Cannot stop or remove Docker container - permission denied error

Problem: I cannot stop a Docker container. Whenever I try to stop the container I get the error message below:

ERROR: for yattyadocker_web_1  cannot stop container: 1f04148910c5bac38983e6beb3f6da4c8be3f46ceeccdc8d7de0da9d2d76edd8: Cannot kill container 1f04148910c5bac38983e6beb3f6da4c8be3f46ceeccdc8d7de0da9d2d76edd8: rpc error: code = PermissionDenied desc = permission denied

OS version/build: Ubuntu 16.04 | Docker version 17.09.0-ce, build afdb6d4 | Docker Compose version 1.17.1, build 6d101fb

Steps to reproduce:

  • Created a Rails project with a Dockerfile and docker-compose.yml (compose file format version 3).
  • Built the image successfully with docker build -t <project name> . and docker-compose up --build.
  • The containers start and run successfully.
  • Tried to stop the compose project with docker-compose down.

What I have tried:

  • I have to run sudo service docker restart, and then the containers can be removed.
  • Uninstalled Docker, removed the docker directory, and reinstalled everything. Still facing the same issue.

Note: this setup was working fine before, but file permissions may have changed and now I see this error. I have to run sudo service docker restart, and then the containers can be removed. This is very inconvenient and I don't know how to fix it.

Reference files:

# docker-compose.yml
version: '3'
volumes:
  db-data:
    driver: local
  redis-data:
    driver: local
services:
  db:
    image: postgres:9.4.1
    volumes:
      - db-data:/var/lib/postgresql/data
    ports:
      - "5432:5432"
    env_file: local_envs.env
  web:
    image: yattya_docker:latest
    command: bundle exec puma -C config/puma.rb
    tty: true
    stdin_open: true
    ports:
      - "3000:3000"
    links:
      - db
      - redis
      - memcached
    depends_on:
      - db
      - redis
      - memcached
    env_file: local_envs.env
  redis:
    image: redis:3.2.4-alpine
    ports:
      # We'll bind our host's port 6379 to redis's port 6379, so we can use
      # Redis Desktop Manager (or other tools) with it:
      - 6379:6379
    volumes:
      # We'll mount the 'redis-data' volume into the location redis stores its data:
      - redis-data:/var/lib/redis
    command: redis-server --appendonly yes
  memcached:
    image: memcached:1.5-alpine
    ports:
      - "11211:11211"
  clock:
    image: yattya_docker:latest
    command: bundle exec clockwork lib/clock.rb
    links:
      - db
    depends_on:
      - db
    env_file: local_envs.env
  worker:
    image: yattya_docker:latest
    command: bundle exec rake jobs:work
    links:
      - db
    depends_on:
      - db
    env_file: local_envs.env

And the Dockerfile:

# Dockerfile
FROM ruby:2.4.1


RUN apt-get update && apt-get install -y nodejs --no-install-recommends && rm -rf /var/lib/apt/lists/*


ENV APP_HOME /app
RUN mkdir -p $APP_HOME
WORKDIR $APP_HOME


ADD Gemfile* $APP_HOME/
RUN bundle install


ADD . $APP_HOME


RUN mkdir -p ${APP_HOME}/log
RUN cat /dev/null > "$APP_HOME/log/development.log"


RUN mkdir -p ${APP_HOME}/tmp/cache \
&& mkdir -p ${APP_HOME}/tmp/pids \
&& mkdir -p ${APP_HOME}/tmp/sockets


EXPOSE 3000

I was able to fix the issue. Apparmor service in ubuntu was not working normally due to some unknown issue. The problem was similar to the issue reported in moby project https://github.com/moby/moby/issues/20554.

The /etc/apparmor.d/tunables folder was empty, and https://github.com/mlaventure suggested to purge/reinstall apparmor to get it to the initial state.

So I reinstalled apparmor, and after restarting the problem was solved.

Hope this helps.

For anyone that does not wish to completely purge AppArmor.

Check status: sudo aa-status

Shutdown and prevent it from restarting: sudo systemctl disable apparmor.service --now

Unload AppArmor profiles: sudo service apparmor teardown

Check status: sudo aa-status

You should now be able to stop/kill containers.
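The answers so far point at three different root causes for the same `PermissionDenied` message: a broken AppArmor install (empty `/etc/apparmor.d/tunables`), AppArmor profiles that are loaded but stale, and a docker-compose that comes from a snap while dockerd comes from docker-ce. The following read-only diagnostic, added here as an example and not taken from any answer on this page, checks those conditions before you tear anything down. The function names, the `DOCKER_DIAG` switch and the sample error line in the comments are this example's own; `aa-status --enabled` and `docker info --format '{{.SecurityOptions}}'` are real commands.

```shell
#!/bin/sh
# Added diagnostic example (not from any answer on this page).
# It reports the conditions the answers above associate with the
# "Cannot kill container ... PermissionDenied" symptom without changing
# anything on the host: the error pattern itself, an empty
# /etc/apparmor.d/tunables, docker / docker-compose binaries that come from
# a snap, and the security options the running daemon reports.

# is_apparmor_deny_error LINE
# Succeeds when LINE is the daemon's permission-denied kill refusal
# (constructed sample: "... Cannot kill container X: rpc error: code = PermissionDenied ...").
is_apparmor_deny_error() {
    printf '%s\n' "$1" | grep -q 'Cannot kill container.*code = PermissionDenied'
}

# tunables_dir_empty [DIR]
# Succeeds when the AppArmor tunables directory is missing or has no entries,
# the state the first answer found before reinstalling AppArmor.
tunables_dir_empty() {
    dir=${1:-/etc/apparmor.d/tunables}
    [ ! -d "$dir" ] || [ -z "$(ls -A "$dir" 2>/dev/null)" ]
}

# binary_is_snap PATH
# Succeeds when PATH points into a snap mount (the conflicting-install case).
binary_is_snap() {
    case "$1" in
        /snap/*|/var/lib/snapd/*) return 0 ;;
        *) return 1 ;;
    esac
}

# describe_binary NAME
# Prints "NAME: <path>", "NAME: <path> (snap)" or "NAME: not found".
describe_binary() {
    path=$(command -v "$1" 2>/dev/null || true)
    if [ -z "$path" ]; then
        echo "$1: not found"
    elif binary_is_snap "$path"; then
        echo "$1: $path (snap)"
    else
        echo "$1: $path"
    fi
}

# report: run every check against the live host and print the findings.
report() {
    if command -v aa-status >/dev/null 2>&1; then
        if aa-status --enabled 2>/dev/null; then
            echo "AppArmor: enabled"
        else
            echo "AppArmor: disabled or not loaded"
        fi
    else
        echo "AppArmor: aa-status not installed"
    fi

    if tunables_dir_empty; then
        echo "tunables: /etc/apparmor.d/tunables is empty or missing (see the first answer)"
    else
        echo "tunables: present"
    fi

    describe_binary docker
    describe_binary docker-compose

    # The daemon itself reports which security modules it applies to containers.
    if command -v docker >/dev/null 2>&1; then
        echo "docker security options: $(docker info --format '{{.SecurityOptions}}' 2>/dev/null || echo unavailable)"
    fi
}

# Only probe the host when explicitly asked, so the functions can be sourced
# or tested without touching it:  DOCKER_DIAG=1 sh docker-diag.sh
if [ "${DOCKER_DIAG:-0}" = 1 ]; then
    report
fi
```

Run it as `DOCKER_DIAG=1 sh docker-diag.sh` on the affected host. If `tunables` comes back empty you are in the first answer's situation; if `docker-compose` resolves under `/snap/`, you are in the conflicting-install situation and disabling AppArmor is the wrong fix.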

In my case the issue was that I had conflicting Docker installations: docker itself from the official docker-ce package, but docker-compose from the Ubuntu snap package.

Installing docker-compose correctly from the official GitHub (instructions here) did the trick. I also followed the Linux post-install instructions, and that may have helped as well (to run docker as a non-root user).

I just left AppArmor alone here - I did not touch it.

A direct fix to the problem is executing bash in the container to be killed and directly calling kill there. An example:

host$ docker exec -it <container-name> sh
container$ ps
PID   USER     TIME  COMMAND
1 root      0:00 {entrypoint.sh} /bin/sh /entrypoint.sh
16 root      0:00 {entrypoint.sh} /bin/sh /entrypoint.sh
24 root      0:00 sh
31 root      0:00 ps
container$ kill 1

To check that the container was killed, run docker ps. This is a useful alternative to the solution of reinstalling apparmor, as that will also remove snapd.

I installed Docker from the snap package and after a while I decided to move to apt repository installation.

I was facing the same problem and using sudo aa-remove-unknown worked for me.

So no reinstallation of Apparmor was needed.

OS: Ubuntu 22.04 LTS | docker version: 20.10.17, build 100c701 | docker-compose version: 1.29.2

I faced the same issue and tried the following:

  1. sudo systemctl disable apparmor.service --now
  2. sudo service apparmor teardown
  3. sudo aa-remove-unknown
  4. reboot

These solutions didn't work for me. This issue happens because of a security feature of the Linux kernel, AppArmor.

We can disable it by running the Docker daemon as a non-root user (rootless mode). Execute the following commands:

Solution:

  1. curl -fsSL https://get.docker.com/rootless | FORCE_ROOTLESS_INSTALL=1 sh   (the variable must be set for sh, not piped into after it)
  2. export PATH=/home/user-directory/bin:$PATH

docker-compose down or docker rm will then work.