Docker: Can create and start docker containers but not stop or update them

abasel · February 17, 2024, 9:52am

I have been using docker on VM for ages and suddenly now I can not create new containers but once done I cannot stop or delete them. Ok so I must have changed something at some point but I can’t remember what or when. Tried restoring a backup which did not help so must have made the changes ages again.

When I try I get “Error response from daemon: cannot stop container: xxxxxxx: permission denied”

I have apt-get update and upgrade on the VM, tried restarting the docker service but to no avail.

I would have thought that if I can create and start containers that the user should also have permission to stop it.

abasel · February 17, 2024, 10:11am

If I can crash the container (buy removing a directory and then restarting the VM) then I can delete the container or update and restart it (once I put the directory back).

xMAXIMUSx · February 17, 2024, 11:25am

Are you running “sudo” when you are running your commands?

abasel · February 17, 2024, 8:01pm

Hi, yes and tried SU too

81fa35949d57 Package homebox · GitHub “/app/api /data/conf…” 9 hours ago Up 9 hours 0.0.0.0:3100->7745/tcp, :::3100->7745/tcp homebox
d14b7b6b4bfc guacamole/guacamole “/opt/guacamole/bin/…” 6 months ago Up 10 hours 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp my-guacamole
8e55e3ef9563 guacamole/guacd “/bin/sh -c '/opt/gu…” 6 months ago Up 10 hours (healthy) 4822/tcp my-guacd
80e95d6186a6 8189e588b0e8 “docker-entrypoint.s…” 9 months ago Up 10 hours 3306/tcp, 33060/tcp guacamole-mysql
633ed7835c27 lscr.io/linuxserver/heimdall:latest “/init” 9 months ago Up 10 hours 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp heimdall
7e7b7e0d0e0f cloudflare/cloudflared:latest “cloudflared --no-au…” 10 months ago Up 10 hours cloudflaretunnel
root@services:/home/sysadmin# docker container stop homebox
Error response from daemon: cannot stop container: homebox: permission denied

The docker group has sysadmin as a member and tried as that user and sudo as that user.

drwxrwxr-x 7 sysadmin sysadmin 4096 Apr 27 2023 heimdall-config
drwxrwxr-x 3 sysadmin sysadmin 4096 Feb 17 23:32 homebox
-rw-rw-r-- 1 sysadmin sysadmin 23050 Aug 5 2023 initdb.sql
-rw-rw-r-- 1 sysadmin sysadmin 20827 Sep 8 20:27 my-httpd.conf
drwxr-xr-x 3 root root 4096 Feb 17 23:27 paperless
drwx------ 3 sysadmin sysadmin 4096 Apr 18 2023 snap

xMAXIMUSx · February 21, 2024, 2:44am

Do you have apparmor enabled?

You might try to disable this for testing purposes.

sudo systemctl disable apparmor.service --now

sudo service apparmor teardown

Then try to stop your containers.

abasel · February 27, 2024, 8:13am

Apologies for the late reply; been one of those weeks.

sysadmin@services:~$ su -
Password:
root@services:~# docker ps -a
CONTAINER ID   IMAGE                                 COMMAND                  CREATED         STATUS                PORTS                                                                      NAMES
28e6f12796b8   ghcr.io/hay-kot/homebox:latest        "/app/api /data/conf…"   9 days ago      Created                                                                                          81fa35949d57_homebox
81fa35949d57   ghcr.io/hay-kot/homebox:latest        "/app/api /data/conf…"   9 days ago      Up 9 days             0.0.0.0:3100->7745/tcp, :::3100->7745/tcp                                  homebox
d14b7b6b4bfc   guacamole/guacamole                   "/opt/guacamole/bin/…"   6 months ago    Up 9 days             0.0.0.0:8080->8080/tcp, :::8080->8080/tcp                                  my-guacamole
8e55e3ef9563   guacamole/guacd                       "/bin/sh -c '/opt/gu…"   6 months ago    Up 9 days (healthy)   4822/tcp                                                                   my-guacd
80e95d6186a6   8189e588b0e8                          "docker-entrypoint.s…"   10 months ago   Up 9 days             3306/tcp, 33060/tcp                                                        guacamole-mysql
633ed7835c27   lscr.io/linuxserver/heimdall:latest   "/init"                  10 months ago   Up 9 days             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   heimdall
7e7b7e0d0e0f   cloudflare/cloudflared:latest         "cloudflared --no-au…"   10 months ago   Up 9 days                                                                                        cloudflaretunnel
root@services:~# docker container stop homebox
Error response from daemon: cannot stop container: homebox: permission denied
root@services:~#
root@services:~#
root@services:~# sudo systemctl disable apparmor.service --now
Synchronizing state of apparmor.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable apparmor
root@services:~# service apparmor stop
root@services:~# docker container stop homebox
Error response from daemon: cannot stop container: homebox: permission denied