Error response from daemon: cannot stop container - signaling init process caused "permission denied"

Question

I started the Docker container:

VirtualBox:~$ sudo docker run --name rabbitmq -d -p 0.0.0.0:5672:5672 -p 0.0.0.0:15672:15672 bitnami/rabbitmq

All is well, the container is working.

docker  ps

CONTAINER ID        IMAGE                     COMMAND                  CREATED             STATUS              PORTS                                                                                                NAMES
dd3d12133774        bitnami/rabbitmq:latest   "/app-entrypoint.sh …"   37 minutes ago      Up 37 minutes       0.0.0.0:4369->4369/tcp, 0.0.0.0:5672->5672/tcp, 0.0.0.0:15672->15672/tcp, 0.0.0.0:25672->25672/tcp   sad_knuth
203500ee7f1e        bitnami/rabbitmq          "/app-entrypoint.sh …"   5 hours ago         Up 5 hours          0.0.0.0:5672->5672/tcp, 4369/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp                                rabbitmq

When I use command :

docker stop 203500ee7f1e

or

docker stop rabbitmq

Nothing happens (Error):

VirtualBox:~$ docker stop rabbitmq
Error response from daemon: cannot stop container: rabbitmq: Cannot kill container 203500ee7f1eb09bf0ecb2fdaf2041f4da27990a3654bca90b808a3ec36238cf: unknown error after kill: docker-runc did not terminate sucessfully: container_linux.go:393: signaling init process caused "permission denied"
: unknown

Output Docker version

VirtualBox:~$ docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:09:54 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:07:56 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Output Docker info

    VirtualBox:~$ docker info
Containers: 2
 Running: 2
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-29-generic
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.852GiB
Name: ivanpuzyrev-VirtualBox
ID: 2LAE:PADC:VVDH:G2OW:MWUD:IRTS:CRNU:J727:DDEV:ZYBS:GTGG:SIOI
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Help Please!!! Nothing happens. Perhaps you have any ideas?

Answer 1

So I had a troublesome container running node:lts-bookworm-slim.

At first was trying the command

docker stop f8c586d8b4af

The error emitted would be

Error response from daemon: cannot stop container: f8c586d8b4af: permission denied

So I tried using the docker kill to send an immediate SIGKILL

docker kill f8c586d8b4af

The error emitted was still the same as using docker stop

Error response from daemon: Cannot kill container: f8c586d8b4af: permission denied

Tried executing the kill command but my container couldn't identify the PATH variable to the command

docker exec -it f8c586d8b4af kill 1

OCI runtime exec failed: exec failed: unable to start container process: exec: "kill": executable file not found in $PATH: unknown

Finally used a bash pseudo terminal to execute the command directly

docker exec -it f8c586d8b4af bash

Inside the container, I used this command to kill everything and exit the container

kill -9 -1

Now I was able to stop the container

docker stop f8c586d8b4af

Answer 2

Error response from daemon: cannot stop container: 6732d7fa18ce861068c9be7754e33591f491e154c301353660d: permission denied

this cmd is solve me this issue

sudo aa-remove-unknown

then it will ask for password

sudo] password for user:

    Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode
Removing 'snap.snapd-desktop-integration.snapd-desktop-integration'
Removing 'snap.snapd-desktop-integration.hook.configure'
Removing 'snap.snap-store.ubuntu-software-local-file'
Removing 'snap.snap-store.ubuntu-software'
Removing 'snap.snap-store.snap-store'
Removing 'snap.snap-store.hook.configure'
Removing 'snap.firefox.hook.post-refresh'
Removing 'snap.firefox.hook.disconnect-plug-host-hunspell'
Removing 'snap.firefox.hook.connect-plug-host-hunspell'
Removing 'snap.firefox.hook.configure'
Removing 'snap.firefox.geckodriver'
Removing 'snap.firefox.firefox'
Removing 'snap.docker.nvidia-container-toolkit'
Removing 'snap.docker.hook.post-refresh'
Removing 'snap.docker.hook.install'
Removing 'snap.docker.hook.connect-plug-graphics-core22'
Removing 'snap.docker.hook.configure'
Removing 'snap.docker.help'
Removing 'snap.docker.dockerd'
Removing 'snap.docker.docker'
Removing 'snap.docker.compose'
Removing 'snap.code.url-handler'
Removing 'snap.code.code'
Removing 'snap-update-ns.snapd-desktop-integration'
Removing 'snap-update-ns.snap-store'
Removing 'snap-update-ns.firefox'
Removing 'snap-update-ns.docker'
Removing 'snap-update-ns.code'
Removing 'docker-default'
Removing '/snap/snapd/20092/usr/lib/snapd/snap-confine//mount-namespace-capture-helper'
Removing '/snap/snapd/20092/usr/lib/snapd/snap-confine'
Removing '/snap/snapd/18933/usr/lib/snapd/snap-confine//mount-namespace-capture-helper'
Removing '/snap/snapd/18933/usr/lib/snapd/sn

Answer 3

Update

Note that I have added another answer after I have found out what the root cause was in my case: Concurrent docker installations I recommend that you check if that is the case for you, too, because if so, the other answer provides the preferred solution.

---

This answer helped me with docker as well:

After

sudo aa-remove-unknown

the problem was instantly gone and docker stop would work again as expected. See: aa-remove-unknown - remove unknown AppArmor profiles

Background

As far as I understand it, the problem cause is that the docker package does not install a profile for docker in the AppArmor service, so docker is categorized as 'unknown' by AppArmor. The above command removes the profile for all unknown applications, so they are no longer restricted by AppArmor.

Of course, the correct way would be to keep the profile for unknown applications and create an AppArmor profile for docker. According to the docker docs on AppArmor security profiles for Docker, "A profile for the Docker Engine daemon exists but it is not currently installed".

Answer 4

Note: I decided to add this answer in addition to my earlier one after I have eventually found out what the root cause was in my case. This may not always be the case, so I keep the old answer, too.

Concurrent docker installations

The issue can be caused by docker being installed through apt and snap at the same time.

In my case, I had installed docker via apt, but accidentally another install via snap happened. This can happen because, on Ubuntu, apt is configured to use snap under the hood, unless you disable it (see this answer and this question on how to prevent this). After that, the "permission denied" issues started appearing, as described in the question.

How to check

In order to check if that's the case, check the snap installs, as in this example:

$ sudo snap list | grep docker
docker  20.10.17       2285   latest/stable  canonical✓  -

Here we can see that snap has installed docker 20.10.17.

Now check the apt installs, like so:

$ sudo apt list --installed | grep docker

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

docker-ce-cli/focal,now 5:20.10.21~3-0~ubuntu-focal amd64 [installed]
docker-ce-rootless-extras/focal,now 5:20.10.21~3-0~ubuntu-focal amd64 [installed,automatic]
docker-ce/focal,now 5:20.10.21~3-0~ubuntu-focal amd64 [installed]
docker-scan-plugin/focal,now 0.21.0~ubuntu-focal amd64 [installed,automatic]

Here we can see that apt has installed docker 20.10.21. This was the one that got executed, but somehow the snap install was interfering with it.

How to fix

The problem can be fixed by removing the snap install:

$ sudo snap remove docker

In my case, this command would hang. To check:

$ snap changes
ID   Status  Spawn               Ready  Summary
6    Doing   today at 15:19 CET  -      Remove "docker" snap

The status should be 'Done'. If it stays 'Doing', you can abort it via

$ sudo snap abort 6

where 6 is the number from the ID column of the previous command output.

Then, try removing it forcely (should always work):

$ sudo snap remove --purge docker

Finally, I recommend to reboot and check again, but after the snap installation has been removed, Docker should usually instantly be back to working as expected.

---

You may prefer to keep the snap installation rather than the apt installation, which may work equally well, but I haven't tried it.

Answer 5

Try executing these two commands:

$ sudo systemctl restart docker.socket docker.service
$ docker rm {container_id}

Answer 6

It is possible this was cause by Ubuntu's security and in particular apparmor

In that case, you should have added to the docker run the --security-opt apparmor:unconfined. This seems preferable to removing apparmor.

e.g. try:

docker run --security-opt apparmor:unconfined -ti ubuntu bash

then try to docker stop and see it works!

If this does not work, or if you want to stop an already running container, consider killing with -9 the root process from inside the container.

I have had a similar issue with the mssql container. mssql server drops its priviledges and so docker stop fails. However, to solve this, one has to explicitly elevate the priviledges inside the container usin e.g. -u 0 priviledges:

docker exec -u 0 -it mssql ps aux

check the outputm in my case it was:

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
mssql          1  0.4  0.0  61108 18380 ?        Ssl  16:55   0:00 /opt/mssql/bin/sqlservr
mssql          9  8.4  1.5 16865624 1014056 ?    Sl   16:55   0:04 /opt/mssql/bin/sqlservr
root         267  0.0  0.0   5896  2848 pts/0    R+   16:56   0:00 ps aux

so, I needed to kill (with -9) processes 1 and 9 inside the container...

docker exec -u 0 -it mssql kill -9 1 9

note here that when running mssql i gave the container the name mssql... in your case it would have been rabbitmq

Answer 7

I was having the same issue I solved it by executing a shell in the docker container using this command docker exec -it imagebase bash then issuing kill 1 command.

Answer 8

After installing docker with snap on Debian GNU/Linux 10 (buster) I had the same issue. After removing the snap docker version and installing docker according to https://docs.docker.com/engine/install/debian/#install-using-the-repository and https://docs.docker.com/engine/install/linux-postinstall/ up to Configure Docker to start on boot with $ sudo systemctl enable docker and a reboot, the $ docker stop name-of-container worked.

Answer 9

You need to tell rabbitmq to quit, by using rabbitmqctl so:

docker exec rmq rabbitmqctl stop

(swap rmq for your containers name)

Once the process has safely stopped the docker container should shutdown.

Answer 10

Try to reload daemon and restart the docker, then remove all your containers.

On Linux:

$sudo systemctl daemon-reload
$sudo systemctl restart docker
$docker ps –qa|xargs docker rm

On Win.10:

$docker stop $(docker ps -a -q)
$docker ps -qa|xargs docker rm

Answer 11

I'm going to disagree with everyone suggesting sudo. The docker command sends api calls to the daemon, and if you needed sudo to run the command, you would know from the failure to connect to the docker socket. The daemon itself should be running as root.

The permission error to me looks like something that could be caused by an AppArmor policy or it could just be a bug in the engine/containerd/runc. You are also running Ubuntu 18.04 which docker only recently added support, so if possible, try running a slightly older version of Ubuntu LTS, or see if one of the edge/nightly builds fixes the issue. In the short term, you may have luck restarting the docker engine (systemctl restart docker) and possibly the entire host to see if that clears up the issue.

Answer 12

Since you ran the docker as 'sudo', you have to stop it with the 'sudo' privileges

To stop the container

sudo docker stop 203500ee7f1e

To remove the container

sudo docker rm 203500ee7f1e

If you want to stop and remove all the containers, the below command will be useful

sudo docker stop $(docker ps -a -q)  && sudo docker rm  $(docker ps -a -q) 

Answer 13

Try killing it:

sudo docker kill rabbitmq

This will force the stop but will not remove the container.

Answer 14

Try as superuser:

sudo docker container stop rabbitmq