How can apparmor docker-default permission issues be debugged or further investigated?
I have an ubuntu 16.04 vm running docker 17.06 ce that has been experiencing permissions issues while trying to interact with (stop, kill, exec) containers.
ex:
Error response from daemon: Cannot stop container XXX: Cannot kill container XXXXXXX: rpc error: code = 7 desc = permission denied
OR
rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:1370: sending signal 0 to pid 1889 caused "permission denied"
I’ve already gone through the steps of trying to change the volume driver to overlay2 from aufs, after seeing similar errors be found to be an issue with the aufs volume driver, to see if it resolves the problem, but it does not.
This setup is a mac mini running vmware esxi and a vm running ubuntu 16.04. If I reboot the vm the containers start up and are running, but when I try to stop them or enter them I get these permissions errors. If I run dmesg I see numerous apparmor DENIED messages indicating they are coming from the docker-default profile, but I don’t know how to investigate further to see what specific problem is causing this - i.e. what in the docker-default profile is telling apparmor that the events should be denied?
ex:
[2117079.944187] audit: type=1400 audit(1502636750.631:38181768): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3287 comm="monit" requested_mask="tracedby" denied_mask="tracedby" peer="docker-default"
AND
[2117404.088531] audit: type=1400 audit(1502637074.772:38187445): apparmor="DENIED" operation="signal" profile="docker-default" pid=85049 comm="monit" requested_mask="receive" denied_mask="receive" signal=usr1 peer="docker-default"
Any clues or how to dig deeper here?
The problem is not limited to a single container.
Has anyone experienced similar problems on this setup with apple hardware, vmware esxi 6.0, ubuntu 16 vm running docker 17.06 ce?
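As a starting point for the "how to dig deeper" question, here is an added triage script (written for this page, not taken from the original post or from Docker) that parses the type=1400 AppArmor lines from dmesg, groups the DENIED events by what was blocked and who was involved, and renders each signal/ptrace denial in AppArmor's rule grammar so it can be compared against the rules of the loaded docker-default profile. The sample input reuses the two dmesg lines quoted above plus two constructed lines; the rule rendering assumes the AppArmor `signal (...) set=(...) peer=...` and `ptrace (...) peer=...` syntax and is a comparison aid only.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Sample input: the two dmesg lines quoted in the question plus two constructed
# lines (a repeated signal denial and a non-denial) to exercise the grouping.
SAMPLE_DMESG = """\
[2117079.944187] audit: type=1400 audit(1502636750.631:38181768): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3287 comm="monit" requested_mask="tracedby" denied_mask="tracedby" peer="docker-default"
[2117404.088531] audit: type=1400 audit(1502637074.772:38187445): apparmor="DENIED" operation="signal" profile="docker-default" pid=85049 comm="monit" requested_mask="receive" denied_mask="receive" signal=usr1 peer="docker-default"
[2117405.100000] audit: type=1400 audit(1502637075.800:38187446): apparmor="DENIED" operation="signal" profile="docker-default" pid=85050 comm="monit" requested_mask="receive" denied_mask="receive" signal=usr1 peer="docker-default"
[2117406.200000] audit: type=1400 audit(1502637076.900:38187447): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="docker-default" pid=900 comm="apparmor_parser"
"""
# AppArmor audit fields are key=value; string values are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one kernel audit line, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def summarize_denials(lines: Iterable[str]) -> Counter:
    """Count DENIED events by (profile, operation, denied_mask, comm, peer)."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_apparmor_line(line)
        if ev.get('apparmor') == 'DENIED':
            counts[(ev.get('profile', '?'), ev.get('operation', '?'),
                    ev.get('denied_mask', '?'), ev.get('comm', '?'), ev.get('peer', '-'))] += 1
    return counts


def rule_for_denial(ev: Dict[str, str]) -> Optional[str]:
    """Render a signal/ptrace denial in AppArmor rule grammar for comparison with the profile."""
    op, mask, peer = ev.get('operation'), ev.get('denied_mask'), ev.get('peer')
    if op == 'signal':
        sig = f" set=({ev['signal']})" if 'signal' in ev else ''
        return f"signal ({mask}){sig} peer={peer},"
    if op == 'ptrace':
        return f"ptrace ({mask}) peer={peer},"
    return None  # other operations (file, capability, ...) are out of scope here


if __name__ == '__main__':
    events = [parse_apparmor_line(l) for l in SAMPLE_DMESG.splitlines()]
    for key, n in summarize_denials(SAMPLE_DMESG.splitlines()).most_common():
        print(f"{n:3d}x profile={key[0]} op={key[1]} mask={key[2]} comm={key[3]} peer={key[4]}")
        # One representative event of the group, rendered as the rule it would need
        ev = next(e for e in events if (e.get('operation'), e.get('denied_mask')) == key[1:3])
        print("     rule:", rule_for_denial(ev))
```

On a real host, feed it `dmesg` (or the kernel log from journalctl) instead of the embedded sample; the two groups that surface here match the two denial types the question quotes, both between processes confined by the same docker-default profile.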