We need to add delegate yes to docker's service file so that it can
manage the cgroups of the processes that it launches without systemd
interfering with them and moving the processes after it is reloaded.
```
Delegate=
Turns on delegation of further resource control partitioning to
processes of the unit. For unprivileged services (i.e. those
using the User= setting), this allows processes to create a
subhierarchy beneath its control group path. For privileged
services and scopes, this ensures the processes will have all
control group controllers enabled.
```
This is the proper fix for issue #20152
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: d16737f971092767c1b9d28302a3f5aedbe2f576
Component: engine
Previously, this check only worked if no host was specified and was
hard coded to check for "/var/run/docker.sock"
This change generalizes that check and captures any specified socket
and waits for it to be created.
Caveat: This will only check the first socket specified, but it is an
improvement over none at all.
Fixes#185160
Signed-off-by: Andrew Guenther <guenther.andrew.j@gmail.com>
Upstream-commit: 9f401254bd8e097ef30a3bc5de5576de08bc979a
Component: engine
systemd sets an additional limit on processes and threads that defaults to 512 when run under Linux >= 4.3.
See more information here: http://unix.stackexchange.com/a/255603/59955
Signed-off-by: Candid Dauth <cdauth@cdauth.eu>
Upstream-commit: 105778343a2e5d510fae1cbdb1b7ab6879e5a028
Component: engine
With content addressability update starting upgraded
daemon for the first time can take a long time if
graph dir was not prepared with a migration tool before.
This avoids systemd timeouts while the migration is
taking place.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Upstream-commit: eff5e6498fa424587c339b5ae54e28f003775e4b
Component: engine
Add 10 seconds timeout when running `sudo service docker stop`. This is
especially needed when running `sudo service docker restart`. Otherwise,
`restart` results in exitstatus 1, because `start` has nothing to do.
Signed-off-by: Ewa Czechowska <ewa@ai-traders.com>
Upstream-commit: 5c94a9e800ed4f2e43f472b214f699c22fd7e2fe
Component: engine
On boot, the init script is invoked from `/etc/rcN.d/S20docker` (where N
is the runlevel). Consequently, the init script tried to find the
defaults at `/etc/defaults/S20docker` and the binary at
`/usr/bin/S20docker`. This causes the docker daemon to fail at boot with
the error
/usr/bin/S20docker not present or not executable
Starting it manually works because it invokes `/etc/init.d/docker` which
has the correct basename.
Fix this by hardcoding "docker" as the base name.
Signed-off-by: Matthias Rampke <mr@soundcloud.com>
Upstream-commit: 01c5cfcc5629e1d90a50a8447f9712fa6ff49f48
Component: engine
The shebang for OpenRC init scripts is now #!/sbin/openrc-run, and we
can also use the default start and stop functions built into OpenRC.
Signed-off-by: William Hubbs <w.d.hubbs@gmail.com>
Upstream-commit: e3772538c0eb5c1478075979d222485cb3bd8c91
Component: engine
The docker script in contrib/init/sysvinit-redhat will fail silently on
a start if Docker is not installed in the default /usr/bin/ location.
While a non-zero exit code is returned the user will receive no visible
indication (i.e. error message) as to why Docker was not started.
This commit changes the logic so that in the case that the docker
executable is not found in the expected location or the user does not
have execute permissions on the executable appropriate error messages
are now shown to the user as well as exiting with a non-zero exit code
Signed-off-by: Rob Vesse <rvesse@dotnetrdf.org>
Upstream-commit: f8387f69042b222e5b0a5d91cf49a840e345f88d
Component: engine
Currently the service type is 'simple', the default, meaning that
docker.service is considered to be started straight after
spawning. This is incorrect as there is significant amount of time
between spawning and docker ready to accept connections on the passed
sockets. Docker does implement systemd socket activate and
notification protocol, and send the ready signal to systemd, once it
is ready. However for systemd to take those notifications into
account, the service file type should be set to notify.
Signed-off-by: Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
Upstream-commit: d3e5179c291a7646c71f1ca608d6700026756f7c
Component: engine
If you have some kind of bogus `other_args` in `/etc/sysconfig/docker` the start script will report "started" but it's full of lies. This enhances the flow so that if the pidfile never shows up (failure to start) you get a proper failure message.
I also added dots for fun.
Signed-off-by: Jeff Minard <jeff.minard@creditkarma.com>
Upstream-commit: 6f8fdb8aa893b2d5f319d342614dd159e0c8bb83
Component: engine
This will now properly check whether /etc/init.d/docker or service docker is
invoking the script and respond to the user accordingly.
Signed-off-by: Steven Richards <steven@axiomzen.co>
Upstream-commit: e5ff643aed78fb5dfb5e3fef518dfe56b82b3023
Component: engine
Give Docker more time to kill containers before upstart kills Docker.
The default kill timeout is 5 seconds.
This will help decrease the chance of but not eliminate the chance of
orphaned container processes.
Signed-off-by: David Xia <dxia@spotify.com>
Upstream-commit: 2f9e7a067a7273a0f344c1c9a6397e4bb61d7554
Component: engine
Once the job has failed and is respawned, the status becomes `docker
respawn/post-start` after subsequent failures (as opposed to `docker
stop/post-start`), so the post-start script needs to take this into
account.
I could not find specific documentation on the job transitioning to the
`respawn/post-start` state, but this was observed on Ubuntu 14.04.2.
Signed-off-by: Lewis Marshall <lewis@lmars.net>
Upstream-commit: 302e3834a0bfa860f9d06b42a2955b0cbd135c38
Component: engine
The validation script from #10681 is too pedantic, and does not handle
well situations like:
```
cat <<EOF # or <<-EOF
Whether the leading whitespace is stripped out or not by bash
it should still be considered as valid.
EOF
```
This reverts commit 4e65c1c319afffc325853b88c9aef0c42ec83482.
Signed-off-by: Tibor Vass <tibor@docker.com>
Upstream-commit: 0252ad0adc37a34b88fa908ae74a13b940febdcb
Component: engine
Created a validation that detects all trailing whitespaces from every
text file that isn't *.go, *.md, vendor/*,
docs/theme/mkdocs/tipuesearch*
Removed trailing whitespaces from every text file except from vendor/*
builder/parser/testfiles*, docs/theme/mkdocs/tipuesearch* and *.md
Signed-off-by: André Martins <martins@noironetworks.com>
Upstream-commit: 4e65c1c319afffc325853b88c9aef0c42ec83482
Component: engine
set LimitCORE=infinity to ensure complete core creation,
allows extraction of as much information as possible.
Thanks to Ulrich Obergfell <uobergfe@redhat.com>
and Jeremy Eder <jeder@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Upstream-commit: ae9cdbbde7824951b124a648e897ac4c291108e3
Component: engine
unshare the mount namespace of the docker daemon to avoid other pids
outside the daemon holding mount references of docker containers.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Upstream-commit: 6bb65864589fbd720622cbd795763d108999a366
Component: engine
This systemd.exec setting will construct a new mount namespace for the
docker daemon, and use slave shared-subtree mounts so that volume mounts
propogate correctly into containers.
By having an unshared mount namespace for the daemon it ensures that
mount references are not held by other pids outside of the docker
daemon. Frequently this can be seen in EBUSY or "device or resource
busy" errors.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Upstream-commit: eb76cb2301fc883941bc4ca2d9ebc3a486ab8e0a
Component: engine
Fixes#6647: Other upstart jobs that depend on docker by specifying
"start on started docker" would often start before the docker daemon was
ready, so they'd fail with "Cannot connect to the Docker daemon" or
"dial unix /var/run/docker.sock: no such file or directory".
This is because "docker -d" doesn't daemonize, it runs in the
foreground, so upstart can't know when the daemon is ready to receive
incoming connections. (Traditionally, a daemon will create all necessary
sockets and then fork to signal that it's ready; according to @tianon
this "isn't possible in Go"[1]. See also [2].)
Presumably this isn't a problem with systemd init with its socket
activation. The SysV init scripts may or may not suffer from this
problem but I have no motivation to fix them.
This commit adds a "post-start" stanza to the upstart configuration
that waits for the socket to be available. Upstart won't emit the
"started" event until the "post-start" script completes.[3]
Note that the system administrator might have specified a different path
for the socket, or a tcp socket instead, by customising
/etc/default/docker. In that case we don't try to figure out what the
new socket is, but at least we don't wait in vain for
/var/run/docker.sock to appear.
If the main script (`docker -d`) fails to start, the `initctl status
$UPSTART_JOB | grep -q "stop/"` line ensures that we don't loop forever.
I stole this idea from Steve Langasek.[4]
If for some reason we *still* end up in an infinite loop --I guess
`docker -d` must have hung-- then at least we'll be able to see the
"Waiting for /var/run/docker.sock" debug output in
/var/log/upstart/docker.log.
I considered using inotifywait instead of sleep, but it isn't worth
the complexity & the extra dependency.
[1] https://github.com/docker/docker/issues/6647#issuecomment-47001613
[2] https://code.google.com/p/go/issues/detail?id=227
[3] http://upstart.ubuntu.com/cookbook/#post-start
[4] https://lists.ubuntu.com/archives/upstart-devel/2013-April/002492.html
Signed-off-by: David Röthlisberger <david@rothlis.net>
Upstream-commit: f42c0a53a38a2a141bec8768d0836a3726de4a83
Component: engine
Two problems how they are today:
In the current systemd unit files it is impossible to have the
docker.service started at system boot. Instead enableing docker.service
will actually enable docker.socket. This is a problem, as that means
any container with --restart=always will not launch on reboot. And of
course as soon as you log in and type docker ps, docker.service will be
launched and now your images are running. Talk about a PITA to debug!
The fix is to just install docker.service when people ask docker.service
to be enabled. If an admin wants to enable docker.socket instead, that
is fine and will work just as it does today.
The second problem is a common docker devel workflow, although not
something normal admins would hit. In this case consider a dev doing
the following:
systemctl stop docker.service
docker -d
[run commands]
[^C]
systemctl start docker.service
Running docker -d (without -F fd://) will clean up the
/var/run/docker.sock when it exits. Remember, you just ran the docker
daemon not telling it about socket actviation, so cleaning up its socket
makes sense! The new docker, started by systemd will expect socket
activation, but the last one cleaned up the docker.sock. So things are
just broken. You can, today, work around this by restarting
docker.socket. This fixes it by telling docker.socket that it is
PartOf=docker.service. So when docker.service is
started/stopped/restarted docker.socket will also be
started/stopped/restarted. So the above semi-common devel workflow will
be fine. When docker.service is stopped, so is docker.socket, docker
-d (without -F fd://) will create and delete /var/run/docker.sock.
Starting docker.service again will restart docker.socket, which will
create the file an all is happy in the word.
Signed-off-by: Eric Paris <eparis@redhat.com>
Upstream-commit: 053c3557b3198466ecfbe066fefdbab2a78771d5
Component: engine
This change will allow the Docker daemon's init script to wait up to 5
minutes before being forcibly terminated by the initscript. Many
non-trivial containers will take more than the default 3 seconds to
stop, which can result in containers whose rootfs is still mounted and
will not restart when the daemon starts up again, or worse, orphan
processes that are still running.
Signed-off-by: Steven Merrill <steven.merrill@gmail.com>
Upstream-commit: 640d2ef6f54d96ac4fc3f0f745cb1e6a35148607
Component: engine
- add `set -e` to make failing commands bail the script
- remove trailing `exit 0` which is just extraneous anyhow
- adjust `status_of_proc` options to pass in `$DOCKER_DESC` so we get consistently styled messages like `Docker is running` or `Docker is not running` or `could not access PID file for Docker`
Signed-off-by: Andrew Page <admwiggin@gmail.com>
Upstream-commit: 478fdaf93353c70a26c0043dadb650fd2f101c40
Component: engine
This should not be done by default but used by adminsys with a drop-in.d file,
for buggy daemons which crash without known fixes.
Docker-DCO-1.1-Signed-off-by: Sébastien Luttringer <seblu@seblu.net> (github: seblu)
Upstream-commit: 533916fa6bb0b19fb887b5b0b2b704b224154b41
Component: engine
As requested after #7021 add me as a maintainer alongside the sword
toting @lsm5.
Docker-DCO-1.1-Signed-off-by: Brandon Philips <brandon.philips@coreos.com> (github: philips)
Upstream-commit: 81307680142d5ddd8e80c70c5da8afc799318556
Component: engine
