[1.12] docker service update --publish-rm "[port]:[port]" does not unpublish ports #25200

mike-hearn · 2016-07-29T01:48:00Z

Output of docker version:

Client:
 Version:      1.12.0
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   8eab29e
 Built:        Thu Jul 28 22:11:10 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.0
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   8eab29e
 Built:        Thu Jul 28 22:11:10 2016
 OS/Arch:      linux/amd64

Output of docker info:

root@testserver:~# docker info
Containers: 20
 Running: 10
 Paused: 0
 Stopped: 10
Images: 1
Server Version: 1.12.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 51
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: host null bridge overlay
Swarm: active
 NodeID: 7g9n07v9wcqh215l8fr9jku9q
 Is Manager: true
 ClusterID: 2hmvi41my9ljcj9w88sega02f
 Managers: 1
 Nodes: 1
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot interval: 10000
  Heartbeat tick: 1
  Election tick: 3
 Dispatcher:
  Heartbeat period: 5 seconds
 CA configuration:
  Expiry duration: 3 months
 Node Address: 104.131.182.84
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-31-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 488.5 MiB
Name: testserver
ID: SHMX:TWPS:TBUX:AE2Z:DCRW:U27U:DUKX:4AS2:BV3L:ZHF3:AN7W:H5AL
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Labels:
 provider=digitalocean
Insecure Registries:
 127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.):

Digital ocean. Single droplet as the manager in a single-node swarm.

Steps to reproduce the issue:

Create a droplet on digital ocean with docker-machine

$ docker-machine create -d digitalocean --digitalocean-image "ubuntu-16-04-x64" testserver
Running pre-create checks...

[etc etc etc]

Docker is up and running!
To see how to connect your Docker Client to the Docker Engine running on this virtual machine, run: docker-machine env testserver

Create a swarm

root@testserver:~# docker swarm init --advertise-addr $(dig +short myip.opendns.com @resolver1.opendns.com)
Swarm initialized: current node (7g9n07v9wcqh215l8fr9jku9q) is now a manager.

Create a service with 10 replicas, but no publish port

root@testserver:~# docker service create --replicas 10 --name nginxtest nginxdemos/hello
0mhsp06y8be6e7ctuzu9r9avq
root@testserver:~# docker service ps nginxtest
ID                         NAME          IMAGE             NODE        DESIRED STATE  CURRENT STATE             ERROR
aijolpdm6vvn8jl4mcetvt31e  nginxtest.1   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
6quaslvqls98h8jbksiblxed1  nginxtest.2   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
aoukmdeypxzl1sqr29u5yctjt  nginxtest.3   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
3cbxvjrdn7m8tkahpvscmfvul  nginxtest.4   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
4o0zaff98aozqv3t1af9s5tk0  nginxtest.5   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
6uc1v37hkua2771ncm8lnvbv3  nginxtest.6   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
0u7cr49qy4ctdf7a4omlv6rbp  nginxtest.7   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
8urs0t0nncetjxtmuxcb8mzuq  nginxtest.8   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
a1y4uffudc7b6pwe89gb3506t  nginxtest.9   nginxdemos/hello  testserver  Running        Preparing 11 seconds ago
3a9s1uusb2xa20fd5t4u91x47  nginxtest.10  nginxdemos/hello  testserver  Running        Preparing 11 seconds ago

Add a publish port of "80:80", and run inspect to verify the port has been added:

root@testserver:~# docker service update --publish-add "80:80" nginxtest
nginxtest

root@testserver:~# docker service inspect nginxtest --pretty
ID:     0mhsp06y8be6e7ctuzu9r9avq
Name:       nginxtest
Mode:       Replicated
 Replicas:  10
Update status:
 State:     completed
 Started:   22 seconds ago
 Completed: 5 seconds ago
 Message:   update completed
Placement:
UpdateConfig:
 Parallelism:   1
 On failure:    pause
ContainerSpec:
 Image:     nginxdemos/hello
Resources:
Ports:
 Protocol = tcp
 TargetPort = 80
 PublishedPort = 80

Remove the publish port:

root@testserver:~# docker service update --publish-rm "80:80" nginxtest
nginxtest

Describe the results you received:

If I run inspect again, port 80 still appears to be assigned to the service:

root@testserver:~# docker service inspect nginxtest --pretty
ID:     0mhsp06y8be6e7ctuzu9r9avq
Name:       nginxtest
Mode:       Replicated
 Replicas:  10
Placement:
UpdateConfig:
 Parallelism:   1
 On failure:    pause
ContainerSpec:
 Image:     nginxdemos/hello
Resources:
Ports:
 Protocol = tcp
 TargetPort = 80
 PublishedPort = 80

If I subsequently try to re-add the port, I get this error:

root@testserver:~# docker service update --publish-add "80:80" nginxtest
Error response from daemon: rpc error: code = 3 desc = EndpointSpec: duplicate ports provided

Describe the results you expected:

I expected the ports to be unpublished from the service.

The text was updated successfully, but these errors were encountered:

icecrime · 2016-07-29T04:33:54Z

Cc @dnephin @vieux!

dnephin · 2016-07-29T15:33:57Z

From the usage text:

"Remove a published port by its target port"

The important bit is target port. So --publish-rm 80 should work. This is likely going to be a common mistake, so we can probably do something to make this easier to discover. Either error if there is a colon in the value, or allow the port spec, parse it, compare both target and published port, and raise an error if the published port doesn't match. Maybe also add a warning letting users know they don't need to include published port (if we do that).

mike-hearn · 2016-07-29T15:45:11Z

That doesn't seem to be working either:

root@testserver:~# docker service update --publish-rm 80 nginxtest
nginxtest

root@testserver:~# docker service inspect nginxtest --pretty
ID:             7ub4g7cs24eoxh9viaqfcf3w0
Name:           nginxtest
Mode:           Replicated
 Replicas:      10
Update status:
 State:         updating
 Started:       1 seconds ago
 Message:       update in progress
Placement:
UpdateConfig:
 Parallelism:   1
 On failure:    pause
ContainerSpec:
 Image:         nginxdemos/hello
Resources:
Ports:
 Protocol = tcp
 TargetPort = 80
 PublishedPort = 80

jhorwit2 · 2016-07-29T16:06:50Z

I noticed something interesting. If your service is in an overlay network this functionality works fine, but if you didn't specify the network and only have ingress it won't.

mike-hearn · 2016-07-29T16:41:39Z

Wow, yep. Great catch @jhorwit2. I just verified:

root@testserver:~# docker service rm nginxtest
nginxtest

root@testserver:~# docker network create -d overlay testnetwork
0youublge6plq5hoc9m15608s

root@testserver:~# docker service create --replicas 10 --name nginxtest --network testnetwork nginxdemos/hello
617t8jgip3kfiphi2vgposr3l

root@testserver:~# docker service update --publish-add "80:80" nginxtest
nginxtest

root@testserver:~# docker service inspect nginxtest --pretty
ID:             617t8jgip3kfiphi2vgposr3l
Name:           nginxtest
Mode:           Replicated
 Replicas:      10
Update status:
 State:         updating
 Started:       2 seconds ago
 Message:       update in progress
Placement:
UpdateConfig:
 Parallelism:   1
 On failure:    pause
ContainerSpec:
 Image:         nginxdemos/hello
Resources:
Networks: 0youublge6plq5hoc9m15608sPorts:
 Protocol = tcp
 TargetPort = 80
 PublishedPort = 80

root@testserver:~# docker service update --publish-rm 80 nginxtest
nginxtest

root@testserver:~# docker service inspect nginxtest --pretty
ID:             617t8jgip3kfiphi2vgposr3l
Name:           nginxtest
Mode:           Replicated
 Replicas:      10
Update status:
 State:         completed
 Started:       3 minutes ago
 Completed:     3 minutes ago
 Message:       update completed
Placement:
UpdateConfig:
 Parallelism:   1
 On failure:    pause
ContainerSpec:
 Image:         nginxdemos/hello
Resources:

dperny · 2016-08-01T20:59:56Z

I can reproduce this. There don't seem to be any errors generated. I'm am investigating the problem.

Fixes moby/moby#25200. This change should trigger an allocation when the service has ports attached but the spec says none should be. Signed-off-by: Drew Erny <drew.erny@docker.com>

Fixes moby/moby#25200. This change should trigger an allocation when the service has ports attached but the spec says none should be. Signed-off-by: Drew Erny <drew.erny@docker.com> (cherry picked from commit 5982397)

thaJeztah · 2016-08-04T19:33:35Z

ping @mrjana @dperny I'm reopening this, because the change in SwarmKit was not vendored yet; could you make sure to add a "closes" in the vendor bump PR that brings in moby/swarmkit#1301 ?

thaJeztah · 2016-08-10T15:31:03Z

er, @vdemeester looks like this auto-closed from your repository 😂

vdemeester · 2016-08-10T15:39:07Z

wat ? 😅 😂 😱

aaronlehmann · 2016-08-11T23:32:12Z

moby/swarmkit#1301 is there now.

thaJeztah · 2016-08-11T23:35:06Z

Third time lucky!

…TargetPort>` Currently `--publish-rm` only accepts `<TargetPort>` or `<TargetPort>[/Protocol]` though there are some confusions. Since `--publish-add` accepts `<PublishedPort>:<TargetPort>[/Protocol]`, some user may provide `--publish-rm 80:80`. However, there is no error checking so the incorrect provided argument is ignored silently. This fix adds the check to make sure `--publish-rm` only accepts `<TargetPort>[/Protocol]` and returns error if the format is invalid. The `--publish-rm` itself may needs to be revisited to have a better UI/UX experience, see discussions on: moby/swarmkit#1396 moby#25200 (comment) moby#25338 (comment) This fix is short term measure so that end users are not misled by the silently ignored error of `--publish-rm`. This fix is related to (but is not a complete fix): moby/swarmkit#1396 Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

…TargetPort>` Currently `--publish-rm` only accepts `<TargetPort>` or `<TargetPort>[/Protocol]` though there are some confusions. Since `--publish-add` accepts `<PublishedPort>:<TargetPort>[/Protocol]`, some user may provide `--publish-rm 80:80`. However, there is no error checking so the incorrect provided argument is ignored silently. This fix adds the check to make sure `--publish-rm` only accepts `<TargetPort>[/Protocol]` and returns error if the format is invalid. The `--publish-rm` itself may needs to be revisited to have a better UI/UX experience, see discussions on: moby/swarmkit#1396 moby/moby#25200 (comment) moby/moby#25338 (comment) This fix is short term measure so that end users are not misled by the silently ignored error of `--publish-rm`. This fix is related to (but is not a complete fix): moby/swarmkit#1396 Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

…TargetPort>` Currently `--publish-rm` only accepts `<TargetPort>` or `<TargetPort>[/Protocol]` though there are some confusions. Since `--publish-add` accepts `<PublishedPort>:<TargetPort>[/Protocol]`, some user may provide `--publish-rm 80:80`. However, there is no error checking so the incorrect provided argument is ignored silently. This fix adds the check to make sure `--publish-rm` only accepts `<TargetPort>[/Protocol]` and returns error if the format is invalid. The `--publish-rm` itself may needs to be revisited to have a better UI/UX experience, see discussions on: moby/swarmkit#1396 moby/moby#25200 (comment) moby/moby#25338 (comment) This fix is short term measure so that end users are not misled by the silently ignored error of `--publish-rm`. This fix is related to (but is not a complete fix): moby/swarmkit#1396 Signed-off-by: Yong Tang <yong.tang.github@outlook.com> Upstream-commit: 8597e231a5caa23247934f7a89c1001d87e26192 Component: cli

…TargetPort>` Currently `--publish-rm` only accepts `<TargetPort>` or `<TargetPort>[/Protocol]` though there are some confusions. Since `--publish-add` accepts `<PublishedPort>:<TargetPort>[/Protocol]`, some user may provide `--publish-rm 80:80`. However, there is no error checking so the incorrect provided argument is ignored silently. This fix adds the check to make sure `--publish-rm` only accepts `<TargetPort>[/Protocol]` and returns error if the format is invalid. The `--publish-rm` itself may needs to be revisited to have a better UI/UX experience, see discussions on: moby/swarmkit#1396 moby/moby#25200 (comment) moby/moby#25338 (comment) This fix is short term measure so that end users are not misled by the silently ignored error of `--publish-rm`. This fix is related to (but is not a complete fix): moby/swarmkit#1396 Signed-off-by: Yong Tang <yong.tang.github@outlook.com> Upstream-commit: 1b400f6284b17fffa0495e1c801155fdd0716e98 Component: cli

GordonTheTurtle added the version/1.12 label Jul 29, 2016

icecrime added area/networking area/swarm labels Jul 29, 2016

thaJeztah added this to the 1.12.1 milestone Jul 29, 2016

thaJeztah added the kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. label Jul 29, 2016

icecrime added the status/claimed label Aug 1, 2016

dperny mentioned this issue Aug 2, 2016

Fix missing newline in service inspect --pretty #25345

Merged

dperny mentioned this issue Aug 2, 2016

Added check for change to 0 ports moby/swarmkit#1301

Merged

mrjana closed this as completed in moby/swarmkit#1301 Aug 4, 2016

thaJeztah reopened this Aug 4, 2016

thaJeztah added the priority/P1 Important: P1 issues are a top priority and a must-have for the next release. label Aug 5, 2016

thaJeztah mentioned this issue Aug 5, 2016

Fix issue in service update --publish-add #25428

Merged

vdemeester closed this as completed in vdemeester/swarmkit@5982397 Aug 10, 2016

thaJeztah reopened this Aug 10, 2016

aaronlehmann closed this as completed Aug 11, 2016

yongtang mentioned this issue Aug 18, 2016

service update --publish-rm unable to remove pair of ports moby/swarmkit#1396

Open

yongtang mentioned this issue Aug 19, 2016

Return error for incorrect argument of service update --publish-rm #25860

Merged

thaJeztah added the area/ux label Dec 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[1.12] docker service update --publish-rm "[port]:[port]" does not unpublish ports #25200

[1.12] docker service update --publish-rm "[port]:[port]" does not unpublish ports #25200

mike-hearn commented Jul 29, 2016

icecrime commented Jul 29, 2016

dnephin commented Jul 29, 2016

mike-hearn commented Jul 29, 2016

jhorwit2 commented Jul 29, 2016

mike-hearn commented Jul 29, 2016

dperny commented Aug 1, 2016

thaJeztah commented Aug 4, 2016

thaJeztah commented Aug 10, 2016

vdemeester commented Aug 10, 2016

aaronlehmann commented Aug 11, 2016

thaJeztah commented Aug 11, 2016

[1.12] docker service update --publish-rm "[port]:[port]" does not unpublish ports #25200

[1.12] docker service update --publish-rm "[port]:[port]" does not unpublish ports #25200

Comments

mike-hearn commented Jul 29, 2016

icecrime commented Jul 29, 2016

dnephin commented Jul 29, 2016

mike-hearn commented Jul 29, 2016

jhorwit2 commented Jul 29, 2016

mike-hearn commented Jul 29, 2016

dperny commented Aug 1, 2016

thaJeztah commented Aug 4, 2016

thaJeztah commented Aug 10, 2016

vdemeester commented Aug 10, 2016

aaronlehmann commented Aug 11, 2016

thaJeztah commented Aug 11, 2016