docker 1.13.0 creates empty docker folder in filesystem root

[weirdgiraffe]

Description
Empty /docker folder will be created when docker starts a container. On readonly root filesystem it produces an error:

docker: Error response from daemon: linux init cgroups path: mkdir /docker: read-only file system

This behaviour was introduced in commit 7ed3d265a and this side effect is not described in changelog, so it looks like some kind of buggy behaviour.

Steps to reproduce the issue:

1. under ubuntu 16.04 or debian jessie upgrade docker from 1.12.6 to 1.13.0
2. start any container, for example docker run --rm alpine /bin/true

Steps to reproduce the issue if /docker folder already exists:

1. remove /docker folder
2. start any container, for example docker run --rm alpine /bin/true

Describe the results you received:

Empty /docker folder will be created

Describe the results you expected:

No additional folders should creaded in fylesystem root.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      1.13.0
 API version:  1.25
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Tue Jan 17 09:44:08 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.13.0
 API version:  1.25 (minimum version 1.12)
 Go version:   go1.7.3
 Git commit:   49bf474
 Built:        Tue Jan 17 09:44:08 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 84
Server Version: 1.13.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 62
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
runc version: 2f7393a47307a16f8cee44a37b262e8b81021e3e
init version: 949e6fa
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 9 (stretch)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 993.7 MiB
Name: playground
ID: QEFF:ZELR:MFUQ:Q4M3:SYYS:CY6V:L6TJ:RHGQ:2NWF:ZJ4U:5JXS:INWX
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 15
 Goroutines: 22
 System Time: 2017-01-31T12:07:05.871298086+01:00
 EventsListeners: 0
Registry: https://index.docker.io/v1/
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Experimental: false
Insecure Registries:
 localregistry:5000
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

[anusha-ragunathan]

Intent of commit 7ed3d26 was to add support for exec-opt native.cgroupdriver. This option can take systemd or cgroupfs. In this case, cgroupfs is used. Looks like the directory creation is an undesired side effect of using cgroupfs. Need to investigate in the runc repo.

If you repeat the test using by starting the daemon using systemd,
dockerd --exec-opt native.cgroupdriver=systemd, the directory is not created.

[weirdgiraffe]

I can confirm that workaround with --exec-opt native.cgroupdriver=systemd works.
And I'm looking forward for further investigation of this undesired side effect

[anusha-ragunathan]

I just tested this on 1.13.1-rc1 and it seems fixed.

[anusha-ragunathan]

Also, this is not plugins related.

[anusha-ragunathan]

@weirdgiraffe : can you upgrade to 1.13.1-rc1 and try it out? I'll close the issue once you confirm

[thaJeztah]

@anusha-ragunathan could it be fixed by #29846 ?

[anusha-ragunathan]

@thaJeztah : Yes, that's the one 👍

[anusha-ragunathan]

It's worth adding that to the Changelog.