-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bugfix systemd docker daemon conflicting with daemon.json #27473
Conversation
recommended `/etc/docker/daemon.json`. An example use case is configuring daemon.json with TLS verify and setting the listening interface with the hosts field. Example JSON which causes docker daemon to fail to start. ```json { "hosts": ["tcp://127.0.0.1:2700"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/cert.pem", "tlskey": "/etc/docker/key.pem" } ``` Error encountered: > unable to configure the Docker daemon with file > /etc/docker/daemon.json: the following directives are specified both as > a flag and in the configuration file: hosts: (from flag: [fd://], from > file: [tcp://127.0.0.1:2700]) fixes #22339 Signed-off-by: Sam Gleske <sam.mxracer@gmail.com>
@@ -9,7 +9,7 @@ Type=notify | |||
# the default is not to use systemd for cgroups because the delegate issues still | |||
# exists and systemd currently does not support the cgroup feature set required | |||
# for containers run by docker | |||
ExecStart=/usr/bin/dockerd -H fd:// | |||
ExecStart=/usr/bin/dockerd |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is not correct, as -H fd://
is required for socket activation (see https://github.com/docker/docker/pull/27473/files#diff-ff907ce70a8c7e795bde1de91be6fa68R5 above)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Except, my docker instance works just fine without that option. That option also directly conflicts with daemon.json
. It's not possible to configure the hosts
field in daemon.json
so long as that option exists.
Docker should provide a default socket if none is specified (and it does).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW: my /lib/systemd/system/docker.service
file has...
...
ExecStart=/usr/bin/dockerd $DOCKER_OPTS
...
And in /etc/default/docker
I have DOCKER_OPTS=""
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, docker will still start, but socket activation will no longer work; see https://www.freedesktop.org/software/systemd/man/systemd.socket.html, http://0pointer.de/blog/projects/socket-activation.html, and http://superuser.com/questions/860869/how-does-docker-tcp-socket-actually-enable-dockers-remote-api-on-coreos#881825
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, it's really not recommended to edit the docker.service
directly (e.g. to add $DOCKER_OPTS
. Doing so may result in the unit file not being updated if a new version becomes available. To make changes, always use an override ("drop-in") file https://docs.docker.com/engine/admin/systemd/#/custom-docker-daemon-options
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure what issues you're describing about the docker socket. When I make the described changes docker still creates a socket and I can run docker
client commands just fine (e.g. docker images
).
The current configuration makes configuring hosts via daemon.json
not possible. It means people are forced to configure the daemon via /etc/default/docker
which clearly states as not recommended.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An excerpt from /etc/default/docker
:
# Here in Debian, this file is sourced by:
# - /etc/init.d/docker (sysvinit)
# - /etc/init/docker (upstart)
# - systemd's docker.service
# Use of this file for configuring your Docker daemon is discouraged.
# The recommended alternative is "/etc/docker/daemon.json", as described in:
# https://docs.docker.com/v1.11/engine/reference/commandline/daemon/#daemon-configuration-file
Notice Use of this file for configuring your Docker daemon is discouraged
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That message is (although not incorrect) probably added by the Ubuntu packagers, as it's not in the official packages from this repository https://github.com/docker/docker/blob/v1.12.2/contrib/init/sysvinit-debian/docker.default#L3-L8
The socket is still created with this change, however socket activation no longer works; socket activation allows docker to be automatically started when you're trying to connect to it (and without the service running before that)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thaJeztah what change do you think would be appropriate here? Do you recognize the issue I'm raising and agree it's an issue?
It seems a bit of a chicken and egg scenario. I want to use daemon.json
but -H fd://
is preventing me (although, I could add that to the hosts of the daemon.json).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is socket activation necessary here? I stopped the docker daemon and then ran docker images
. It seems it didn't start the docker daemon for me or perhaps I misunderstand. Instead, I got the following message.
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
I'm going to open a new issue related to this and amend my commit. EDIT: I'll just let this PR serve as my issue unless I'm required otherwise. |
We don't recommend using socket activation, it means container restart does |
@justincormack that was for RPM based installs (for which we removed it), on .deb based installs, socket activation is still in use |
@thaJeztah why? It causes the same issues. I think we should remove it everywhere. |
@justincormack I'm not against removing it, as I don't think it's widely used (actually suggested that on other occasions), but based on #24804 (comment) its not causing issues for deb-based systems |
It's causing issues on my deb-based system because I wish to make use of |
@samrocketman that comment was about the reason socket activation was not a problem for deb-based installs for restarting. A related discussion of the conflict between |
Thanks for the reference, I've subscribed for updates. |
@thaJeztah what's up here? |
@LK4D4 this is about removing socket activation from all systemd unit files, but there was no consensus yet if that's a good thing to do ping @tonistiigi |
Socket activation works fine when you just specify it in the json file and leave out the |
I think socket activation is a useful feature. If we don't use it we are not following the best practices for unit files. It's a shame that selinux and systemd can't figure out how to work together in fedora. For the perspective of specifying hosts, socket activation is no different. We would have the same problem if you specify |
We discussed this in the maintainers meeting, and this PR in its current form cannot be merged due to it being needed for socket activation. We are open to having a I'll open an issue for tracking later update: there's an issue tracking this already, see #21559 |
I am facing an issue while updating below entries in docker daemon.json if i used override options my containers won't come up [systemm]# cat /lib/systemd/system/docker.service [Service] [Install] |
- What I did
On Ubuntu package:
I created
/etc/default/daemon.json
with the contents.Starting the docker daemon (
systemctl start docker.service
) causes the error- How I did it
Patch the
docker.service
and the error goes away.- How to verify it
docker.io
package in Ubuntu 16.04./lib/systemd/system/docker.service
with the changes in this PR./etc/docker/daemon.json
. Restart and watch restart success.- Description for the changelog
fixes #22339