Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cgroup delegation issue #38749

Open
voroniys opened this issue Feb 18, 2019 · 1 comment
Open

cgroup delegation issue #38749

voroniys opened this issue Feb 18, 2019 · 1 comment

Comments

@voroniys
Copy link

voroniys commented Feb 18, 2019
edited

Description

The information in /proc/PID/cgroup is duplicated, what breaks systemd.

Steps to reproduce the issue:
1.Install any Linux image contains systemd 237 all above (ubuntu-18.04, Fedora-28)
2. Log in to container and install opendkim.
3. Start the service and see it failed to start

Describe the results you received:
File /proc/PID/cgroup inside container reports /docker/HASH> twice:

$ cat /proc/929/cgroup
11:perf_event:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
10:cpuset:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
9:freezer:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
8:net_cls,net_prio:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
7:pids:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f/system.slice/opendkim.service
6:devices:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f/system.slice/opendkim.service
5:cpu,cpuacct:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
4:hugetlb:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
3:blkio:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
2:memory:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f
1:name=systemd:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f/system.slice/opendkim.service

Describe the results you expected:

path /docker/HASH has to be mentioned only once, like this:

1:name=systemd:/docker/697489ce8b56ae004fd093aae1fcb6ae0daa7ea964b8569eeccc2c9395c3bd8f/system.slice/opendkim.service

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:           18.09.2
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        6247962
 Built:             Sun Feb 10 04:13:50 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.2
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       6247962
  Built:            Sun Feb 10 03:42:13 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Containers: 16
 Running: 5
 Paused: 0
 Stopped: 11
Images: 139
Server Version: 18.09.2
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 186
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9754871865f7fe2f4e74d43e2fc7ccd237edcbce
runc version: 09c8266bf2fcf9519a651b04ae54c967b9ab86ec
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-134-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.842GiB
Name: Works
ID: TRFD:6DS7:H6Z2:V647:JMV2:AOV5:23Y7:I6CT:3HEE:YHCG:AFSS:THRJ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

Additional environment details (AWS, VirtualBox, physical, etc.):
Related to systemd/systemd#11752
@voroniys voroniys mentioned this issue Feb 18, 2019
Closed
@ajknv ajknv mentioned this issue Oct 22, 2019
Open
3 tasks
@ekohl ekohl mentioned this issue Nov 23, 2019
Merged
ekohl added a commit to ekohl/puppet-puppet that referenced this issue Nov 26, 2019
@ekohl
Stop acceptance tests on EL7
f091643 
Because of moby/moby#38749 we can't start
puppetserver under systemd. That makes all our acceptance tests useless.
@ekohl ekohl mentioned this issue Nov 26, 2019
Merged
mmoll pushed a commit to theforeman/puppet-puppet that referenced this issue Nov 26, 2019
@ekohl @mmoll
Stop acceptance tests on EL7
270f72a 
Because of moby/moby#38749 we can't start
puppetserver under systemd. That makes all our acceptance tests useless.
alexjfisher added a commit to alexjfisher/puppet-proxysql that referenced this issue Dec 13, 2019
@alexjfisher
Run acceptance tests on CentOS 7.6
0f8461d 
Needed because of moby/moby#38749
@alexjfisher alexjfisher mentioned this issue Dec 13, 2019
Merged
@baurmatt baurmatt mentioned this issue Jan 7, 2020
Closed
baurmatt added a commit to syseleven/puppet-zabbix that referenced this issue Jan 7, 2020
@baurmatt
Pin CentOS acceptance tests 7.6.1810
8496ed3 
This is needed because of docker/for-linux#835
and moby/moby#38749.

Long story short: systemd on CentOS 7.7 is broken with current versions
of Docker.
@baurmatt baurmatt mentioned this issue Jan 7, 2020
Merged
ljeromets pushed a commit to ljeromets/puppet-zabbix that referenced this issue Feb 2, 2020
@baurmatt @ljeromets
Pin CentOS acceptance tests 7.6.1810
867d1ef 
This is needed because of docker/for-linux#835
and moby/moby#38749.

Long story short: systemd on CentOS 7.7 is broken with current versions
of Docker.
@myii myii mentioned this issue Mar 31, 2020
Open
@timdeluxe timdeluxe mentioned this issue May 12, 2020
Closed
@johnkwoods
Copy link

We are running into this issue, when running Docker CE 19.03.12 under RHEL 7.8.

We created an image using registry.redhat.io/ubi7/ubi-init:latest, which is based on systemd. We installed BIND in the container, and attempted to start the named.service. Even though the named.pid was created, the service encountered these systemd errors:

Jul 20 09:09:32 dns-s4 systemd[1]: New main PID 115 does not belong to service, and PID file is not owned by root. Refusing.
Jul 20 09:09:32 dns-s4 systemd[1]: New main PID 115 does not belong to service, and PID file is not owned by root. Refusing.
Jul 20 09:11:03 dns-s4 systemd[1]: named.service start operation timed out. Terminating.
Jul 20 09:11:03 dns-s4 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Jul 20 09:11:03 dns-s4 systemd[1]: Unit named.service entered failed state.
Jul 20 09:11:03 dns-s4 systemd[1]: named.service failed.

The cgroup file shows:
1:name=systemd:/docker/07b616e182daadca31fa2844e27ed07e47fe7f12ac14d98d23146c6976ce90b6/docker/07b616e182daadca31fa2844e27ed07e47fe7f12ac14d98d23146c6976ce90b6/system.slice/systemd-journald.service

Right now, the only workarounds I see are:

  1. Reconfigure named.service to run as root
  2. Avoid using systemd-based containers altogether. (Probably a cleaner implementation anyways)

@ekohl ekohl mentioned this issue Oct 2, 2020
Merged
alexjfisher added a commit to alexjfisher/puppet-chrony that referenced this issue Oct 25, 2020
@alexjfisher
Use older CentOS 7 and 8 images for testing
1a1d1ab 
This is to workaround moby/moby#38749
alexjfisher added a commit to alexjfisher/puppet-chrony that referenced this issue Oct 25, 2020
@alexjfisher
Disable EL8 acceptance tests and use older 7 image
7b6886a 
The older CentOS7 image works around
moby/moby#38749 We don't currently have a
solution for CentOS8 :(
alexjfisher added a commit to alexjfisher/puppet-chrony that referenced this issue Oct 25, 2020
@alexjfisher
Disable EL8 acceptance tests and use older 7 image
6e90a1c 
The older CentOS7 image works around
moby/moby#38749 We don't currently have a
solution for CentOS8 :(
@kenyon kenyon mentioned this issue Feb 14, 2021
Merged
cegeka-jenkins pushed a commit to cegeka/puppet-proxysql that referenced this issue Aug 22, 2023
@alexjfisher
Run acceptance tests on CentOS 7.6
1823564 
Needed because of moby/moby#38749
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@voroniys @johnkwoods