containrrr / watchtower

A process for automating Docker container base image updates.
https://containrrr.dev/watchtower/
Apache License 2.0

Cannot connect to the Docker daemon after Docker daemon update #2023

Open brechsteiner opened 3 weeks ago

brechsteiner commented 3 weeks ago

Describe the bug

If the Docker daemon on a host is updated by apt, the Watchtower container can no longer communicate with the Docker daemon via the socket.

Steps to reproduce

1) Run Docker via Compose

services:
  watchtower:
    image: containrrr/watchtower:latest
    container_name: watchtower
    restart: always
    network_mode: bridge
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
    environment:
      - WATCHTOWER_WARN_ON_HEAD_FAILURE=never
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_SCHEDULE=0 15 5 * * *
      - WATCHTOWER_INCLUDE_RESTARTING=true

2) Update Docker Daemon with apt upgrade

3) Wait for Watchtower check interval

Expected behavior

The Watchtower should still be able to communicate via the socket after the update.

Screenshots

No response

Environment

Your logs

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Additional context

No response

github-actions[bot] commented 3 weeks ago

Hi there! 👋🏼 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 🙏

wollomatic commented 3 weeks ago

Hi @brechsteiner,

do you have "live-restore": true set in the /etc/docker/daemon.json?

It is a common issue that after an update of the Docker daemon the socket connections are dysfunctional, so that the client has to be restarted.

That's one reason I created a socket-proxy with an integrated watchdog, so it can restart when the socket connection fails.

Here is my configuration with Watchtower:

services:

  watchtower:
    image: containrrr/watchtower:1.7.1
    restart: always
    read_only: true
    user: 2000:2000
    command:
      - '--host=tcp://dockerproxy:2375'
      - '--cleanup'
      - '--debug'
      - '--label-enable'
      - '--schedule=0 0 4 * * *'
    networks:
      - watchtower
      - docker_socket

  dockerproxy:
    image: wollomatic/socket-proxy:1.5.0
    restart: unless-stopped
    user: 65534:999 # GID needs to be Docker group
    read_only: true
    mem_limit: 256M
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
    command:
      - '-loglevel=info'
      - '-allowfrom=watchtower'
      - '-listenip=0.0.0.0'
      - '-allowGET=/v1\..{2}/(containers/.*|images/.*)'
      - '-allowPOST=/v1\..{2}/(containers/.*|images/.*|networks/.*)'
      - '-allowDELETE=/v1\..{2}/(containers/.*|images/.*)'
      - '-watchdoginterval=60'
      - '-stoponwatchdog'
      - '-shutdowngracetime=5'
    labels:
      - com.centurylinklabs.watchtower.enable=false # this is important! Without, an automatic update would break Watchtower and socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - docker_socket

networks:
  watchtower:
    driver: bridge
  docker_socket:
    internal: true
    attachable: false
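To see what the allow-list in the socket-proxy command above actually permits and denies, here is an added Python evaluator (example code, not part of the thread and not socket-proxy's own matching code). It assumes each pattern is matched against the whole request path with the query string dropped, which the page does not state, and the sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit

# Allow-list copied from the socket-proxy command line above: one regex per
# HTTP method. Methods without a rule (HEAD, PUT, PATCH, ...) have no pattern.
ALLOW_RULES = {
    "GET": r"/v1\..{2}/(containers/.*|images/.*)",
    "POST": r"/v1\..{2}/(containers/.*|images/.*|networks/.*)",
    "DELETE": r"/v1\..{2}/(containers/.*|images/.*)",
}


def is_allowed(method, url, rules=ALLOW_RULES):
    """Return True if the request would pass the allow-list.

    Assumption (not from the page): the regex must match the whole path,
    and the query string is ignored.
    """
    pattern = rules.get(method.upper())
    if pattern is None:
        return False
    path = urlsplit(url).path
    return re.fullmatch(pattern, path) is not None


def audit(requests, rules=ALLOW_RULES):
    """Evaluate (method, url) pairs; return {(method, url): allowed}."""
    return {(m, u): is_allowed(m, u, rules) for m, u in requests}


# Constructed sample of Docker Engine API calls (hypothetical ids/tags).
SAMPLE_REQUESTS = [
    ("GET", "/v1.45/containers/json?all=1"),                     # list containers
    ("GET", "/v1.45/images/alpine:3.20/json"),                   # inspect image
    ("POST", "/v1.45/images/create?fromImage=alpine&tag=3.20"),  # pull image
    ("POST", "/v1.45/containers/abc123/stop"),
    ("DELETE", "/v1.45/containers/abc123"),
    ("POST", "/v1.45/networks/net1/connect"),
    ("POST", "/v1.45/containers/abc123/exec"),  # containers/.* is broad: exec passes too
    ("GET", "/v1.45/info"),                     # host info: denied
    ("POST", "/v1.45/volumes/create"),          # volumes: denied
    ("GET", "/_ping"),                          # unversioned path: denied
    ("HEAD", "/v1.45/containers/json"),         # no HEAD rule: denied
    ("GET", "/v1.100/containers/json"),         # 3-digit minor version: .{2} denies
]

if __name__ == "__main__":
    for (method, url), ok in audit(SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {method:6} {url}")
```

The `containers/.*` rule also covers sub-resources such as `exec`, so the list is somewhat broader than the listed Watchtower calls strictly need; the `.{2}` version fragment would stop matching if the API minor version ever grew to three digits.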