To be honest, I'm not even sure whether this issue is directly related to RootlessKit, or maybe to containerd or Docker itself, but if it isn't, please let me know and I will move it elsewhere. I created the issue here because /usr/share/docker.io/contrib/dockerd-rootless.sh, at its end, starts a rootlesskit process which initializes the Docker daemon and containerd processes:
export _DOCKERD_ROOTLESS_CHILD
# Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces.
#
# --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks
# * /etc: copy-up is required so as to prevent `/etc/resolv.conf` in the
# namespace from being unexpectedly unmounted when `/etc/resolv.conf` is recreated on the host
# (by either systemd-networkd or NetworkManager)
# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace
exec $rootlesskit \
--net=$net --mtu=$mtu \
--slirp4netns-sandbox=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX \
--slirp4netns-seccomp=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP \
--disable-host-loopback --port-driver=$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER \
--copy-up=/etc --copy-up=/run \
--propagation=rslave \
$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \
$0 $@
My Setup
Rootless Docker setup on Debian 11
Tools/versions:
rootlesskit : 0.14.2-1+b3
runc: 1.0.0~rc93+ds1-5+deb11u2
containerd: 1.4.13~ds1-1~deb11u3
docker: 20.10.5+dfsg1-1+deb11u2
Issue description
When I try to start the Docker daemon with systemctl --user start docker.service it fails with the message:
It happens only if there are running containers when the Docker daemon is stopped. I see clearly in the journald log that, on stop of the Docker daemon, the containerd processes are killed. This results in the container directories within the /run/user/1000/docker/ directory not being cleaned up:
docker-rootless systemd[552]: Stopping Docker Application Container Engine (Rootless)...
docker-rootless dockerd-rootless.sh[37069]: time="2023-02-24T08:38:01.661787553+01:00" level=info msg="Processing signal 'terminated'"
docker-rootless dockerd-rootless.sh[37069]: time="2023-02-24T08:38:01.663588744+01:00" level=info msg="Daemon shutdown complete"
docker-rootless dockerd-rootless.sh[37069]: time="2023-02-24T08:38:01.663612700+01:00" level=info msg="stopping healthcheck following graceful shutdown" module=libcontainerd
docker-rootless dockerd-rootless.sh[37069]: time="2023-02-24T08:38:01.663854464+01:00" level=info msg="stopping event stream following graceful shutdown" error="context canceled" module=libcontainerd namespace=plugins.moby
docker-rootless dockerd-rootless.sh[37069]: time="2023-02-24T08:38:01.663948934+01:00" level=info msg="stopping event stream following graceful shutdown" error="context canceled" module=libcontainerd namespace=moby
docker-rootless systemd[552]: docker.service: Killing process 37692 (fuse-overlayfs) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37700 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37773 (fuse-overlayfs) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37782 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37702 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37703 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37704 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37705 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37706 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37707 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37708 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37747 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37756 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37783 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37784 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37785 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37786 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37787 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37788 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37789 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37790 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37792 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37847 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Killing process 37979 (containerd-shim) with signal SIGKILL.
docker-rootless systemd[552]: docker.service: Succeeded.
docker-rootless systemd[552]: Stopped Docker Application Container Engine (Rootless).
The systemd docker.service gets created by the dockerd-rootless-setup.sh script provided by the Docker installation package:
Let's assume that I have a container running with the container id 3a9723c5b2421bc661a9df3a85fc4003e1bbb20cfd1a57616632dceb4b0e5cc7. After stopping the Docker daemon, the following directories are still there (with content inside):
find /run/user/1000/docker -type d -name 3a9723c5b2421bc661a9df3a85fc4003e1bbb20cfd1a57616632dceb4b0e5cc7
/run/user/1000/docker/runtime-runc/moby/3a9723c5b2421bc661a9df3a85fc4003e1bbb20cfd1a57616632dceb4b0e5cc7
/run/user/1000/docker/containerd/3a9723c5b2421bc661a9df3a85fc4003e1bbb20cfd1a57616632dceb4b0e5cc7
/run/user/1000/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/3a9723c5b2421bc661a9df3a85fc4003e1bbb20cfd1a57616632dceb4b0e5cc7
Current workaround
I'm using a systemd ExecStop which stops all running containers before the processes started by docker.service are stopped. But this isn't a solution IMHO, especially when you would like to use live-restore.
How it behaves when live-restore is enabled, without stopping the containers beforehand
If I enable live-restore and do a docker.service stop, the application process keeps running, but the parent containerd-shim-runc-v2 process gets killed:
Then, because a start will fail, I have to clean/delete the folders mentioned above in order to start the Docker daemon again. This leads to a container in a stopped state although the container process is still running. If I start the container with docker start, a second process is started, and that is a no-go IMHO.
What I would expect
I wish that stopping the Docker daemon would do the necessary steps, whatever they are, so that the Docker daemon can be started again afterwards without further workarounds.