-
Notifications
You must be signed in to change notification settings - Fork 600
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zombie containerd-shim processes #318
Comments
The simplest "fix" (workaround) for this repository is something like adjusting |
(If you don't trust our entrypoint script [which, fair], you can also reproduce just the same with |
Temporary workaround is up in #319 (to just throw |
Did you open a ticket in containerd as well? (of the existing ones don't match this scenario?) |
I didn't file an issue there yet, but I've commented at containerd/containerd#5708 (comment) now (because it feels way too similar to be coincidence, IMO). |
Quoting containerd/containerd#5708 (comment) here for posterity:
|
FWIW, I can still reproduce (using $ docker run -dit --privileged --name test --entrypoint dockerd --pull=always docker:dind
dind: Pulling from library/docker
Digest: sha256:a7a9383d0631b5f6b59f0a8138912d20b63c9320127e3fb065cb9ca0257a58b2
Status: Downloaded newer image for docker:dind
41749ef585c457ff1e737f7ef2efc6ac8d3395219a6526c25f042c31bc43ca01
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
22 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml --log-level info
138 root 0:00 ps faux
$ docker exec test docker run --rm tianon/true
Unable to find image 'tianon/true:latest' locally
latest: Pulling from tianon/true
c53fb220cbad: Pulling fs layer
c53fb220cbad: Download complete
c53fb220cbad: Pull complete
Digest: sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b
Status: Downloaded newer image for tianon/true:latest
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
22 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml --log-level info
196 root 0:00 [containerd-shim]
270 root 0:00 ps faux
$ docker exec test docker run --rm tianon/true
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
22 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml --log-level info
196 root 0:00 [containerd-shim]
303 root 0:00 [containerd-shim]
376 root 0:00 ps faux
$ docker exec test docker version
Client:
Version: 20.10.17
API version: 1.41
Go version: go1.17.11
Git commit: 100c701
Built: Mon Jun 6 22:56:42 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.17
API version: 1.41 (minimum version 1.12)
Go version: go1.17.11
Git commit: a89b842
Built: Mon Jun 6 23:01:45 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.6.6
GitCommit: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1
runc:
Version: 1.1.2
GitCommit: v1.1.2-0-ga916309f
docker-init:
Version: 0.19.0
GitCommit: de40ad0 |
dockerd might fail from time to time which looks related to the known issue docker-library/docker#318 and using docker-init is the workaround used by the community Changelog: None Ticket: QA-508 Signed-off-by: Alex Miliukov <[email protected]>
dockerd might fail from time to time which looks related to the known issue docker-library/docker#318 and using docker-init is the workaround used by the community Changelog: None Ticket: QA-508 Signed-off-by: Alex Miliukov <[email protected]>
Coming back a year later to ring the bell again: 😭 $ docker run -dit --privileged --name test --entrypoint dockerd --pull=always docker:dind
dind: Pulling from library/docker
Digest: sha256:87d892c14d2b755ac4e8268b21e8c8a7ff7f44b52753e265b7a300d2fa065d50
Status: Image is up to date for docker:dind
99217162d401fa0c9785053345702d946c7e5fb241be3a6faf84dfb4056a13ce
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
23 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml
189 root 0:00 ps faux
$ docker exec test docker run --rm tianon/true
Unable to find image 'tianon/true:latest' locally
latest: Pulling from tianon/true
4e30b577f37b: Pulling fs layer
4e30b577f37b: Verifying Checksum
4e30b577f37b: Download complete
4e30b577f37b: Pull complete
Digest: sha256:45b95352fad44acee2c35a4ddc2205b61448b1daf2ba2c949b7136582446e682
Status: Downloaded newer image for tianon/true:latest
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
23 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml
248 root 0:00 [containerd-shim]
316 root 0:00 ps faux
$ docker exec test docker run --rm tianon/true
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
23 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml
248 root 0:00 [containerd-shim]
346 root 0:00 [containerd-shim]
411 root 0:00 ps faux
$ docker exec test docker version
Client:
Version: 27.0.2
API version: 1.46
Go version: go1.21.11
Git commit: 912c1dd
Built: Wed Jun 26 18:46:21 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 27.0.2
API version: 1.46 (minimum version 1.24)
Go version: go1.21.11
Git commit: e953d76
Built: Wed Jun 26 18:47:59 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.7.18
GitCommit: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
runc:
Version: 1.1.13
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0 |
It's a long time, not sure whether is same condition. I changed the host kernel from realtime to a generic one, then problem solved. |
Yes, 26 is also affected: $ docker run -dit --privileged --name test --entrypoint dockerd --pull=always docker:26-dind
26-dind: Pulling from library/docker
Digest: sha256:dfaffff209798d9efe4ec07243d172ba8706918859c87869656a5d3091df44bb
Status: Image is up to date for docker:26-dind
94ddbbe9823bad23454556b690c854e6ac8b7e06adc71095676d7ccf2c7ef9d2
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
26 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml
163 root 0:00 ps faux
$ docker exec test docker run --rm tianon/true
Unable to find image 'tianon/true:latest' locally
latest: Pulling from tianon/true
4e30b577f37b: Pulling fs layer
4e30b577f37b: Verifying Checksum
4e30b577f37b: Download complete
4e30b577f37b: Pull complete
Digest: sha256:45b95352fad44acee2c35a4ddc2205b61448b1daf2ba2c949b7136582446e682
Status: Downloaded newer image for tianon/true:latest
$ docker exec test docker run --rm tianon/true
$ docker exec test ps faux
PID USER TIME COMMAND
1 root 0:00 dockerd
26 root 0:00 containerd --config /var/run/docker/containerd/containerd.toml
197 root 0:00 [containerd-shim]
277 root 0:00 [containerd-shim]
336 root 0:00 ps faux
$ docker exec test docker version
Client:
Version: 26.1.4
API version: 1.45
Go version: go1.21.11
Git commit: 5650f9b
Built: Wed Jun 5 11:27:57 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.1.4
API version: 1.45 (minimum version 1.24)
Go version: go1.21.11
Git commit: de5c9cf
Built: Wed Jun 5 11:29:25 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.7.18
GitCommit: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0 |
This isn't specific to the way $ docker run -dit --rm --name test --privileged --pull=always tianon/containerd:rc
rc: Pulling from tianon/containerd
Digest: sha256:bc0d7e7f36b2963769c4924a11bf1da09f501cbccdc7cb8c2f5d011d0d066440
Status: Image is up to date for tianon/containerd:rc
9f2cb8622b6ac98c90a0d2fbe325993199d71f5c469941a7c2117492c1d8ad12
$ docker exec test ctr i pull docker.io/tianon/true:latest > /dev/null
$ docker exec test ctr run --rm docker.io/tianon/true:latest test
$ docker exec test ctr run --rm docker.io/tianon/true:latest test
$ docker exec test ctr run --rm docker.io/tianon/true:latest test
$ # "tianon/containerd" doesn't have "ps" and I can't convince "docker top" to show zombies 🙈
$ docker run --rm --pid container:test bash ps faux
PID USER TIME COMMAND
1 root 0:00 containerd
91 root 0:00 [containerd-shim]
166 root 0:00 [containerd-shim]
248 root 0:00 [containerd-shim]
299 root 0:00 ps faux
$ docker exec test ctr version
Client:
Version: v2.0.0-rc.3
Revision: 27de5fea738a38345aa1ac7569032261a6b1e562
Go version: go1.22.4
Server:
Version: v2.0.0-rc.3
Revision: 27de5fea738a38345aa1ac7569032261a6b1e562
UUID: 46bfcb40-716f-46fb-8887-6010373bed51 |
If I do the same test with
--init
or... docker:20-dind docker-init dockerd
, then we get no zombies.I think this is technically a bug in containerd, because I can reproduce with bare
containerd
as pid1 as well, but it doesn't seem quite the same as containerd/containerd#5708 (although perhaps related).cc @thaJeztah @cpuguy83
The text was updated successfully, but these errors were encountered: