daemon: release sandbox even when NetworkDisabled

payall4u · akerouanton · commit 9664f33e0db8 · 2023-10-16T12:08:01.000+02:00
When the default bridge is disabled by setting dockerd's `--bridge=none` option, the daemon still creates a sandbox for containers with no network attachment specified. In that case `NetworkDisabled` will be set to true. However, currently the `releaseNetwork` call will early return if NetworkDisabled is true. Thus, these sandboxes won't be deleted until the daemon is restarted. If a high number of such containers are created, the daemon would then take few minutes to start. See #42461. Signed-off-by: payall4u <payall4u@qq.com> Signed-off-by: Albin Kerouanton <albinker@gmail.com>
diff --git a/daemon/container_operations.go b/daemon/container_operations.go
@@ -967,10 +967,17 @@ func (daemon *Daemon) getNetworkedContainer(containerID, connectedContainerID st
 
 func (daemon *Daemon) releaseNetwork(container *container.Container) {
 	start := time.Now()
+	// If live-restore is enabled, the daemon cleans up dead containers when it starts up. In that case, the
+	// netController hasn't been initialized yet and so we can't proceed.
+	// TODO(aker): If we hit this case, the endpoint state won't be cleaned up (ie. no call to cleanOperationalData).
 	if daemon.netController == nil {
 		return
 	}
-	if container.HostConfig.NetworkMode.IsContainer() || container.Config.NetworkDisabled {
+	// If the container uses the network namespace of another container, it doesn't own it -- nothing to do here.
+	if container.HostConfig.NetworkMode.IsContainer() {
+		return
+	}
+	if container.NetworkSettings == nil {
 		return
 	}
 
