BUG REPORT INFORMATION
Description
In a multiple network interface environment, after running docker network disconnect to disconnect one NIC and stopping the container, the IP address on the other NIC is still reachable. Frankly, at this time, this container's network namespace should have disappeared.
Steps to reproduce the issue:
1. Start container:
   docker run -dt centos bash
2. Create ipvlan device in host (here vxlan_oam is a vxlan device):
   ip link add ipvlan3 link vxlan_oam type ipvlan mode l2
3. cd /var/run/netns
4. Get PID of that container
5. ln -s /proc/PID/ns/net /var/run/netns/PID
6. Add ipvlan3 to container as follows:
   ip link set dev ipvlan3 netns 7973
   [root@cluster-misc netns]# ip netns exec 7973 ip addr
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
   32: eth0@if33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
       link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
       inet 172.17.0.2/16 scope global eth0
          valid_lft forever preferred_lft forever
       inet6 fe80::42:acff:fe11:2/64 scope link
          valid_lft forever preferred_lft forever
   34: ipvlan3@if9: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
       link/ether b6:0e:e8:51:2c:c9 brd ff:ff:ff:ff:ff:ff
   [root@cluster-misc netns]#
7. Add IP address to ipvlan3 in container:
   ip netns exec PID ip addr add 10.100.10.3/24 dev ipvlan3
8. Bring up ipvlan3 in container:
   ip netns exec PID ip link set ipvlan3 up
9. Add another netns:
   ip netns add ns001
10. Create another ipvlan device on host:
    ip link add ipvlan1 link vxlan_oam type ipvlan mode l2
11. Add ipvlan1 to ns001:
    ip link set dev ipvlan1 netns ns001
12. Add IP address to ipvlan1 in ns001:
    ip netns exec ns001 ip addr add 10.100.10.1/24 dev ipvlan1
13. Bring ipvlan1 in ns001 up:
    ip netns exec ns001 ip link set ipvlan1 up
14. Ping 10.100.10.3 from ns001; it works well:
    ip netns exec ns001 ping 10.100.10.3
15. Now disconnect eth0 from bridge:
    docker network disconnect bridge container_id
16. docker stop container_id;
    docker rm container_id
17. Step 14 still works, i.e. ping still works. It is not reasonable, because the docker container was stopped and deleted.
Describe the results you received:
The device and IP address in the deleted container are still reachable.
Describe the results you expected:
The container network namespace shall clear all information, including the device and IP address, when the container is stopped and deleted.
Additional information you deem important (e.g. issue happens only occasionally):
Always reproducible.
Output of docker version:
[root@cluster-misc netns]# docker version
Client:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built:
OS/Arch: linux/amd64
Server:
Version: 1.12.1
API version: 1.24
Go version: go1.6.3
Git commit: 23cf638
Built:
OS/Arch: linux/amd64
Output of docker info:
[root@cluster-misc netns]# docker info
Containers: 5
Running: 0
Paused: 0
Stopped: 5
Images: 58
Server Version: 1.12.1
Storage Driver: devicemapper
Pool Name: docker-253:0-25813446-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 3.695 GB
Data Space Total: 107.4 GB
Data Space Available: 4.699 GB
Metadata Space Used: 5.923 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.142 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.107-RHEL7 (2015-10-14)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge null host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 4.8.11-1.el7.elrepo.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 2.937 GiB
Name: cluster-misc
ID: NXSJ:RTDK:LQRT:JW6W:IUNX:FMSL:IPL3:KIVY:TEYA:WVHY:ITNK:5OXK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Http Proxy: http://10.0.2.15:6699/
Https Proxy: https://10.0.2.15:6699/
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
127.0.0.0/8
[root@cluster-misc netns]#
Additional environment details (AWS, VirtualBox, physical, etc.):
This issue occurs on all VirtualBox, physical and VM platforms.
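
An added example, not part of the original report or of Docker's code: a small shell audit that can be run before and after `docker rm` to see which handles under a netns directory such as `/var/run/netns` still resolve to a network namespace, and whether any process still lives in it. The function names and state labels are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the report). Function names are illustrative.

# ns_id HANDLE: print the "net:[inode]" identity behind a netns handle,
# or nothing when the handle is stale (its target no longer exists).
ns_id() {
    p=$1; hops=0
    while [ -L "$p" ] && [ "$hops" -lt 8 ]; do
        t=$(readlink "$p" 2>/dev/null) || return 0
        case $t in
            net:\[*\]) printf '%s\n' "$t"; return 0 ;;  # /proc magic link
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
        hops=$((hops + 1))
    done
    # Not a symlink: a bind-mounted nsfs file, as `ip netns add` creates.
    if [ -e "$p" ]; then printf 'net:[%s]\n' "$(stat -c %i "$p")"; fi
    return 0
}

# live_ns_ids PROC_ROOT: identities of namespaces that still hold a process.
live_ns_ids() {
    for d in "$1"/[0-9]*; do
        if [ -L "$d/ns/net" ]; then readlink "$d/ns/net" 2>/dev/null || true; fi
    done | sort -u
}

# audit_netns PROC_ROOT NETNS_DIR: print "<state> <name>" per handle.
#   stale   handle resolves to nothing
#   in-use  namespace has at least one live process
#   pinned  namespace exists, but no process lives in it
audit_netns() {
    live=$(live_ns_ids "$1")
    for h in "$2"/*; do
        [ -e "$h" ] || [ -L "$h" ] || continue
        id=$(ns_id "$h")
        if [ -z "$id" ]; then state=stale
        elif printf '%s\n' "$live" | grep -Fxq -- "$id"; then state=in-use
        else state=pinned
        fi
        printf '%s %s\n' "$state" "$(basename "$h")"
    done
}

# On a real host (root is needed to read other users' /proc entries):
#   audit_netns /proc /var/run/netns
```

A symlink handle like the one created in step 5 turns stale as soon as the container process exits, so on its own it cannot show whether the namespace was torn down. A bind-mounted handle such as ns001 is reported as pinned, which is expected for `ip netns add`.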