Add "Delegate=yes" to docker's service file #20633

crosbymichael · 2016-02-23T22:24:03Z

We need to add delegate yes to docker's service file so that it can
manage the cgroups of the processes that it launches without systemd
interfering with them and moving the processes after it is reloaded.

       Delegate=
           Turns on delegation of further resource control partitioning to
           processes of the unit. For unprivileged services (i.e. those
           using the User= setting), this allows processes to create a
           subhierarchy beneath its control group path. For privileged
           services and scopes, this ensures the processes will have all
           control group controllers enabled.

This is the proper fix for issue #20152

Signed-off-by: Michael Crosby [email protected]

crosbymichael · 2016-02-23T22:25:29Z

@PierreF @LK4D4 Can you two check this out and see if it fixes your issue. You an do a build off of master because it does not include the libcontainer fix yet so that you can test this independently. It should work with all systemd versions properly.

LK4D4 · 2016-02-23T22:52:02Z

Works for me.

philips · 2016-02-23T23:48:58Z

Nack. We should default to systemd on systemd: #20635

crosbymichael · 2016-02-23T23:55:30Z

@philips why? systemd cgroups gives us a small subset of the features we need and then we have to do everything else via the filesystem api anyways so why depend on it if it provides us with so little?

We also fight with weird bugs all the time that are related to systemd cgroups across different version of os and systemd. It appears that Delegate=yes is exactly what we want from the docker daemon to manage the cgroups of the containers that it launches.

philips · 2016-02-24T00:00:34Z

@crosbymichael Is there a documented chain of issues of where and why this is happening? If we are making changes to default behavior we should document why. The other way to look at this is #20152 was caused by #17704

crosbymichael · 2016-02-24T00:11:50Z

@philips actually #20152 still applies when using systemd cgroup driver. The underlying cause is in systemd and how it handles the children of daemons that write any cgroup changes.

The previous change just made it more obvious to users; it is a long running issue that no one noticed until the change of defaults and there is no other way to properly fix this that i can see.

[Unit]
Description=docker
Documentation=https://docker.com
After=network.target

[Service]
MemoryLimt=3072M
CPUQuota=200%
ExecStartPre=/sbin/modprobe overlay
ExecStart=/usr/local/bin/docker daemon -D --userland-proxy=false -s overlay --exec-opt native.cgroupdriver=systemd
#Delegate=yes

[Unit]
Description=docker
Documentation=https://docker.com
After=network.target

michael|~/development/gocode/src/github.com/docker/docker > cat /proc/17630/cgroup 
10:memory:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
9:hugetlb:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
8:freezer:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
7:net_cls,net_prio:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
6:perf_event:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
5:devices:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
4:cpu,cpuacct:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
3:blkio:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
2:cpuset:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
1:name=systemd:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
michael|~/development/gocode/src/github.com/docker/docker > sudo systemctl daemon-reload 
michael|~/development/gocode/src/github.com/docker/docker > sudo systemctl restart cron
michael|~/development/gocode/src/github.com/docker/docker > cat /proc/17630/cgroup 
10:memory:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
9:hugetlb:/system.slice
8:freezer:/system.slice
7:net_cls,net_prio:/system.slice
6:perf_event:/system.slice
5:devices:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
4:cpu,cpuacct:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
3:blkio:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope
2:cpuset:/system.slice
1:name=systemd:/system.slice/docker-933fca94925897532d07c180bf73552abdba1b709c5f3e283cb2462cbee01f76.scope

calavera · 2016-02-24T00:20:09Z

This change LGTM. We know as a fact that our implementation will always work for containers started by Docker, we cannot say the same about systemd's implementation unfortunately.

PierreF · 2016-02-24T10:00:52Z

Built crosbymichael/unit-file (839f86c):

$ docker version
Client:
 Version:      1.11.0-dev
 API version:  1.23
 Go version:   go1.5.3
 Git commit:   839f86c
 Built:        Wed Feb 24 09:30:04 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.0-dev
 API version:  1.23
 Go version:   go1.5.3
 Git commit:   839f86c
 Built:        Wed Feb 24 09:30:04 2016
 OS/Arch:      linux/amd64

Tested on Ubuntu wily, Ubuntu xenial:

first WITHOUT changing unit-file : it failed
the by creating /etc/systemd/system/docker.service.d/override.conf : it works

$ cat /etc/systemd/system/docker.service.d/override.conf                                                                                                            
[Service]
Delegate=yes

Also tested on Debian jessie : it does NOT works... but it's because Delegate doesn't exists in this Systemd version:

# journalctl -n1
Feb 24 10:52:37 jessie systemd[1]: [/etc/systemd/system/docker.service.d/override.conf:2] Unknown lvalue 'Delegate' in section 'Service'
# systemctl --version
systemd 215
+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR

cyphar · 2016-02-24T10:34:23Z

LGTM. This solves several of the really hairy problems with systemd changing cgroups due to external factors (like the angle of the sun and how many pencils are on the left side of your desk, etc).

philips · 2016-02-24T17:27:16Z

Given that we are trying to work with a thousand different versions of systemd all patched in different ways it seems like this is the best default. LGTM.

philips · 2016-02-24T17:28:06Z

We should probably add a comment about --exec-opt native.cgroupdriver=systemd however to this service file.

crosbymichael · 2016-02-24T17:58:01Z

I'll update with a comment soon

tianon · 2016-02-24T17:59:44Z

To be clear, on platforms where Delegate= isn't supported yet (like Debian Jessie, noted by @PierreF above in #20633 (comment)), does this create an error (and thus a daemon that doesn't start), or just a warning?

crosbymichael · 2016-02-24T18:15:06Z

@tianon i don't know if it errors or not, if someone is running 215 can you try really quick?

PierreF · 2016-02-24T22:50:06Z

Just a warning, and Docker daemon is started.

tianon · 2016-02-24T22:59:04Z

Sweet, SGTM 👍

We need to add delegate yes to docker's service file so that it can manage the cgroups of the processes that it launches without systemd interfering with them and moving the processes after it is reloaded. ``` Delegate= Turns on delegation of further resource control partitioning to processes of the unit. For unprivileged services (i.e. those using the User= setting), this allows processes to create a subhierarchy beneath its control group path. For privileged services and scopes, this ensures the processes will have all control group controllers enabled. ``` This is the proper fix for issue moby#20152 Signed-off-by: Michael Crosby <[email protected]>

crosbymichael · 2016-02-25T18:32:39Z

Ok, I added comments for the cgroup default and the delegate yes section in the file

philips · 2016-02-25T18:35:40Z

lgtm

crosbymichael · 2016-02-25T18:47:43Z

Thanks for the reviews all.

Add "Delegate=yes" to docker's service file

ngrilly · 2018-05-23T19:54:43Z

Is it safe to run Docker on Debian Jessie with systemd 215 that doesn't support Delegate=?

GordonTheTurtle added the status/0-triage label Feb 23, 2016

icecrime added status/2-code-review and removed status/0-triage labels Feb 23, 2016

philips mentioned this pull request Feb 24, 2016

contrib/init/systemd: use systemd cgroups driver #20635

Closed

crosbymichael force-pushed the unit-file branch from 839f86c to d16737f Compare February 25, 2016 18:32

crosbymichael added a commit that referenced this pull request Feb 25, 2016

Merge pull request #20633 from crosbymichael/unit-file

6582013

Add "Delegate=yes" to docker's service file

crosbymichael merged commit 6582013 into moby:master Feb 25, 2016

crosbymichael deleted the unit-file branch February 25, 2016 18:47

thaJeztah mentioned this pull request Mar 24, 2016

Docker container exited with System error: stat /system.slice/docker.service: no such file or directory. #21444

Closed

thaJeztah mentioned this pull request Jun 13, 2016

oci runtime error: Cannot set property Delegate, or unknown property #23374

Closed

thaJeztah added this to the 1.11.0 milestone Jun 17, 2016

thaJeztah mentioned this pull request Jun 17, 2016

Cgroups info on host not updated with cgroupfs #22525

Closed

thaJeztah mentioned this pull request Jul 1, 2016

Can't run any container after Docker re-install on CentOS7 on AWS #24184

Closed

thaJeztah mentioned this pull request Jul 29, 2016

docker-engine upgrade failed on Debian Jessie from 1.11.2-0~jessie to 1.12.0-0~jessie #25222

Closed

thaJeztah mentioned this pull request May 31, 2017

[1.10] Docker top something return empty list of processes for a running container #20152

Closed

thaJeztah mentioned this pull request Aug 31, 2018

Update new systemd unit file with changes from upstream docker/docker-ce-packaging#179

Merged

seemethere mentioned this pull request Sep 4, 2018

[18.09] Update new systemd unit file with changes from upstream docker/docker-ce-packaging#182

Merged

Add "Delegate=yes" to docker's service file #20633

Add "Delegate=yes" to docker's service file #20633

Uh oh!

Conversation

crosbymichael commented Feb 23, 2016

Uh oh!

crosbymichael commented Feb 23, 2016

Uh oh!

LK4D4 commented Feb 23, 2016

Uh oh!

philips commented Feb 23, 2016

Uh oh!

crosbymichael commented Feb 23, 2016

Uh oh!

philips commented Feb 24, 2016

Uh oh!

crosbymichael commented Feb 24, 2016

Uh oh!

calavera commented Feb 24, 2016

Uh oh!

PierreF commented Feb 24, 2016

Uh oh!

cyphar commented Feb 24, 2016

Uh oh!

philips commented Feb 24, 2016

Uh oh!

philips commented Feb 24, 2016

Uh oh!

crosbymichael commented Feb 24, 2016

Uh oh!

tianon commented Feb 24, 2016

Uh oh!

crosbymichael commented Feb 24, 2016

Uh oh!

PierreF commented Feb 24, 2016

Uh oh!

tianon commented Feb 24, 2016 via email

Uh oh!

crosbymichael commented Feb 25, 2016

Uh oh!

philips commented Feb 25, 2016

Uh oh!

crosbymichael commented Feb 25, 2016

Uh oh!

ngrilly commented May 23, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

11 participants