Docker 1.11.2 systemd --stop-signal=RTMIN+3 still can not stop Docker container

OS: Red Hat Enterprise Linux Workstation release 7.2 (Maipo)
Kernel: Linux xxxxx.xxxxx.com 3.10.0-327.18.2.el7.x86_64 #1 SMP Fri Apr 8 05:09:53 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

```
Client:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:23:11 2016
OS/Arch: linux/amd64

Server:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:23:11 2016
OS/Arch: linux/amd64
```

To Reproduce:

build simple docker image from following Dockerfile:

```dockerfile
FROM centos:7
ENV container docker
RUN yum -y install httpd; yum clean all; systemctl enable httpd
CMD [ "/sbin/init" ]
```


Build using: docker build -t local/stoptest:v1 .
Run using: docker run --privileged -ti --stop-signal=RTMIN+3 -p 80:80 local/stoptest:v1


verify working by browsing to localhost port 80 http://localhost

Issues:

  1. Upon start it kicks me to a virtual console login prompt. Sometimes I can return to my original Gnome 3 session sometimes it eventually returns to the gnome login prompt.

  2. docker stop does not stop container. Container just seems to hang. ‘docker ps’ shows the container is still running, but nothing can connect or use the container.

The only way to stop the container that I found was to issue a ‘systemctl stop docker’.

Anyone know what’s going on here? I thought this was supposed to be fixed?

okay, I think I found the issue (I really wish Docker and Systemd would get their ‘stuff’ together and stop playing games with who should check for whom and adjust. There really should be no need to go through this kind of pain to use systemd on docker. I appreciate the work these teams do, but us ‘users’ out here just want to use something that works, and really don’t have time to waste on someone else’s “politics”.)

anyway, here’s what I found out so far, mostly by trial and error.

1 - build a special image with a minimal Centos 7 pull and a couple of mods for systemd (DO NOT try to do much more in this image, it will probably fail, just use this image to build other images with more complicated ‘stuff’ as needed.)

In this case I simply do the minimum needed and a little yum update, as updating later will probably mess up systemd again (smh!)

minimal image Docker file:

```dockerfile
FROM centos:7
MAINTAINER "you" you@your.email
ENV container docker
RUN yum -y update; yum clean all
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
VOLUME [ "/sys/fs/cgroup" ]
CMD ["/usr/sbin/init"]
```


2 - build this image:

docker build -t centos-systemd-image .

3 - now assume you want a Centos/Systemd container that runs httpd and sshd so you can run a web page and ssh into the container to access html files. Your Dockerfile will look something like this:

```dockerfile
# Create the Dockerfile and make it FROM the "centos-systemd-image" image you just created
FROM centos-systemd-image
MAINTAINER "You" you@your.email
ENV container docker

# install and enable httpd and sshd
RUN yum -y install httpd; yum clean all; systemctl enable httpd
RUN yum -y install openssh-server.x86_64; yum clean all; systemctl enable sshd.service

# Set the root password
RUN echo -e 'passw0rd\npassw0rd\n' | passwd root

VOLUME [ "/sys/fs/cgroup" ]
VOLUME [ "run" ]
CMD ["/usr/sbin/init"]
```

4 - now make this new image

docker build -t usable-centos-systemd-image .

5 - run the new image

docker run --privileged --stop-signal=$(kill -l RTMIN+3) -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /run:/tmp -p 80:80 -p 4022:22 --name usable-centos-systemd-container -h 'localhost' usable-centos-systemd-image

====================
There are probably better ways to run it than with the --privileged option, but for now this works for me.

1 Like
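An added example, not part of the original posts: a small Python check that parses a `docker run` line like the one in step 5 and reports the options that widen the container's access to the host (`--privileged`, writable host bind mounts), plus whether the stop signal is the SIGRTMIN+3 that systemd acts on as a shutdown request. The name `audit_run`, its `systemd_pid1` parameter and the finding texts are hypothetical, and the sample command is the step 5 line with the `$(kill -l RTMIN+3)` substitution already expanded.

```python
import shlex
import signal

# SIGRTMIN is 34 with glibc on Linux, so `kill -l RTMIN+3` prints 37 there.
RTMIN3 = int(getattr(signal, "SIGRTMIN", 34)) + 3
SYSTEMD_STOP = {"RTMIN+3", "SIGRTMIN+3", str(RTMIN3)}
TAKES_VALUE = ("-v", "--volume", "--stop-signal")

def audit_run(cmdline, systemd_pid1=True):
    """Return findings for one already shell-expanded `docker run` line."""
    args = shlex.split(cmdline)
    findings, stop_signal, i = [], None, 0
    while i < len(args):
        # Options appear as "--opt=value" or as "--opt value".
        name, _, value = args[i].partition("=")
        if name in TAKES_VALUE and not value and i + 1 < len(args):
            i += 1
            value = args[i]
        if name == "--privileged":
            findings.append("--privileged: all capabilities and host devices")
        elif name == "--stop-signal":
            stop_signal = value
        elif name in ("-v", "--volume"):
            parts = value.split(":")
            # A host path followed by a container path is a bind mount.
            if len(parts) >= 2 and parts[0].startswith("/"):
                mode = parts[2] if len(parts) > 2 else "rw"
                if "ro" not in mode.split(","):
                    findings.append("writable host bind mount: " + parts[0])
        i += 1
    # systemd as PID 1 shuts down on SIGRTMIN+3, not on Docker's default SIGTERM.
    if systemd_pid1 and stop_signal not in SYSTEMD_STOP:
        findings.append("stop signal %s is not SIGRTMIN+3"
                        % (stop_signal or "SIGTERM (default)"))
    return findings

# Constructed sample: the step 5 command after the shell expanded $(kill -l RTMIN+3).
STEP5 = ("docker run --privileged --stop-signal=37 -ti "
         "-v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /run:/tmp -p 80:80 -p 4022:22 "
         "--name usable-centos-systemd-container -h localhost "
         "usable-centos-systemd-image")

if __name__ == "__main__":
    for finding in audit_run(STEP5):
        print(finding)
```

For the step 5 command it reports the `--privileged` flag and the writable `/run` bind mount, while the read-only cgroup mount and the stop signal pass.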

I’m not really sure why you’re going through so much trouble to run httpd with systemd, perhaps more of an explanation of why

docker run -d -p 80:80 httpd

is insufficient for your needs? You seem to have gone through a lot of trouble to bypass many of the protections Docker provides and replace the design of the single foreground daemon process that’s expected with Docker containers.

No, that was not sufficient (although one would expect it to be, which is why it is so frustrating an issue) even for a single daemon process (which is an unrealistic expectation anyway IMO if you’re dealing with real applications; you can’t redesign enterprise apps at the drop of a hat, so sometimes you have to live with a less than optimum situation, but that’s for another discussion.)

Running RHEL7 and having systemd run http would still not work with that simple command line – well, it would ‘sort of work’, but only if your definition of ‘working’ was freezing anytime you tried to stop or pause the container.

I also would not consider it ‘working’ if updating systemd (say for security updates) broke the image.

1 Like