diff --git a/nodeup/pkg/model/docker.go b/nodeup/pkg/model/docker.go index 1aeab2dcfa5d2..1d2029ec579c4 100644 --- a/nodeup/pkg/model/docker.go +++ b/nodeup/pkg/model/docker.go @@ -504,6 +504,8 @@ func (b *DockerBuilder) buildDockerGroup() *nodetasks.GroupTask { // buildSystemdSocket creates docker.socket, for when we're not installing from a package func (b *DockerBuilder) buildSystemdSocket() *nodetasks.Service { + // Based on https://github.com/docker/docker-ce-packaging/blob/master/systemd/docker.socket + manifest := &systemd.Manifest{} manifest.Set("Unit", "Description", "Docker Socket for the API") manifest.Set("Unit", "PartOf", "docker.service") @@ -529,38 +531,53 @@ func (b *DockerBuilder) buildSystemdSocket() *nodetasks.Service { } func (b *DockerBuilder) buildSystemdService(dockerVersionMajor int, dockerVersionMinor int) *nodetasks.Service { + // Based on https://github.com/docker/docker-ce-packaging/blob/master/systemd/docker.service + manifest := &systemd.Manifest{} manifest.Set("Unit", "Description", "Docker Application Container Engine") manifest.Set("Unit", "Documentation", "https://docs.docker.com") - - manifest.Set("Unit", "After", "network.target docker.socket") + manifest.Set("Unit", "After", "network-online.target firewalld.service") + manifest.Set("Unit", "Wants", "network-online.target") manifest.Set("Unit", "Requires", "docker.socket") - manifest.Set("Service", "Type", "notify") manifest.Set("Service", "EnvironmentFile", "/etc/sysconfig/docker") manifest.Set("Service", "EnvironmentFile", "/etc/environment") + // the default is not to use systemd for cgroups because the delegate issues still + // exists and systemd currently does not support the cgroup feature set required + // for containers run by docker + manifest.Set("Service", "Type", "notify") manifest.Set("Service", "ExecStart", "/usr/bin/dockerd -H fd:// \"$DOCKER_OPTS\"") - manifest.Set("Service", "ExecReload", "/bin/kill -s HUP $MAINPID") - // kill only the docker process, not all processes in the cgroup - manifest.Set("Service", "KillMode", "process") + manifest.Set("Service", "TimeoutSec", "0") + manifest.Set("Service", "RestartSec", "2s") + manifest.Set("Service", "Restart", "always") + + // Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229. + // Both the old, and new location are accepted by systemd 229 and up, so using the old location + // to make them work for either version of systemd. + manifest.Set("Service", "StartLimitBurst", "3") - manifest.Set("Service", "TimeoutStartSec", "0") + // Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230. + // Both the old, and new name are accepted by systemd 230 and up, so using the old name to make + // this option work for either version of systemd. + manifest.Set("Service", "StartLimitInterval", "60s") + // Having non-zero Limit*s causes performance problems due to accounting overhead + // in the kernel. We recommend using cgroups to do container-local accounting. manifest.Set("Service", "LimitNOFILE", "infinity") manifest.Set("Service", "LimitNPROC", "infinity") manifest.Set("Service", "LimitCORE", "infinity") + // Only systemd 226 and above support this option. manifest.Set("Service", "TasksMax", "infinity") - manifest.Set("Service", "Restart", "always") - manifest.Set("Service", "RestartSec", "2s") - manifest.Set("Service", "StartLimitInterval", "0") - // set delegate yes so that systemd does not reset the cgroups of docker containers manifest.Set("Service", "Delegate", "yes") + // kill only the docker process, not all processes in the cgroup + manifest.Set("Service", "KillMode", "process") + manifest.Set("Install", "WantedBy", "multi-user.target") manifestString := manifest.Render() diff --git a/nodeup/pkg/model/tests/dockerbuilder/docker_18.06.3/tasks.yaml b/nodeup/pkg/model/tests/dockerbuilder/docker_18.06.3/tasks.yaml index bffadb09f70af..859e8401f8524 100644 --- a/nodeup/pkg/model/tests/dockerbuilder/docker_18.06.3/tasks.yaml +++ b/nodeup/pkg/model/tests/dockerbuilder/docker_18.06.3/tasks.yaml @@ -313,25 +313,27 @@ definition: | [Unit] Description=Docker Application Container Engine Documentation=https://docs.docker.com - After=network.target docker.socket + After=network-online.target firewalld.service + Wants=network-online.target Requires=docker.socket [Service] - Type=notify EnvironmentFile=/etc/sysconfig/docker EnvironmentFile=/etc/environment + Type=notify ExecStart=/usr/bin/dockerd -H fd:// "$DOCKER_OPTS" ExecReload=/bin/kill -s HUP $MAINPID - KillMode=process - TimeoutStartSec=0 + TimeoutSec=0 + RestartSec=2s + Restart=always + StartLimitBurst=3 + StartLimitInterval=60s LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity - Restart=always - RestartSec=2s - StartLimitInterval=0 Delegate=yes + KillMode=process [Install] WantedBy=multi-user.target diff --git a/nodeup/pkg/model/tests/dockerbuilder/healthcheck/tasks.yaml b/nodeup/pkg/model/tests/dockerbuilder/healthcheck/tasks.yaml index 823ec0fc0e7e7..c8517c5c823ca 100644 --- a/nodeup/pkg/model/tests/dockerbuilder/healthcheck/tasks.yaml +++ b/nodeup/pkg/model/tests/dockerbuilder/healthcheck/tasks.yaml @@ -316,24 +316,27 @@ definition: | [Unit] Description=Docker Application Container Engine Documentation=https://docs.docker.com - After=network.target docker.socket + After=network-online.target firewalld.service + Wants=network-online.target Requires=docker.socket [Service] - Type=notify EnvironmentFile=/etc/sysconfig/docker EnvironmentFile=/etc/environment + Type=notify ExecStart=/usr/bin/dockerd -H fd:// "$DOCKER_OPTS" ExecReload=/bin/kill -s HUP $MAINPID - KillMode=process - TimeoutStartSec=0 + TimeoutSec=0 + RestartSec=2s + Restart=always + StartLimitBurst=3 + StartLimitInterval=60s LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity - Restart=always - RestartSec=2s - StartLimitInterval=0 + TasksMax=infinity Delegate=yes + KillMode=process [Install] WantedBy=multi-user.target diff --git a/nodeup/pkg/model/tests/dockerbuilder/logflags/tasks.yaml b/nodeup/pkg/model/tests/dockerbuilder/logflags/tasks.yaml index 413b4e4c0bd04..c8517c5c823ca 100644 --- a/nodeup/pkg/model/tests/dockerbuilder/logflags/tasks.yaml +++ b/nodeup/pkg/model/tests/dockerbuilder/logflags/tasks.yaml @@ -316,25 +316,27 @@ definition: | [Unit] Description=Docker Application Container Engine Documentation=https://docs.docker.com - After=network.target docker.socket + After=network-online.target firewalld.service + Wants=network-online.target Requires=docker.socket [Service] - Type=notify EnvironmentFile=/etc/sysconfig/docker EnvironmentFile=/etc/environment + Type=notify ExecStart=/usr/bin/dockerd -H fd:// "$DOCKER_OPTS" ExecReload=/bin/kill -s HUP $MAINPID - KillMode=process - TimeoutStartSec=0 + TimeoutSec=0 + RestartSec=2s + Restart=always + StartLimitBurst=3 + StartLimitInterval=60s LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity - Restart=always - RestartSec=2s - StartLimitInterval=0 Delegate=yes + KillMode=process [Install] WantedBy=multi-user.target diff --git a/nodeup/pkg/model/tests/dockerbuilder/simple/tasks.yaml b/nodeup/pkg/model/tests/dockerbuilder/simple/tasks.yaml index 413b4e4c0bd04..c8517c5c823ca 100644 --- a/nodeup/pkg/model/tests/dockerbuilder/simple/tasks.yaml +++ b/nodeup/pkg/model/tests/dockerbuilder/simple/tasks.yaml @@ -316,25 +316,27 @@ definition: | [Unit] Description=Docker Application Container Engine Documentation=https://docs.docker.com - After=network.target docker.socket + After=network-online.target firewalld.service + Wants=network-online.target Requires=docker.socket [Service] - Type=notify EnvironmentFile=/etc/sysconfig/docker EnvironmentFile=/etc/environment + Type=notify ExecStart=/usr/bin/dockerd -H fd:// "$DOCKER_OPTS" ExecReload=/bin/kill -s HUP $MAINPID - KillMode=process - TimeoutStartSec=0 + TimeoutSec=0 + RestartSec=2s + Restart=always + StartLimitBurst=3 + StartLimitInterval=60s LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity - Restart=always - RestartSec=2s - StartLimitInterval=0 Delegate=yes + KillMode=process [Install] WantedBy=multi-user.target