Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Docker uses containerd to manage containers but fails to set up the proper dependencies in the systemd service.
https://bugs.debian.org/989490

[ Impact ]
On system shutdown Docker often is unable to properly shut down containers and just hangs. This delays shutdown until it reaches the timeout (by default 90s).

[ Tests ]
I have been running these changes on a few hosts for a month and haven't had any problems regarding start/shutdown since.

[ Risks ]
The changes only touch the systemd service and have been backported from current upstream.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Order docker.service after containerd.service
* Explicitly pass the containerd socket path to dockerd to make sure it doesn't start containerd on its own.
diff -Nru docker.io-20.10.5+dfsg1/debian/changelog docker.io-20.10.5+dfsg1/debian/changelog --- docker.io-20.10.5+dfsg1/debian/changelog 2021-12-04 11:53:03.000000000 +0100 +++ docker.io-20.10.5+dfsg1/debian/changelog 2022-05-30 20:34:49.000000000 +0200 @@ -1,3 +1,12 @@ +docker.io (20.10.5+dfsg1-1+deb11u2) bullseye; urgency=medium + + * Order docker.service after containerd.service to fix shutdown of + containers (Closes: #989490) + * Explicitly pass the containerd socket path to dockerd to make sure it + doesn't start containerd on its own. + + -- Felix Geyer <fge...@debian.org> Mon, 30 May 2022 20:34:49 +0200 + docker.io (20.10.5+dfsg1-1+deb11u1) bullseye; urgency=medium * Backport patches for CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 diff -Nru docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch --- docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch 1970-01-01 01:00:00.000000000 +0100 +++ docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch 2022-05-30 20:09:40.000000000 +0200 
@@ -0,0 +1,28 @@ +Description: Order docker.service after containerd.service + Fixes proper shutdown of containers. +Origin: upstream, cherry-picked parts of https://github.com/moby/moby/pull/42373 + and https://github.com/moby/moby/pull/42622 +Bug-Debian: https://bugs.debian.org/989490 + +--- docker.io-20.10.11+dfsg1.orig/engine/contrib/init/systemd/docker.service ++++ docker.io-20.10.11+dfsg1/engine/contrib/init/systemd/docker.service +@@ -1,8 +1,8 @@ + [Unit] + Description=Docker Application Container Engine + Documentation=https://docs.docker.com +-After=network-online.target docker.socket firewalld.service +-Wants=network-online.target ++After=network-online.target docker.socket firewalld.service containerd.service ++Wants=network-online.target containerd.service + Requires=docker.socket + + [Service] +@@ -11,7 +11,7 @@ Type=notify + # exists and systemd currently does not support the cgroup feature set required + # for containers run by docker + EnvironmentFile=-/etc/default/docker +-ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS ++ExecStart=/usr/sbin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $DOCKER_OPTS + ExecReload=/bin/kill -s HUP $MAINPID + LimitNOFILE=1048576 + # Having non-zero Limit*s causes performance problems due to accounting overhead diff -Nru docker.io-20.10.5+dfsg1/debian/patches/series docker.io-20.10.5+dfsg1/debian/patches/series --- docker.io-20.10.5+dfsg1/debian/patches/series 2021-12-04 11:53:03.000000000 +0100 +++ docker.io-20.10.5+dfsg1/debian/patches/series 2022-05-30 20:10:09.000000000 +0200 @@ -11,6 +11,7 @@ cli-dont-duplicate-authconfig.patch engine-add-go.mod-file.patch +engine-systemd-service-after-containerd.patch libnetwork-add-go.mod-file.patch libnetwork_proto.patch
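Review bot: the second changelog bullet (`Explicitly pass the containerd socket path to dockerd`) should spell out the operational consequence for administrators: once dockerd no longer starts its own containerd, the containerd.service unit has to be installed and enabled, and since this debdiff touches no debian/control the entry silently relies on the package's existing dependency on containerd. Suggest extending the bullet with something like "containerd.service must now be enabled; dockerd no longer spawns a private containerd", so the change is visible in apt-listchanges output.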
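Review bot: hard-coding `--containerd=/run/containerd/containerd.sock` in the new `ExecStart=` line will break hosts that already configure the socket through the `containerd` key in /etc/docker/daemon.json, because dockerd refuses to start when the same option is given both as a command-line flag and in the configuration file; that is a regression on a stable update and deserves at least a changelog mention, or a NEWS entry telling such admins to drop the duplicate key. Two smaller points in the same hunk: the embedded headers `--- docker.io-20.10.11+dfsg1.orig/...` and `+++ docker.io-20.10.11+dfsg1/...` name a 20.10.11 tree although the package being patched is 20.10.5+dfsg1 (harmless with -p1, but worth regenerating against the right source so the DEP-3 patch is self-consistent), and `Wants=containerd.service` rather than `Requires=` means docker.service will still be started when containerd.service fails, at which point dockerd will just sit waiting for a socket that never appears; that matches upstream, but the behaviour should be understood when reading shutdown/start logs on affected hosts.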
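A check an administrator can run after installing this update, added here as an example that is not part of the bug report or of the docker.io package: it verifies that a docker.service definition carries both changes from the debdiff. It assumes the input is either the unit file itself or the output of `systemctl show -p After,ExecStart docker.service`, which also reflects any drop-ins; the two sample units below are constructed from the hunk above.

```shell
#!/bin/sh
# Added example, not part of the bug report or the docker.io package.
# Both helpers take a file holding either a unit file or `systemctl show`
# output; both forms carry an After= line and an ExecStart= line.

docker_after_containerd() {
    # After= may appear more than once; accept containerd.service in any of them.
    grep -E '^After=' "$1" | grep -Eq '(^|[[:space:]=])containerd\.service([[:space:]]|$)'
}

dockerd_has_containerd_socket() {
    # The socket path is the one the debdiff hard-codes into ExecStart=.
    grep -E '^ExecStart=' "$1" | grep -Eq -- '--containerd=/run/containerd/containerd\.sock'
}

check_docker_unit() {
    rc=0
    docker_after_containerd "$1" || { echo "$1: After= does not list containerd.service" >&2; rc=1; }
    dockerd_has_containerd_socket "$1" || { echo "$1: ExecStart= does not pass --containerd=" >&2; rc=1; }
    return $rc
}

# Constructed samples: the bullseye unit before and after the debdiff.
tmp=$(mktemp -d)
cat > "$tmp/old.service" <<'EOF'
[Unit]
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
[Service]
ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS
EOF
cat > "$tmp/new.service" <<'EOF'
[Unit]
After=network-online.target docker.socket firewalld.service containerd.service
Wants=network-online.target containerd.service
[Service]
ExecStart=/usr/sbin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $DOCKER_OPTS
EOF

# On a live host: systemctl show -p After,ExecStart docker.service > "$tmp/live" && check_docker_unit "$tmp/live"
check_docker_unit "$tmp/new.service" && echo "new unit: ok"
check_docker_unit "$tmp/old.service" || echo "old unit: missing both changes"
```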