Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Docker uses containerd to manage containers but fails to set up the proper
dependencies in the systemd service.
https://bugs.debian.org/989490

[ Impact ]
On system shutdown Docker often is unable to properly shut down containers
and just hangs. This delays shutdown until it reaches the timeout
(by default 90s).

[ Tests ]
I have been running these changes on a few hosts for a month and haven't
had any problems regarding start/shutdown since.

[ Risks ]
The changes only touch the systemd service and have been backported from
current upstream.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Order docker.service after containerd.service
  * Explicitly pass the containerd socket path to dockerd to make sure it
    doesn't start containerd on its own.

diff -Nru docker.io-20.10.5+dfsg1/debian/changelog
docker.io-20.10.5+dfsg1/debian/changelog
--- docker.io-20.10.5+dfsg1/debian/changelog2021-12-04 11:53:03.0
+0100
+++ docker.io-20.10.5+dfsg1/debian/changelog2022-05-30 20:34:49.0
+0200
@@ -1,3 +1,12 @@
+docker.io (20.10.5+dfsg1-1+deb11u2) bullseye; urgency=medium
+
+ * Order docker.service after containerd.service to fix shutdown of
+containers (Closes: #989490)
+ * Explicitly pass the containerd socket path to dockerd to make sure it
+doesn't start containerd on its own.
+
+ -- Felix Geyer Mon, 30 May 2022 20:34:49 +0200
+
docker.io (20.10.5+dfsg1-1+deb11u1) bullseye; urgency=medium
* Backport patches for CVE-2021-41089 CVE-2021-41091 CVE-2021-41092
diff -Nru
docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch
docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch
---
docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch
1970-01-01 01:00:00.0 +0100
+++
docker.io-20.10.5+dfsg1/debian/patches/engine-systemd-service-after-containerd.patch
2022-05-30 20:09:40.0 +0200
@@ -0,0 +1,28 @@
+Description: Order docker.service after containerd.service
+ Fixes proper shutdown of containers.
+Origin: upstream, cherry-picked parts of
https://github.com/moby/moby/pull/42373
+ and https://github.com/moby/moby/pull/42622
+Bug-Debian: https://bugs.debian.org/989490
+
+--- docker.io-20.10.11+dfsg1.orig/engine/contrib/init/systemd/docker.service
docker.io-20.10.11+dfsg1/engine/contrib/init/systemd/docker.service
+@@ -1,8 +1,8 @@
+ [Unit]
+ Description=Docker Application Container Engine
+ Documentation=https://docs.docker.com
+-After=network-online.target docker.socket firewalld.service
+-Wants=network-online.target
++After=network-online.target docker.socket firewalld.service containerd.service
++Wants=network-online.target containerd.service
+ Requires=docker.socket
+
+ [Service]
+@@ -11,7 +11,7 @@ Type=notify
+ # exists and systemd currently does not support the cgroup feature set
required
+ # for containers run by docker
+ EnvironmentFile=-/etc/default/docker
+-ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS
++ExecStart=/usr/sbin/dockerd -H fd://
--containerd=/run/containerd/containerd.sock $DOCKER_OPTS
+ ExecReload=/bin/kill -s HUP $MAINPID
+ LimitNOFILE=1048576
+ # Having non-zero Limit*s causes performance problems due to accounting
overhead
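
Review bot: In the ExecStart line of the embedded patch, --containerd=/run/containerd/containerd.sock is hard-coded ahead of $DOCKER_OPTS, so a host whose /etc/default/docker already passes --containerd ends up with the option twice; for a stable update, confirm which value dockerd honours in that case and say so in the changelog. The Description field names only the ordering change, although the second inner hunk changes ExecStart as well, so add a line for it. The inner file headers also reference docker.io-20.10.11+dfsg1 while the package being patched is 20.10.5+dfsg1; refresh the patch against the bullseye source so it applies without offsets.
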
diff -Nru docker.io-20.10.5+dfsg1/debian/patches/series
docker.io-20.10.5+dfsg1/debian/patches/series
--- docker.io-20.10.5+dfsg1/debian/patches/series 2021-12-04
11:53:03.0 +0100
+++ docker.io-20.10.5+dfsg1/debian/patches/series 2022-05-30
20:10:09.0 +0200
@@ -11,6 +11,7 @@
cli-dont-duplicate-authconfig.patch
engine-add-go.mod-file.patch
+engine-systemd-service-after-containerd.patch
libnetwork-add-go.mod-file.patch
libnetwork_proto.patch