Develop Reference

docker swarm container memory limit does not work

I'm experimenting with forcing a container to use more memory than it's allowed but I can't get it to work. The container is part of a stack defined with docker compose and it's deployed to docker in swarm mode.
Docker is allowing the container to go way above the 50M limit I've set. I was expecting docker to kill the container, throw an error, etc.
Can anyone help me on why Docker does not enforce the memory limit here?
The container in docker-compose.yml is defined to have a memory limit of 50M, and then I have setup a very simple PHP test which will try to allocate 200M. I've defined PHP mem limit to 128M.
This is my docker-compose.yml
version: "3"
services:
nginx:
image: nginx:latest
restart: unless-stopped
volumes:
- ./deploy/nginx/nginx.conf:/etc/nginx/nginx.conf
- ./public:/usr/share/nginx/html
ports:
- "8180:80"
links:
- app
app:
image: 127.0.0.1:5000/wpdemo
build:
context: .
dockerfile: Dockerfile-app
restart: unless-stopped
volumes:
- .:/var/www/html
links:
- mysql
deploy:
resources:
limits:
cpus: '0.50'
memory: 50M
reservations:
cpus: '0.25'
memory: 20M
mysql:
image: mysql:5.7
restart: unless-stopped
ports:
- "13306:3306"
environment:
MYSQL_ALLOW_EMPTY_PASSWORD: 'yes'
volumes:
- ~/docker/volumes/mysql:/var/lib/mysql
Instead of docker killing the container, it allows it to take as much memory as it wants and PHP eventually stops the process throwing the error below:
"PHP message: PHP Fatal error: Allowed memory size of 125829120 bytes exhausted (tried to allocate 67108872 bytes) in /var/www/html/public/index.php on line 4"
I'm using Ubuntu 18.04.
uname -a
Linux 4.18.10-041810-generic #201809260332 SMP Wed Sep 26 07:34:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Docker version 18.06.1-ce, build e68fc7a
docker-compose version 1.17.1, build unknown docker-py version: 2.5.1
CPython version: 2.7.15rc1 OpenSSL version: OpenSSL 1.1.0g 2 Nov 2017
This is the output of "docker stats" on the app container:
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
679c8495ac1d stackdemo_app.1.hr3ufwlskhdafre39aqrshxyu 0.00% 43.81MiB / 50MiB 87.62% 106kB / 389kB 2.05GB / 10.6GB 5
This is the output of "docker info":
Containers: 36
Running: 5
Paused: 0
Stopped: 31
Images: 450
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
NodeID: wnegv5lp41wfs3epfrua489or
Is Manager: true
ClusterID: hq7o176yffjglxzb9pu3fiomr
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 10
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 192.168.1.120
Manager Addresses:
192.168.1.120:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.18.10-041810-generic
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.49GiB
Name: rafxps15
ID: QEX7:FEB3:J76L:DCAQ:SO4S:SWVE:4XPI:PI6R:YM4C:MV4I:C3PM:FLOQ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support

As you said in comment, swap is enabled on host but swap limit in cgroups does not supported yet.
According to this enabling swap limit support. Note that reboot of system is essential.
At last, —-memory-swap flag should be set. If you want to prevent your PHP app accessing swap, you should set it with the same value of —-memory. More details about memory swap settings.

"cAdvisor" is not allowing other containers to be removed

I have installed "cAdvisor" to monitor my containers on the host, now whenever I try to stop and remove any other containers, cAdvisor is not allowing to remove the other containers.
`# docker ps -a | grep -i api
790ddf58f54a container/container-abc "/bin/sh -c 'sh -c..." 42 hours ago Dead`
`# docker rm 790ddf58f54a
Error response from daemon: Unable to remove filesystem for
790ddf58f54acf041b3e33bc040ea035d43be92315c7d970f411ad56a855e627: remove /var/lib/docker/containers/790ddf58f54acf041b3e33bc040ea035d43be92315c7d970f411ad56a855e627/shm: device or resource busy`
`# docker rm 790ddf58f54a
Error response from daemon: Unable to remove filesystem for
790ddf58f54acf041b3e33bc040ea035d43be92315c7d970f411ad56a855e627: remove` `/var/lib/docker/containers/790ddf58f54acf041b3e33bc040ea035d43be92315c7d970f411ad56a855e627/shm: device or resource busy`
When I stop the cAdvisor, it allows me to remove the containers.
`# docker ps | grep -i cadvisor
b54e4acb3f36 google/cadvisor "/usr/bin/cadvisor..." 21 hours ago Up 21 hours 0.0.0.0:9911->8080/tcp cadvisor`
`# docker stop b54e4acb3f36
b54e4acb3f36`
`# docker rm 790ddf58f54a
790ddf58f54a
I reffered to this github issue, but of no help https://github.com/moby/moby/issues/34198. Also searched further on this, is there any permanent fix for this issue.
1) container/container-abc is being generated using below command.
# docker run -d --restart=on-failure:5 --name=container-abc -p 15200:15200 -p 15201:15201 container-abc-image
2) I am using docker-compose for cadvisor, below is the docker compose content.
services:
cadvisor:
image: google/cadvisor
container_name: cadvisor
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
ports:
- 9911:8080
privileged: true
restart: always
3) Below is the docker info command.
# docker info
Containers: 38
Running: 24
Paused: 0
Stopped: 14
Images: 310
Server Version: 1.13.1
Storage Driver: overlay
Backing Filesystem: extfs
Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1
runc version: 9df8b306d01f59d3a8029be411de015b7304dd8f
init version: 949e6fa
Security Options:
apparmor
Kernel Version: 3.12.74-60.64.85-default
Operating System: SUSE Linux Enterprise Server 12 SP1
OSType: linux
Architecture: x86_64
CPUs: 32
Total Memory: 31.27 GiB
ID: BTZ2:KQZM:VGL5:DN7P:LKEB:JMDY:57N6:JUC2:LIBA:UZWA:EU3T:CHWP
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 171
Goroutines: 132
System Time: 2018-07-16T03:58:55.156080332-07:00
EventsListeners: 0
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
WARNING: No kernel memory limit support
Experimental: false
Insecure Registries:
172.24.227.60:8090
127.0.0.0/8
Live Restore Enabled: false
Thanks in advance.

Docker - Error response from daemon: invalid header field value "oci runtime error: rootfs

I am getting error while running the below docker command.
docker run -it -v /tmp:/tmp/host registry.docker.com/base/jdk1.8 rm -rf /tmp/host/mesos
Error :-
docker: Error response from daemon: invalid header field value "oci
runtime error: rootfs
(\"/tst/app/docker/devicemapper/mnt/140eb7aadfb7e1530a3fc5955f57ae154008be913cf920ba908cf064d5e586cc/rootfs\")
does not exist\n".
Docker version result :-
docker version
Client:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 1512168
Built: Wed Jan 11 09:49:56 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Go version: go1.6.4
Git commit: 1512168
Built: Wed Jan 11 09:49:56 2017
OS/Arch: linux/amd64
Docker Info Result :-
docker info
Containers: 90
Running: 0
Paused: 0
Stopped: 90
Images: 5
Server Version: 1.12.6
Storage Driver: devicemapper
Pool Name: docker-249:1-1838266-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: ext4
Data file: /dev/loop2
Metadata file: /dev/loop3
Data Space Used: 4.219 GB
Data Space Total: 107.4 GB
Data Space Available: 43.82 GB
Metadata Space Used: 8.79 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.139 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /tst/app/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /tst/app/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.117-RHEL6 (2016-12-13)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options:
Kernel Version: 4.1.12-103.10.1.el6uek.x86_64
Operating System: Oracle Linux Server 6.9
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.55 GiB
Name: host.com
ID: GL42:TV5D:F5NA:3RIU:JW3A:W62C:O4RF:DBIV:WBVZ:U2Q4:FGC7:XX3Q
Docker Root Dir: /tst/app/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Insecure Registries:
127.0.0.0/8

HTTP port exposed but not responding properly

Running Docker 1.9.1 on OpenSuse 42.1 (can't upgrade at this time but also the same problem on Docker 1.12).
I have a Docker images that exposes a web application on port 8080. I can ssh into the container and access the application correctly from inside the container on http://localhost:8080/.
I run the container using
docker run -p 10000:8080 ...
and I would expect the web application being accessible on either
http://localhost:10000 or http://public-ip:10000
The port is open but the connection is being closed immediately.
sudo netstat -nap|grep LISTEN|grep -v LISTENING|grep 1000
root's password:
tcp 0 0 :::10000 :::* LISTEN 17375/docker-proxy
I can telnet to port 10000 but as said the connection is being closed immediately
docker --version
Docker version 1.9.1, build a34a1d5
docker version
Client:
Version: 1.9.1
API version: 1.21
Go version: go1.4.2
Git commit: a34a1d5
Built:
OS/Arch: linux/amd64
Server:
Version: 1.9.1
API version: 1.21
Go version: go1.4.2
Git commit: a34a1d5
Built:
OS/Arch: linux/amd64
docker info (1.9)
Containers: 23
Running: 1
Paused: 0
Stopped: 22
Images: 198
Server Version: 1.12.6
Storage Driver: devicemapper
Pool Name: docker-8:2-1074640197-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 13.22 GB
Data Space Total: 107.4 GB
Data Space Available: 94.16 GB
Metadata Space Used: 20.58 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.127 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.136 (2016-11-05)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: null bridge host overlay
Swarm: inactive
Runtimes: oci runc
Default Runtime: oci
Security Options: seccomp
Kernel Version: 4.11.8-200.fc25.x86_64
Operating System: Fedora 25 (Server Edition)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 6
Total Memory: 29.45 GiB
Name: dev2.zopyx.com
ID: DE7T:KEX4:UCRB:KOED:2DHE:3437:MYDS:LPQT:BBYO:SOQH:2EZL:VTYR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Insecure Registries:
127.0.0.0/8
Registries: docker.io (secure)
docker info (1.12)
Containers: 23
Running: 1
Paused: 0
Stopped: 22
Images: 198
Server Version: 1.12.6
Storage Driver: devicemapper
Pool Name: docker-8:2-1074640197-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 13.22 GB
Data Space Total: 107.4 GB
Data Space Available: 94.16 GB
Metadata Space Used: 20.58 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.127 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.136 (2016-11-05)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host overlay null
Swarm: inactive
Runtimes: runc oci
Default Runtime: oci
Security Options: seccomp
Kernel Version: 4.11.8-200.fc25.x86_64
Operating System: Fedora 25 (Server Edition)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 6
Total Memory: 29.45 GiB
Name: dev2.zopyx.com
ID: DE7T:KEX4:UCRB:KOED:2DHE:3437:MYDS:LPQT:BBYO:SOQH:2EZL:VTYR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Insecure Registries:
127.0.0.0/8
Registries: docker.io (secure)
What could be the problem here?

Solution: the webservice internally was only binding to 127.0.0.1 instead to 0.0.0.0

Insecure Docker registry on Centos7 refuses to ingest images, even with flag 'insecure-registries'

I try to deploy an insecure Docker Registry on a CentOS7 server:
docker run -d -p 5000:5000 --restart=always --name registry registry:2
I configured docker like this:
# /etc/docker/daemon.json
{
"insecure-registries":["registry.mydomain.com:5000"]
}
With that, docker info gives me:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 2
Server Version: 1.12.4
Storage Driver: devicemapper
Pool Name: docker-253:2-650870-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 69.86 MB
Data Space Total: 107.4 GB
Data Space Available: 50.4 GB
Metadata Space Used: 708.6 kB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.147 GB
Thin Pool Minimum Free Space: 10.74 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.135-RHEL7 (2016-09-28)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: null host bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-327.36.3.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 489.1 MiB
Name: ASB-Registry
ID: KNQD:2AVN:EG5H:VV7U:US7G:SJ2D:G2FY:UAZK:N2NY:FQAA:CQJV:N2IS
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
registry.mydomain.com:5000
127.0.0.0/8
So:
Insecure Registries:
registry.mydomain.com:5000
127.0.0.0/8
Appears correctly.
However, when I try to push a container to that registry:
docker push registry.mydomain.com:5000/my_image
I get the following log:
The push refers to a repository [registry.mydomain.com:5000/my_image]
Get https://registry.mydomain.com:5000/v1/_ping: http: server gave HTTP response to HTTPS client
Any idea?