daemon: release sandbox even when NetworkDisabled

When the default bridge is disabled by setting dockerd's `--bridge=none` option, the daemon still creates a sandbox for containers with no network attachment specified. In that case `NetworkDisabled` will be set to true. However, currently the `releaseNetwork` call will early return if NetworkDisabled is true. Thus, these sandboxes won't be deleted until the daemon is restarted. If a high number of such containers are created, the daemon would then take few minutes to start. See https://github.com/moby/moby/issues/42461. Signed-off-by: payall4u <payall4u@qq.com> Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2021-06-15 18:46:43 +08:00 · 2021-06-15 18:46:43 +08:00 · 9664f33e0d
commit 9664f33e0d
parent adea457841
1 changed files with 8 additions and 1 deletions
--- a/daemon/container_operations.go
+++ b/daemon/container_operations.go
@ -967,10 +967,17 @@ func (daemon *Daemon) getNetworkedContainer(containerID, connectedContainerID st

 func (daemon *Daemon) releaseNetwork(container *container.Container) {
 	start := time.Now()
+	// If live-restore is enabled, the daemon cleans up dead containers when it starts up. In that case, the
+	// netController hasn't been initialized yet and so we can't proceed.
+	// TODO(aker): If we hit this case, the endpoint state won't be cleaned up (ie. no call to cleanOperationalData).
 	if daemon.netController == nil {
 		return
 	}
-	if container.HostConfig.NetworkMode.IsContainer() || container.Config.NetworkDisabled {
+	// If the container uses the network namespace of another container, it doesn't own it -- nothing to do here.
+	if container.HostConfig.NetworkMode.IsContainer() {
+		return
+	}
+	if container.NetworkSettings == nil {
 		return
 	}