From 9664f33e0db88feaa8d08cd6b5be6ef90afc508d Mon Sep 17 00:00:00 2001
From: payall4u
Date: Tue, 15 Jun 2021 18:46:43 +0800
Subject: [PATCH] daemon: release sandbox even when NetworkDisabled

When the default bridge is disabled by setting dockerd's `--bridge=none` option, the daemon still creates a sandbox for containers with no network attachment specified. In that case `NetworkDisabled` will be set to true. However, currently the `releaseNetwork` call will early return if NetworkDisabled is true. Thus, these sandboxes won't be deleted until the daemon is restarted. If a high number of such containers are created, the daemon would then take few minutes to start. See https://github.com/moby/moby/issues/42461.

Signed-off-by: payall4u
Signed-off-by: Albin Kerouanton
---
 daemon/container_operations.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/daemon/container_operations.go b/daemon/container_operations.go
index 3fd7d30626..652f347689 100644
--- a/daemon/container_operations.go
+++ b/daemon/container_operations.go
@@ -967,10 +967,17 @@ func (daemon *Daemon) getNetworkedContainer(containerID, connectedContainerID st
 func (daemon *Daemon) releaseNetwork(container *container.Container) {
 start := time.Now()
+ // If live-restore is enabled, the daemon cleans up dead containers when it starts up. In that case, the
+ // netController hasn't been initialized yet and so we can't proceed.
+ // TODO(aker): If we hit this case, the endpoint state won't be cleaned up (ie. no call to cleanOperationalData).
 if daemon.netController == nil {
 return
 }
- if container.HostConfig.NetworkMode.IsContainer() || container.Config.NetworkDisabled {
+ // If the container uses the network namespace of another container, it doesn't own it -- nothing to do here.
+ if container.HostConfig.NetworkMode.IsContainer() {
+ return
+ }
+ if container.NetworkSettings == nil {
 return
 }
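Review bot: The `daemon.netController == nil` branch still returns silently, so on the live-restore startup path described by the new TODO the endpoint state is skipped and nothing records which container was affected. Because the commit message ties accumulated sandboxes to multi-minute daemon starts, a log line naming the container ID on that branch would let operators spot leftover state until the TODO is resolved. The new `if container.NetworkSettings == nil` guard is also the only early return without a comment; something like `// No network settings were allocated for this container, so there is no sandbox to release.` would match the other two, if that is the intent. The diffstat shows only this file changed, so a regression test that stops a container started under `--bridge=none` and checks its sandbox is gone would be worth adding. The rest of releaseNetwork lies outside the hunk, so how it handles a network-disabled container could not be checked here.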