[Proposal] Handle "docker run --rm" inside the daemon instead of the client

[codablock]

The problem

Currently, docker handles the "--rm" on the client side, which means that the client will do the appropriate API calls to the daemon when it exits to remove the image on exit. This works great when you work locally in a simple setup, but may result in "garbage" containers existing forever under some circumstances. This may for example happen when:

• You connect through the TCP endpoints, either directly or through a tunnel, and loose the connection. (see ssh: docker run --rm #16546 for example)
• Your docker client crashes
• Your docker client gets killed for whatever reason

The problem in our environment (CI)

Especially the last point hits me hard at the moment. We currently implement CI builds based on docker. The CI system calls a simple shell script, which builds the "builder" image and then runs it. The "builder" container is meant to be temporary and should vanish in case the build is finished or forcefully stopped (e.g. from the CI systems UI). We tried to use "run --rm" to accomplish this, which works fine when the build exits by itself. In case we externally stop the build, the CI system simply kills the script, which results in the "docker run --rm" process to die as well, but leaves the container running until it exits by itself. This leaves us with 2 problems:

• The container is still running. This is already bad, but will get even worse in case one of our builds gets stuck, resulting in the container to run forever.
• The container won't be deleted on completion.

We also want to spawn temporary containers (e.g. databases for testing) on the host docker daemon from inside the "builder" container, which makes the problem even worse, as all these containers would live forever.

Proposal/Feature request

When using "docker run", it should be possible to instruct the docker daemon what to do in case it looses the connection to the docker client. For example, we should be able to instruct the daemon to stop or kill and optionally rm the container on connection loss. This could for example look like:

docker run -ti --on-connection-loss=stop,rm myimage mycommand

I don't know much about the daemon internals or the API, so I can not really say how to implement it in a good way. One thing that I could imagine is an API call that says "do action X with name Y after Z seconds", where future calls to the same API with the same name Y would overwrite the old action and timeout Z. This would be comparable to TTL in services like etcd. The client could then do the following for the above "docker run" example:

• Create and start the container as usual
• After start, do an API call that says "stop and rm container after 30 seconds"
• Wait 15 seconds and do the API call again. Repeat forever, until exit.

"docker rm" supports the -v flag to also delete the container volumes. I would expect that the proposed feature would also support something like "rm -v".

[fentas]

Thanks for writing down the proposal! Defiantly want to see that this becomes reality. 👍

[aidanhs]

#6003 #10545

[thaJeztah]

/cc @estesp @duglin who did some investigation into this (iirc)

[duglin]

if I'm remembering correctly, I don't think the issue is whether or not the daemon can be told that the container should go away when its done, rather I think the issue was more around how the daemon persists that information. For example, take an extreme case where the daemon itself dies while the container is running, and the client is still connected. When the daemon restarts it should remove that container.

I'm not really sure why we don't just add a flag to the container's metadata to indicate that it should be deleted when stopped, other than there may be some concern about modifying that config file to add a new field. Then we can check it as each container stops, and upon daemon startup we can check each container for potential cleanup. I don't think this is that different from a 'restart' policy field.

[jonathanperret]

@duglin, the parallel with the restart policy is very interesting! You could view the current restart policy setting as a subset of a hypothetical "exit policy" setting, and just add one (or two) cases:

Restart policy	Exit policy	Action on container exit
never	do-nothing	do nothing
on-failure	restart-if-failed	if clean exit, do nothing, else restart container
always	restart	restart container
n/a	remove	remove container
n/a	remove-with-volumes	remove container and volumes

Just a thought.

[codablock]

@duglin @jonathanperret This would only fix the issues when the container exits by itself or the daemon dies. Containers would still continue running in case connection is lost or the client dies. This is not so bad if you run the container by yourself, as you may be aware that you just left some "garbage" containers running and can kill them by yourself. It gets problematic in case you are in some form of automated environment, e.g. in a CI system or comparable that automatically runs containers.

Edit: Maybe a combination of the proposed API and the new exit strategy would work. A simple "exit after 30 seconds" API, where future calls override the old call and timer, would be enough in combination with the "remove on exit" strategy.

[jonathanperret]

@ablock84 You're correct that an "exit policy" does not handle the use case of a disconnecting client. I guess I see that as somewhat orthogonal, though both would be useful on a CI server.

I'm not sure about an "exit after 30 seconds" API; it seems to me, this would still require a client to sit around to keep the container running, even in cases where you'd just like to fire a process and have it be killed after a set amount of time if it hasn't exited by then. One way to see that is as a new kind of resource limitation: wall clock time?

For the (perhaps more common) case of a client disconnecting, SIGHUP comes to mind. Perhaps sending SIGHUP to the container upon client disconnection would be a good start (if not already done)? Though you'd want to kill it anyway after a grace period…

[duglin]

I view the disconnected client as a different case as well. The description of the --rm flag says Automatically remove the container when it exits - which to me is more about what action to take based on the container's state, and not about any CLI's connection to it. Which is why the use of the -d flag on docker run wouldn't change how --rm would work.

I'd prefer for the disconnected client case to be a new flag (if we wanted to support it at all). This flag could control whether or not the container is stopped upon CLI disconnect. Having its own flag gives it a clear scope and doesn't get confused with some other flag/semantics. You could then combine this new flag with the --rm flag to control not just whether the container stops but then also control whether it is deleted.

[AkihiroSuda]

Any progress on this?

If not, I would like to suggest adding Attachers to /containers/(id)/json as the following.
#20171 (comment)

Proposal

Proposal: add Attachers to /containers/(id)/json for detection of "garbage" containers

Example

Terminal 1:

$ docker run -it --rm ubuntu
root@foobar:/# 

Terminal 2:

$ docker inspect foobar | jq .[0].State.Attachers
['127.0.0.1:4242']
$ kill -9 $TERMINAL1_DOCKER_CLIENT
$ docker inspect foobar | jq .[0].State.Attachers
[]

If .[0].State.Attachers is empty even when .[0].Config.AttachStdout is true, you can find that the container is now "garbage".

Maybe returning the number of the attachers is enough rather than returning all the ip:port list.

Pros and Cons

Pro:

• Easy to implement
• Can keep the current API semantic
• User can control how to handle "garbage" containers.

Con:

• User has to write a script for handling "garbage" containers.

Implementation Issue (not specific to my proposal, also affects others' proposals)

For Go >= 1.6, I think we can use the new-designed http.CloseNotifier that supports http.Hijacker used in daemon/attach.go.
But I'm not sure how we can easily detect closes for Go < 1.6, because http.Hijacker.Hijack() fails with an error http: Hijack is incompatible with use of CloseNotifier.
I suggest using the null value as Attachers for Go < 1.6.

https://github.com/docker/docker/blob/da58ee42bb1d4e17c5b525d161f29ad8efc0569e/daemon/attach.go#L41
golang/go@99fb191

---

If I can receive positive reactions to my proposal (or even others' proposal; I don't stick to my proposal), I can work on it.

[cancan101]

Is there anyway to incorporate either a time based gc mechanism into the daemon or better yet a hook that fires when the attachers list changes to run gc procedures?