Docker daemon is leaking file descriptors (with reproduction)

[tzickel]

Description

Not sure this is related, but I have in production after a few days / weeks that dockerd starts leaking tons of file descriptors of dead connections that it simply stops responding at all (not even to SIGUSR1).

While trying to understand how this can happen (since when it happens I can't do anything but kill it), I tried to figure out how you get a dead connection, and have found some conclusions on how to get dockerd to leak such file descriptors, although I'm not sure that what I'm about to say is the issue that is happening in production.

How do those leaked file descriptors look ? I run the command on linux:
ss | grep docker.sock
and I see tons of entries that most look like this:
u_str ESTAB 0 0 /var/run/docker.sock 272245 * 0
u_str ESTAB 0 0 /var/run/docker.sock 279780 * 0
u_str ESTAB 0 0 /var/run/docker.sock 279118 * 0
u_str ESTAB 0 0 /var/run/docker.sock 272201 * 0
u_str ESTAB 0 0 /var/run/docker.sock 272217 * 0

You can see this are dead connections because the peer info (the * 0 in the end) points to nothing which means the other side closed the unix domain socket, but the docker daemon did not.

also this sockets take up file descriptors (as expected):
ls -l /proc/$(pidof dockerd)/fd
...
lrwx------ 1 root root 64 may 31 08:37 33 -> socket:[272217]
...

an alive connection looks like this (there is peer info):
u_str ESTAB 0 0 /var/run/docker.sock 280489 * 279381

I'm going now to show you a convoluted way to cause this resource leak, but remember that still dockerd shouldn't leak resources and that in the end there might be similar code that really needs to do something like this...

This also seems to happen on variety of docker versions from old to new.

Steps to reproduce the issue:

1. docker create -it --rm python:2.7 python -c "while True: print 1;"
   <container id>
2. docker start <container id>
   <container id>
3. python2

import socket
s = socket.socket(socket.AF_UNIX)
s.connect('/var/run/docker.sock')
s.send('POST /v1.24/containers/<container id>/attach?logs=1&stream=0&stdout=1 HTTP/1.1\r\nHost: localhost\r\n\r\n')
s.recv(1024)
s.close()

You can also try changing the logs=1&stream=0 with logs=0&stream=1
Also don't think the v1.24 is of particulate importance.
Also you can kill the python instead of s.close() (sometimes it acts differently)

4. ss | grep docker.sock
   u_str ESTAB 0 0 /var/run/docker.sock 280489 * 0

Describe the results you received:

There is a dead unclosed unix domain socket on the docker daemon side.

Describe the results you expected:

The docker daemon should figure the socket has been closed on the other side, and close it's side as well.

Versions

Tried on multiple versions, now both client and server: 17.12.1-ce and on ubuntu 16.04.4 with kernel 4.13.0-36-generic with default settings.

[cpuguy83]

Confirmed there are a few leaks per attach (depending on what's attached).

[cpuguy83]

#37184 should fix this.

[tzickel]

Isn't the problem more deeply rooted ? let's change my example code to:
docker create -it --rm python:2.7 python -c "while True: pass"
Where no output it sent to neither stdout nor stderr. In this case wouldn't:
https://github.com/cpuguy83/docker/blob/0f5147701775a6c5d4980a7b7c0ed2e830688034/container/stream/attach.go#L111
Block because nothing is written to the streampipe, and thus that code is blocked while stream is already dead ?

[cpuguy83]

The pipes are still closed and thus unblock the copy call.
Note I tested this just as you have here and at least there are no goroutines left behind.

You can see the goroutine count if you run dockerd with debug mode, and then check docker info.

[tzickel]

I do not understand why is streamPipe (which is the stdout/stderr of the container) closed. I would think that this line would block (called from pools.Copy line) because the container stdout/stderr still exists (although nobody writes to it):
https://github.com/golang/go/blob/15ac56fd60a28879fd65f6d761cc30c4c57ec0f1/src/io/io.go#L402
Pretty sure this is what I saw on the current code base where if I listen to stderr, but nothing is written to it, this line never happens until I kill the container:

moby/container/stream/attach.go

Line 131 in 71cd53e

logrus.Debugf("attach: %s: end", name)

(and only after i kill the container, that line shows and the leak stops, and the only think blocking before this line is the pools.Copy).
I am talking about the case where I do not attach to stdin, just to stdout/err which are not written to from the container.

[cpuguy83]

In this case, it's because the stdin stream from the client is closed.
However you are correct that when stdin is not attached there is a leak still.

[tzickel]

So I guess before calling pools.Copy there should be some kind of select on both pipes to see if one has data and if the other has been closed and only then decide if to quit or actually Copy

[cpuguy83]

I was thinking of handling this by passing down the context from the API and making sure the context is cancelled when the client disconnects.

[cpuguy83]

Oh that doesn't work because of the hijacked connection.

[cpuguy83]

I started messing around with a fix for this, but am taking some time off after today.

Idea is to use epoll on the client FD and cancel the attach context when we get a close event from epoll.
It's not really working yet as it's getting the close event immediately for some reason. I only have a little experience with epoll.... if someone wants to take a look in the meantime:

https://github.com/moby/moby/compare/master...cpuguy83:attach_leak_no_data?expand=1