Decouple removing the fileWatcher from reading

[tombooth]

Fixes #27779

Description

When a container exits the state change will bubble up through libcontainerd into the daemon causing the container to be reset. As part of this it will close the LogDriver associated with the container and the driver will close all of its children. We have observed a race condition between closing a reader and receiving the final data from the log.

followLogs will receive a IN_MODIFY event while it is trying to close the fileWatcher. This causes a deadlock as https://github.com/docker/docker/blob/master/vendor/src/gopkg.in/fsnotify.v1/inotify.go#L266 is trying to put the modify event on the Events channel, but because https://github.com/docker/docker/blob/master/daemon/logger/jsonfilelog/read.go#L235 is trying to process the close it cannot take the event off the channel. Remove is blocked because it is waiting on a condition to be broadcast https://github.com/docker/docker/blob/master/vendor/src/gopkg.in/fsnotify.v1/inotify.go#L157, this would be triggered by receiving an IN_IGNORE event https://github.com/docker/docker/blob/master/vendor/src/gopkg.in/fsnotify.v1/inotify.go#L289, but due to the code stuck trying to push the IN_MODIFY onto the Events channel this is never processed.

We initially saw this behaviour with v1.12.1, but have replicated it building the daemon from master. Additionally, we first observed this using the HTTP API to follow the logs, but the same behaviour can been seen with docker logs -f

Here is a gist that should show you the order of events that is causing this deadlock: https://gist.github.com/tombooth/e38175f07233c683704528cf406c3120

Steps to reproduce the issue:

1. Run the attached script, eventually the docker logs -f command will hang

#!/bin/bash

while true
do
        container_id="$(docker run -d ubuntu:latest /bin/bash -e -c "echo -n \"foo\"")"
        docker logs -f "${container_id}"
done

Describe the results you received:
The logs function hung

Describe the results you expected:
It should have exited

Additional information you deem important (e.g. issue happens only occasionally):
This doesn't occur on every execution of the the loop block. On my local machine, running Linux in a container, it seems to hang one in two-three times.

Output of docker version:

Client:
Version: 1.12.2
API version: 1.24
Go version: go1.6.3
Git commit: bb80604
Built: Tue Oct 11 18:29:41 2016
OS/Arch: linux/amd64

Server:
Version: 1.12.2
API version: 1.24
Go version: go1.6.3
Git commit: bb80604
Built: Tue Oct 11 18:29:41 2016
OS/Arch: linux/amd64

Output of docker info:

Containers: 209
Running: 1
Paused: 0
Stopped: 208
Images: 109
Server Version: 1.12.2
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 505
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-45-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.859 GiB
Name: vagrant
ID: QXD3:X4JO:E52F:CWCS:IY3J:RN36:EV36:I2KK:7JH4:WOJ3:MSL5:7O7P
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8

Additional environment details (AWS, VirtualBox, physical, etc.):

We've seen this on AWS, in VMWare Fusion and on a physical machine.

[tombooth]

I added in the initial commit because golint failed by build because it claimed we didn't need the cast. Now the build fails because the cast isn't there, is there a way of ignoring that lint fail?

[cpuguy83]

Nice, I've observed this deadlock as well.
Good catch!

[cpuguy83]

13:35:42 daemon/logger/jsonfilelog/read.go:123: cannot use bytes.NewBuffer(bytes.Join(ls, ([]byte)("\n"))) (type *bytes.Buffer) as type io.ReadSeeker in assignment:
13:35:42    *bytes.Buffer does not implement io.ReadSeeker (missing Seek method)

[tombooth]

@cpuguy83 see my comment above, I changed the signature of a reader because golint on your build servers didn't think the io.Reader from io.ReadSeeker cast was needed. It seems it was though as it fails the build. I'm not 100% sure what to do.

FYI without the removal of the cast the tests all happily passed locally.

[tombooth]

I could do something like:

diff --git a/daemon/logger/jsonfilelog/read.go b/daemon/logger/jsonfilelog/read.go
index df67fb0..d628dc3 100644
--- a/daemon/logger/jsonfilelog/read.go
+++ b/daemon/logger/jsonfilelog/read.go
@@ -113,7 +113,7 @@ func (l *JSONFileLogger) readLogs(logWatcher *logger.LogWatcher, config logger.R
 }

 func tailFile(f io.ReadSeeker, logWatcher *logger.LogWatcher, tail int, since time.Time) {
-   var rdr io.Reader = f
+   var rdr io.Reader
    if tail > 0 {
        ls, err := tailfile.TailFile(f, tail)
        if err != nil {
@@ -121,6 +121,8 @@ func tailFile(f io.ReadSeeker, logWatcher *logger.LogWatcher, tail int, since ti
            return
        }
        rdr = bytes.NewBuffer(bytes.Join(ls, []byte("\n")))
+   } else {
+       rdr = f.(io.Reader)
    }
    dec := json.NewDecoder(rdr)
    l := &jsonlog.JSONLog{}

That should keep both lint and the build happy.

[tombooth]

I've pushed that, so lets see what happens 🍀

[cpuguy83]

There should be no need to cast here.
Maybe just for simplicity (removing the else) we can do:

var rdr io.Reader
rdr = f
if tail > 0 {
...
}

And the linter may be happy?

[tombooth]

I'll let this build run to see if everything is happy and then make that change.

[tombooth]

I've pushed the change. Last time it passed all test suites, so as this update has got passed lint I am hopeful 😄

[cpuguy83]

Looking at the watch loop below, I think we need some way to cancel this goroutine since the loop may exit without logwatcher closing. May be time to whip out a context.

[tombooth]

Good shout! I've just pushed an update to the code, does it look a little better? If it's not quite how you imagined let me know.

[tombooth]

What do you reckon the chances of this making it into v1.13.0 are @cpuguy83 ?

[cpuguy83]

Maybe instead of creating this channel, we can do context.WithCancel(ctx) to create a nested context.

[tombooth]

Agreed and done.

[cpuguy83]

Sorry, one more thing, I think this need to run in either case

[tombooth]

It's no problem, I had assumed the deferred fileWatcher.Close() would have taken care of it but looking at the source it doesn't clear up any open inotify watchers so we would be leaking descriptors. Fix incoming.

[tombooth]

Pushed

[cpuguy83]

:) defer filewatcher.Remove above the select, but no worries.

[tombooth]

Sorry, it is a little late over here. I've just been having a think about the order of execution. If a fileWatcher.Remove happens after fileWatcher.Close it would likely hang as Remove would be waiting for an IN_IGNORE event but readEvents (in https://github.com/docker/docker/blob/362eb4cfbb09b5dc0fe648360a2e6d0546bf6613/vendor/src/gopkg.in/fsnotify.v1/inotify.go) would have exited because the watcher was closed so it would never receive it. This makes me a little concerned about the Remove after ctx.Done() as the fileWatcher.Close() in the second defer could have run by the time Remove is called.

I'm fairly new to Go so if that doesn't sounds right (could also be because I'm tried) let me know, otherwise I might switch to a fileWatcher.Remove before the Close in the defer above the go block. If it has already been removed it should have no issue, it will just return an error that we ignore anyway: https://github.com/docker/docker/blob/362eb4cfbb09b5dc0fe648360a2e6d0546bf6613/vendor/src/gopkg.in/fsnotify.v1/inotify.go#L135

[cpuguy83]

LGTM if janky is happy

[LK4D4]

this is not compatible with go1.6 I think, you should use golang.org/x/net/context I think.

[tombooth]

I've switched this, thanks for the pointer.

[LK4D4]

I think top context is unnecessary(maybe we'll pass it from api call later).
So, I think this line should look like:

ctx, cancel := context.WithCancel(ctx)
defer cancel()

[cpuguy83]

We need one to notify that the watcher is closed, and the other to notify that the goroutine needs to exit.

[LK4D4]

I don't really understand why we can't use one for both?

[cpuguy83]

Other than multiple owners of cancel()? It's probably ok. I prefer the separation, but assuming nothing panics it seems ok.

[tombooth]

I've moved it to a single context.

[LK4D4]

LGTM

[cpuguy83]

LGTM

[tombooth]

Thanks @cpuguy83 @LK4D4 😄

[michael-holzheu]

Does this fix #16462 as well? /cc @michael-holzheu

Perhaps.

Unfortunately in the last months I never saw the TestLogsFollowSlowStdoutConsumer testcase failing again. I would be fine with closing #16462.

[thaJeztah]

thanks @michael-holzheu, let me close it for now, we can reopen if it occurs again

[kolyshkin]

For the sake of people reading this: the bug causing the issue is a bug in fsnotify package (fsnotify/fsnotify#195, fsnotify/fsnotify#123, fsnotify/fsnotify#115), which has since been fixed by commit fsnotify/fsnotify@4da3e2c "Fix deadlock in Remove (linux/inotify)". The fix has appeared in fsnotify v.1.4.7, which was vendored to moby/moby in commit 9f016c0.

The fix in this PR was just a workaround for the above fsnotify bug.

All this means the workarond can be now removed.