Container start hangs if it was created from another container (Portainer scenario)

Question

Container start hangs if it was created from another container (Portainer scenario)

Herr-Sepp opened this issue 3 months ago · 7 comments

Describe the bug
Scenario: Creation of new Compose "stacks" using Portainer (Container Management Software).
Portainer itself runs within a container and has received access to the Docker Engine from the host as npipe mount.

No problems under Linux, under Windows the start of the second stack is never completed.

To Reproduce
No Portainer or Compose is required for recreation:

Start a container that itself has a port published (important), contains the Docker CLI and can access \.\pipe\docker_engine from the host.
(It does not matter in which network the container is located)
Create a new network
(Whether from within the container or directly on the host does not matter)
Start a new container from within the container with a published port inside this network
Repeat 3
(Container 3 can also run in a seconds new network, same result)

Copy-Item C:\Windows\System32\docker.exe .
@"
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022

USER ContainerAdministrator
COPY docker.exe C:
ENTRYPOINT .\docker network create -d nat 1 & \
           .\docker run -d -p 5001:5000 --network 1 --entrypoint cmd mcr.microsoft.com/windows/nanoserver:ltsc2022 /c ping 127.0.0.1 -n 500 & \
           .\docker run -d -p 5002:5000 --network 1 --entrypoint cmd mcr.microsoft.com/windows/nanoserver:ltsc2022 /c ping 127.0.0.1 -n 500
"@ > dockerfile
docker build -t recreator .
docker run -p 5000:5000 -v \\.\pipe\docker_engine:\\.\pipe\docker_engine recreator

The first container can be created successfully, the second is stuck in the "Create" step.
The load of the HostNetworkService remains permanently at 100% utilization of a core.
You can try to remove all container "docker rm-f $docker ps -aq)" which often normalizes the state.
But if you wait too long the docker engine does not react anymore.

Same result with WindowsServerCore

The error does not occur if:

The containers are started directly on the host
or
No ports are published
or
The new container (step 3&4) are in the same network as the first one (step 1)

Expected behavior
Both new container can be started successfully

Logs
There are many but none contain anything meaningful:
I hope with the recreator it is not necessary to add all logs here

last Docker Engine Debug Massage:

debug: [POST]=>[/endpoints/] Request : {"VirtualNetwork":"69394ECA-AD67-4F23-9877-0BDE73E01EA7","Policies":[{"Type":"NAT","Protocol":"tcp","InternalPort":5000,"ExternalPort":5
                     002,"ExternalPortReserved":true}],"EnableInternalDNS":true}

last HNS Log:

HNS-Endpoint-Attach:- 
 Endpunkt-ID = '{00ad573e-6d73-4459-8060-d525c8a02bc1}'.
  Netzwerk-ID = '{aeb11f9e-b474-4cd3-8bd5-dee485484ac7}'.
  Netzwerktyp = 'NAT'.
  Ergebniscode = '0x0'.

Configuration:

Edition: Windows Server 2022
Base Image being used: Windows Server Core or Windows Nano Server
Container engine: Docker
Container Engine version: 26.0.0

Additional context
I have tried to recreate it with containerd and nerdctl, but it is probably not possible at the moment.
The creation of a container from inside another one always fails with an error message.

/c ping 127.0.0.1 -n 500 is a way to keep the cmd alive, Has nothing to do with the bug.
You could also take a powershell-image and use start-sleep

Answer 1 · 2024-04-16T14:49:18.000Z

Hey @Herr-Sepp, thanks for raising this issue. We'll look at this issue shortly. Could you help me understand your use case with using Portainer with windows containers? I haven't seen much usage Portainer, and understanding this would help us prioritize this issue.

Answer 2 · 2024-04-16T15:53:11.000Z

@fady-azmy-msft with pleasure
We have containerized the components of our application.
However, many project managers do not feel comfortable working on the command line or working with scripts.
We needed an easy way to create container groups, edit envs, update image (and so on).
As an alternative to the (Docker Compose) CLI, we have found Portainer to be a great solution to manage container.

This has absolutely proven itself under Linux and has been well received.
Now that we have also created Windows containers for Windows Server, we thought we could offer the same user experience. Unfortunately, this is currently not possible.

(Or only with tricks that circumvent the bug)

Answer 3 · 2024-04-17T17:09:28.000Z

Got it. So project managers manage the deployment/configs of your apps with Portainer's GUI. Are these apps on the cloud or on-premises?

I've raised this issue with engineer, they'll look at this soon (ref ID #50179324).

Answer 4 · 2024-05-18T10:32:58.000Z

This issue has been open for 30 days with no updates.
no assignees, please provide an update or close this issue.

Answer 5 · 2024-05-23T23:29:55.000Z

@fady-azmy-msft the root cause of this bug is the same as 140: Can't start any two docker-compose environments and 486: Can not start three containers with published ports

I recommend this issue be closed and 140 be used to track as it is currently assigned.

Answer 6 · 2024-06-24T16:03:39.000Z

This issue has been open for 30 days with no updates.
no assignees, please provide an update or close this issue.