Container displays label from another container

Question

Container displays label from another container

aviratna opened this issue 6 years ago · 5 comments

Background
We are using docker label for various use cases like chargeback, load balancer etc. We came across below issue with docker label.

Issue: If we create a container with docker label and use same docker image to create another container, new container will get created with same docker label though we did not provide the docker label for new container.

vSphere and vCenter Server version
vSphere 6.5

VIC version
VIC 1.5 (probably all versions in the past too)

##### Steps to reproduce

Create a container with docker label
e.g. docker run --label xyz :
Check for docker label
docker inspect <container id 1>
Create another container using same docker image. do not pass label parameter
docker run :
Check the docker label
docker inspect <container id 2>
New docker container also shows the same docker label from previous container created using same docker image though we did not provided the docker label in docker run.

##### Actual behavior
Container copies the label from another container which are created using same docker image.

##### Expected behavior
Container should only show docker label which are part of docker image or docker label provided during docker run command. Container should not copy label from another container.

Docker Image is immutable, it should not get updated with docker label provided during docker run.

##### Observation
We tried the docker inspect on docker image. Labels got updated for that docker image which were provided during docker run command.

@malikkal

Answer 1 · 2019-05-09T02:50:49.000Z

@aviratna I cannot reproduce the issue in VIC 1.5.2, and I think there is no change related to label between VIC 1.5.0 and VIC 1.5.2. You may double check here.

Answer 2 · 2019-05-16T10:12:40.000Z

@wjun we verified this issue on VIC 1.5.2, we are able to reproduce it.

Below are steps and our observation:

Create a 1st container from docker image and pass --label parameter.
docker inspect container id shows the label which is expected.
Same label gets updated for docker image as well. you can verify it by doing "docker inspect image."
docker inspect image should not show labels which were attached to container.
When we try creating 2nd container from same docker image without --label parameter, labels gets attached from docker image. This container should get create without any docker label.

We can not use different docker labels for different containers created from same docker image because of this issue.

Docker Image Inspect: Labels updated for docker image which were passed as parameter during container creation.

Please let us know if any logs or any additional details are required.

@malikkal

Answer 3 · 2019-05-17T03:27:27.000Z

These are the steps I use when trying to reproduce by creating two containers from the same image and one with label another one without. it works as expected:
551 docker -H 10.192.200.165:2376 --tls --tlscacert=certs/ca.pem --tlscert=certs/client-crt.pem --tlskey=certs/client-key.pem run -id --label pen: busybox
552 docker -H 10.192.200.165:2376 --tls --tlscacert=certs/ca.pem --tlscert=certs/client-crt.pem --tlskey=certs/client-key.pem ps
553 docker -H 10.192.200.165:2376 --tls --tlscacert=certs/ca.pem --tlscert=certs/client-crt.pem --tlskey=certs/client-key.pem inspect flamboyant_bell
554 docker -H 10.192.200.165:2376 --tls --tlscacert=certs/ca.pem --tlscert=certs/client-crt.pem --tlskey=certs/client-key.pem run -id busybox
555 docker -H 10.192.200.165:2376 --tls --tlscacert=certs/ca.pem --tlscert=certs/client-crt.pem --tlskey=certs/client-key.pem ps
556 docker -H 10.192.200.165:2376 --tls --tlscacert=certs/ca.pem --tlscert=certs/client-crt.pem --tlskey=certs/client-key.pem inspect modest_carson

Please paste the docker commands you use here and see if we can reproduce. Or you can try the above commands in your local environment.

Answer 4 · 2019-05-28T04:04:41.000Z

@wjun Hi, I did some test on docker label to reproduce it.

Issue is reproducible on docker image which already has some label
Issue is not reproducible if docker image has no label or null

E.g
Docker Image without Label: golang:1.10
Docker Image with label: nginx:1.13.5-alpine or rhel:7.4-152

Step:

When you create a container from docker image which already some labels and
docker run --label="service_name=web1" nginx:1.13.5-alpine
Container will get created, if you do docker inspect . You can see image label as well custom label pass during container creation
Docker image inspect nginx:1.13.5-alpine shows the previous labels as well as label parameter provided during container creation. Docker Image should not get updated with container label.
When we try to provision another container from same docker image without any custom label parameter, newly provisioned container also gets attached with labels from previous container.

Docker Image inspect:

Please let us know if any logs or additional details are required.

One more observation: If we restart the VCH endpoint, issue will be fixed. Custom Docker label will be deleted from docker image and container which was created without docker label parameter.
Issue is reproducible again if we follow the above mentioned steps.

Not sure if its related to VCH cache.

@malikkal

Answer 5 · 2019-05-29T02:58:14.000Z

@aviratna Thanks for the information, and now I understand when the issue happens. The PR above should able to fix this issue.