Troubleshooting the Docker daemon
This page describes how to troubleshoot and debug the daemon if you run into issues.
You can turn on debugging on the daemon to learn about the runtime activity of
the daemon and to aid in troubleshooting. If the daemon is unresponsive, you can
also
force a full stack trace of all
threads to be added to the daemon log by sending the SIGUSR
signal to the
Docker daemon.
Daemon
Unable to connect to the Docker daemon
Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?
This error may indicate:
- The Docker daemon isn't running on your system. Start the daemon and try running the command again.
- Your Docker client is attempting to connect to a Docker daemon on a different host, and that host is unreachable.
Check whether Docker is running
The operating-system independent way to check whether Docker is running is to
ask Docker, using the docker info
command.
You can also use operating system utilities, such as
sudo systemctl is-active docker
or sudo status docker
or
sudo service docker status
, or checking the service status using Windows
utilities.
Finally, you can check in the process list for the dockerd
process, using
commands like ps
or top
.
Check which host your client is connecting to
To see which host your client is connecting to, check the value of the
DOCKER_HOST
variable in your environment.
$ env | grep DOCKER_HOST
If this command returns a value, the Docker client is set to connect to a Docker daemon running on that host. If it's unset, the Docker client is set to connect to the Docker daemon running on the local host. If it's set in error, use the following command to unset it:
$ unset DOCKER_HOST
You may need to edit your environment in files such as ~/.bashrc
or
~/.profile
to prevent the DOCKER_HOST
variable from being set erroneously.
If DOCKER_HOST
is set as intended, verify that the Docker daemon is running on
the remote host and that a firewall or network outage isn't preventing you from
connecting.
Troubleshoot conflicts between the daemon.json
and startup scripts
If you use a daemon.json
file and also pass options to the dockerd
command
manually or using start-up scripts, and these options conflict, Docker fails to
start with an error such as:
unable to configure the Docker daemon with file /etc/docker/daemon.json:
the following directives are specified both as a flag and in the configuration
file: hosts: (from flag: [unix:///var/run/docker.sock], from file: [tcp://127.0.0.1:2376])
If you see an error similar to this one and you are starting the daemon manually
with flags, you may need to adjust your flags or the daemon.json
to remove the
conflict.
メモ
If you see this specific error message about
hosts
, continue to the next section for a workaround.
If you are starting Docker using your operating system's init scripts, you may need to override the defaults in these scripts in ways that are specific to the operating system.
Configure the daemon host with systemd
One notable example of a configuration conflict that's difficult to
troubleshoot is when you want to specify a different daemon address from the
default. Docker listens on a socket by default. On Debian and Ubuntu systems
using systemd
, this means that a host flag -H
is always used when starting
dockerd
. If you specify a hosts
entry in the daemon.json
, this causes a
configuration conflict and results in the Docker daemon failing to start.
To work around this problem, create a new file
/etc/systemd/system/docker.service.d/docker.conf
with the following contents,
to remove the -H
argument that's used when starting the daemon by default.
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
There are other times when you might need to configure systemd
with Docker,
such as
configuring a HTTP or HTTPS proxy.
メモ
If you override this option without specifying a
hosts
entry in thedaemon.json
or a-H
flag when starting Docker manually, Docker fails to start.
Run sudo systemctl daemon-reload
before attempting to start Docker. If Docker
starts successfully, it's now listening on the IP address specified in the
hosts
key of the daemon.json
instead of a socket.
重要
Setting
hosts
in thedaemon.json
isn't supported on Docker Desktop for Windows or Docker Desktop for Mac.
Out of memory issues
If your containers attempt to use more memory than the system has available, you may experience an Out of Memory (OOM) exception, and a container, or the Docker daemon, might be stopped by the kernel OOM killer. To prevent this from happening, ensure that your application runs on hosts with adequate memory and see Understand the risks of running out of memory.
Kernel compatibility
Docker can't run correctly if your kernel is older than version 3.10, or if it's
missing kernel modules. To check kernel compatibility, you can download and run
the
check-config.sh
script.
$ curl https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh > check-config.sh
$ bash ./check-config.sh
The script only works on Linux.
Kernel cgroup swap limit capabilities
On Ubuntu or Debian hosts, you may see messages similar to the following when working with an image.
WARNING: Your kernel does not support swap limit capabilities. Limitation discarded.
If you don't need these capabilities, you can ignore the warning.
You can turn on these capabilities on Ubuntu or Debian by following these instructions. Memory and swap accounting incur an overhead of about 1% of the total available memory and a 10% overall performance degradation, even when Docker isn't running.
Log into the Ubuntu or Debian host as a user with
sudo
privileges.Edit the
/etc/default/grub
file. Add or edit theGRUB_CMDLINE_LINUX
line to add the following two key-value pairs:GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
Save and close the file.
Update the GRUB boot loader.
$ sudo update-grub
An error occurs if your GRUB configuration file has incorrect syntax. In this case, repeat steps 2 and 3.
The changes take effect when you reboot the system.
Networking
IP forwarding problems
If you manually configure your network using systemd-network
with systemd
version 219 or later, Docker containers may not be able to access your network.
Beginning with systemd version 220, the forwarding setting for a given network
(net.ipv4.conf.<interface>.forwarding
) defaults to off. This setting prevents
IP forwarding. It also conflicts with Docker's behavior of enabling the
net.ipv4.conf.all.forwarding
setting within containers.
To work around this on RHEL, CentOS, or Fedora, edit the <interface>.network
file in /usr/lib/systemd/network/
on your Docker host, for example,
/usr/lib/systemd/network/80-container-host0.network
.
Add the following block within the [Network]
section.
[Network]
...
IPForward=kernel
# OR
IPForward=true
This configuration allows IP forwarding from the container as expected.
DNS resolver issues
DNS resolver found in resolv.conf and containers can't use it
Linux desktop environments often have a network manager program running, that
uses dnsmasq
to cache DNS requests by adding them to /etc/resolv.conf
. The
dnsmasq
instance runs on a loopback address such as 127.0.0.1
or
127.0.1.1
. It speeds up DNS look-ups and provides DHCP services. Such a
configuration doesn't work within a Docker container. The Docker container uses
its own network namespace, and resolves loopback addresses such as 127.0.0.1
to itself, and it's unlikely to be running a DNS server on its own loopback
address.
If Docker detects that no DNS server referenced in /etc/resolv.conf
is a fully
functional DNS server, the following warning occurs:
WARNING: Local (127.0.0.1) DNS resolver found in resolv.conf and containers
can't use it. Using default external servers : [8.8.8.8 8.8.4.4]
If you see this warning, first check to see if you use dnsmasq
:
$ ps aux | grep dnsmasq
If your container needs to resolve hosts which are internal to your network, the public nameservers aren't adequate. You have two choices:
Specify DNS servers for Docker to use.
Turn off
dnsmasq
.Turning off
dnsmasq
adds the IP addresses of actual DNS nameservers to/etc/resolv.conf
, and you lose the benefits ofdnsmasq
.
You only need to use one of these methods.
Specify DNS servers for Docker
The default location of the configuration file is /etc/docker/daemon.json
. You
can change the location of the configuration file using the --config-file
daemon flag. The following instruction assumes that the location of the
configuration file is /etc/docker/daemon.json
.
Create or edit the Docker daemon configuration file, which defaults to
/etc/docker/daemon.json
file, which controls the Docker daemon configuration.$ sudo nano /etc/docker/daemon.json
Add a
dns
key with one or more DNS server IP addresses as values.{ "dns": ["8.8.8.8", "8.8.4.4"] }
If the file has existing contents, you only need to add or edit the
dns
line. If your internal DNS server can't resolve public IP addresses, include at least one DNS server that can. Doing so allows you to connect to Docker Hub, and your containers to resolve internet domain names.Save and close the file.
Restart the Docker daemon.
$ sudo service docker restart
Verify that Docker can resolve external IP addresses by trying to pull an image:
$ docker pull hello-world
If necessary, verify that Docker containers can resolve an internal hostname by pinging it.
$ docker run --rm -it alpine ping -c4 <my_internal_host> PING google.com (192.168.1.2): 56 data bytes 64 bytes from 192.168.1.2: seq=0 ttl=41 time=7.597 ms 64 bytes from 192.168.1.2: seq=1 ttl=41 time=7.635 ms 64 bytes from 192.168.1.2: seq=2 ttl=41 time=7.660 ms 64 bytes from 192.168.1.2: seq=3 ttl=41 time=7.677 ms
Turn off dnsmasq
If you prefer not to change the Docker daemon's configuration to use a specific
IP address, follow these instructions to turn off dnsmasq
in NetworkManager.
Edit the
/etc/NetworkManager/NetworkManager.conf
file.Comment out the
dns=dnsmasq
line by adding a#
character to the beginning of the line.# dns=dnsmasq
Save and close the file.
Restart both NetworkManager and Docker. As an alternative, you can reboot your system.
$ sudo systemctl restart network-manager $ sudo systemctl restart docker
To turn off dnsmasq
on RHEL, CentOS, or Fedora:
Turn off the
dnsmasq
service:$ sudo systemctl stop dnsmasq $ sudo systemctl disable dnsmasq
Configure the DNS servers manually using the Red Hat documentation.
Docker networks disappearing
If a Docker network, such as the docker0
bridge or a custom network, randomly
disappears or otherwise appears to be working incorrectly, it could be because
another service is interfering with or modifying Docker interfaces. Tools that
manage networking interfaces on the host are known to sometimes also
inappropriately modify Docker interfaces.
Refer to the following sections for instructions on how to configure your network manager to set Docker interfaces as un-managed, depending on the network management tools that exist on the host:
- If
netscript
is installed, consider uninstalling it - Configure the network manager to treat Docker interfaces as un-managed
- If you're using Netplan, you may need to apply a custom Netplan configuration
Uninstall netscript
If netscript
is installed on your system, you can likely fix this issue by
uninstalling it. For example, on a Debian-based system:
$ sudo apt-get remove netscript-2.4
Un-manage Docker interfaces
In some cases, the network manager will attempt to manage Docker interfaces by default. You can try to explicitly flag Docker networks as un-managed by editing your system's network configuration settings.
If you're using NetworkManager
, edit your system network configuration under
/etc/network/interfaces
Create a file at
/etc/network/interfaces.d/20-docker0
with the following contents:iface docker0 inet manual
Note that this example configuration only "un-manages" the default
docker0
bridge, not custom networks.Restart
NetworkManager
for the configuration change to take effect.$ systemctl restart NetworkManager
Verify that the
docker0
interface has theunmanaged
state.$ nmcli device
If you're running Docker on a system using systemd-networkd
as a networking
daemon, configure the Docker interfaces as un-managed by creating configuration
files under /etc/systemd/network
:
Create
/etc/systemd/network/docker.network
with the following contents:# Ensure that the Docker interfaces are un-managed [Match] Name=docker0 br-* veth* [Link] Unmanaged=yes
Reload the configuration.
$ sudo systemctl restart systemd-networkd
Restart the Docker daemon.
$ sudo systemctl restart docker
Verify that the Docker interfaces have the
unmanaged
state.$ networkctl
Prevent Netplan from overriding network configuration
On systems that use
Netplan through
cloud-init
, you may
need to apply a custom configuration to prevent netplan
from overriding the
network manager configuration:
Follow the steps in Un-manage Docker interfaces for creating the network manager configuration.
Create a
netplan
configuration file under/etc/netplan/50-cloud-init.yml
.The following example configuration file is a starting point. Adjust it to match the interfaces you want to un-manage. Incorrect configuration can lead to network connectivity issues.
/etc/netplan/50-cloud-init.ymlnetwork: ethernets: all: dhcp4: true dhcp6: true match: # edit this filter to match whatever makes sense for your system name: en* renderer: networkd version: 2
Apply the new Netplan configuration.
$ sudo netplan apply
Restart the Docker daemon:
$ sudo systemctl restart docker
Verify that the Docker interfaces have the
unmanaged
state.$ networkctl
Volumes
Unable to remove filesystem
Error: Unable to remove filesystem
Some container-based utilities, such
as
Google cAdvisor, mount Docker system
directories, such as /var/lib/docker/
, into a container. For instance, the
documentation for cadvisor
instructs you to run the cadvisor
container as
follows:
$ sudo docker run \
--volume=/:/rootfs:ro \
--volume=/var/run:/var/run:rw \
--volume=/sys:/sys:ro \
--volume=/var/lib/docker/:/var/lib/docker:ro \
--publish=8080:8080 \
--detach=true \
--name=cadvisor \
google/cadvisor:latest
When you bind-mount /var/lib/docker/
, this effectively mounts all resources of
all other running containers as filesystems within the container which mounts
/var/lib/docker/
. When you attempt to remove any of these containers, the
removal attempt may fail with an error like the following:
Error: Unable to remove filesystem for
74bef250361c7817bee19349c93139621b272bc8f654ae112dd4eb9652af9515:
remove /var/lib/docker/containers/74bef250361c7817bee19349c93139621b272bc8f654ae112dd4eb9652af9515/shm:
Device or resource busy
The problem occurs if the container which bind-mounts /var/lib/docker/
uses statfs
or fstatfs
on filesystem handles within /var/lib/docker/
and does not close them.
Typically, we would advise against bind-mounting /var/lib/docker
in this way.
However, cAdvisor
requires this bind-mount for core functionality.
If you are unsure which process is causing the path mentioned in the error to
be busy and preventing it from being removed, you can use the lsof
command
to find its process. For instance, for the error above:
$ sudo lsof /var/lib/docker/containers/74bef250361c7817bee19349c93139621b272bc8f654ae112dd4eb9652af9515/shm
To work around this problem, stop the container which bind-mounts
/var/lib/docker
and try again to remove the other container.