Thanks @bryce for the detailed updates.

For us personally it's the second time we run into a docker daemon
restart on production (including all container restarts).

The only reason why this time it got much more attention is that a bug
prevented a clean restart of the daemon, leaving containers offline.

This fact tells us that most of the people never noticed that their
containers were also restarted during the last update. (Which is fine
because mostly a short restart, for example of a webserver nobody would
notice)

This is also fine for most of our servers because they are running
lightweight containers.

The only reason why we noticed it (this and last time) is that we are
running heavy database containers (for example elasticsearch with a couple
of TBs) which have a restart time of minutes instead of seconds.

Especially it's critical (and losing consistency) when containers of the
same kind get restarted at the same time.

All of this chain is triggered by the unattended updates. That's why we
excluded the automatic updates for the docker package.

But this doesn't help if depending package updates are still restarting
the docker daemon/containers.

Since the unattended package is still marked as 'wont-fix', and the
dependencies problem is explained above..

The only way to safely prevent docker daemon restarts is to fully
disable the whole unattended updates? Can someone confirm this?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1906364

Title:
  unattended-upgrade still restarts blacklisted daemons

Status in docker.io package in Ubuntu:
  In Progress
Status in unattended-upgrades package in Ubuntu:
  Won't Fix
Status in docker.io source package in Xenial:
  In Progress
Status in unattended-upgrades source package in Xenial:
  Won't Fix
Status in docker.io source package in Bionic:
  In Progress
Status in unattended-upgrades source package in Bionic:
  Won't Fix
Status in docker.io source package in Focal:
  In Progress
Status in unattended-upgrades source package in Focal:
  Won't Fix
Status in docker.io source package in Groovy:
  In Progress
Status in unattended-upgrades source package in Groovy:
  Won't Fix
Status in docker.io source package in Hirsute:
  In Progress
Status in unattended-upgrades source package in Hirsute:
  Won't Fix

Bug description:
  Hello,

  Today plenty of our systems running ubuntu 20.04 were restarting the
  docker daemon, even if I blacklisted the docker package. Since docker
  has a dependency on containerd that's the reason why it was restarted.
  IMO the blacklist should also check the full tree of dependencies...
  This should NOT happen!

  From the log you find:

  2020-12-01 06:40:13,881 INFO Starting unattended upgrades script
  2020-12-01 06:40:13,882 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security
  2020-12-01 06:40:13,882 INFO Initial blacklist: docker docker.io
  2020-12-01 06:40:13,882 INFO Initial whitelist (not strict):
  2020-12-01 06:40:19,139 INFO Packages that will be upgraded: containerd qemu-block-extra qemu-kvm qemu-system-common qemu-system-data qemu-system-gui qemu-system-x86 qemu-utils
  2020-12-01 06:40:19,140 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
  2020-12-01 06:40:46,996 INFO All upgrades installed
  2020-12-01 06:40:50,732 INFO Starting unattended upgrades script
  2020-12-01 06:40:50,732 INFO Allowed origins are: o=Ubuntu,a=focal, o=Ubuntu,a=focal-security, o=UbuntuESMApps,a=focal-apps-security, o=UbuntuESM,a=focal-infra-security
  2020-12-01 06:40:50,733 INFO Initial blacklist: docker docker.io
  2020-12-01 06:40:50,733 INFO Initial whitelist (not strict):

  Also this happened for us on plenty of our servers almost at the same
  time (why the unattended updates are not spread over time?), which
  destroyed the second time a production environment.

  This is not how unattended-upgrades should be, sadly this package lost
  our trust and we disable it and schedule the 'unattended updates' now
  on our own.

  PS: Not to say that on some servers the docker daemon did not even
  restart..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1906364/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
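
An added example, not part of the original bug report or of unattended-upgrades: a small audit of the unattended-upgrades log format quoted in the bug description, flagging runs in which a dependency of a blacklisted package was upgraded anyway. The dependency map `RESTART_DEPS`, the function name and the sample log are assumptions constructed for illustration, and blacklist entries are treated as literal package names.

```python
import re

# Constructed sample: log lines in the format quoted in the bug description.
SAMPLE_LOG = """\
2020-12-01 06:40:13,881 INFO Starting unattended upgrades script
2020-12-01 06:40:13,882 INFO Initial blacklist: docker docker.io
2020-12-01 06:40:13,882 INFO Initial whitelist (not strict):
2020-12-01 06:40:19,139 INFO Packages that will be upgraded: containerd qemu-kvm qemu-utils
2020-12-01 06:40:46,996 INFO All upgrades installed
2020-12-01 06:40:50,732 INFO Starting unattended upgrades script
2020-12-01 06:40:50,733 INFO Initial blacklist: docker docker.io
"""

# Assumption: hand-maintained map of blacklisted package -> dependencies whose
# upgrade restarts it. On a real host, derive it from `apt-cache depends`.
RESTART_DEPS = {"docker.io": {"containerd", "runc"}}

LINE = re.compile(r"^(\S+ \S+) INFO (Starting unattended upgrades script|"
                  r"Initial blacklist:|Packages that will be upgraded:)(.*)$")

def find_blacklist_bypasses(log_text, restart_deps=RESTART_DEPS):
    """Return (timestamp, blacklisted_pkg, upgraded_dep) for each run where a
    dependency of a blacklisted package was upgraded anyway."""
    findings, blacklist = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # whitelist, dpkg log and completion lines are ignored
        ts, kind, rest = m.groups()
        if kind.startswith("Starting"):
            blacklist = set()  # new run: forget the previous run's blacklist
        elif kind.startswith("Initial blacklist"):
            blacklist = set(rest.split())
        else:
            upgraded = set(rest.split())
            for pkg in sorted(blacklist):
                for dep in sorted(restart_deps.get(pkg, set()) & upgraded):
                    findings.append((ts, pkg, dep))
    return findings

if __name__ == "__main__":
    for ts, pkg, dep in find_blacklist_bypasses(SAMPLE_LOG):
        print(f"{ts}: {dep} upgraded although {pkg} is blacklisted")
```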
