8000 Unable to Remove Containers: driver "windowsfilter" failed to remove root filesystem · Issue #36218 · moby/moby · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Unable to Remove Containers: driver "windowsfilter" failed to remove root filesystem #36218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
harbertc opened this issue Feb 6, 2018 · 15 comments · Fixed by #37712
Closed

Unable to Remove Containers: driver "windowsfilter" failed to remove root filesystem #36218

harbertc opened this issue Feb 6, 2018 · 15 comments · Fixed by #37712
Assignees
@johnstep @lowenna
Labels
platform/windows version/17.06

Comments

@harbertc
Copy link
harbertc commented Feb 6, 2018

Description

While conducting a load test with Windows containers, Docker commands became unresponsive (expected). In order to recover the system, the Docker service was restarted. After the restart, the previously created containers can't be started or removed.

Steps to reproduce the issue:

  1. Add containers until the system becomes unresponsive.
  2. Restart the Docker service.
  3. Try to remove one of the containers [FAIL]:
docker rm -f testsite1
  1. Try to start on of the containers [FAIL].
docker start testsite1

Describe the results you received:

Trying to remove the container fails:

> docker rm -f testsite1
Error response from daemon: driver "windowsfilter" failed to remove root filesystem for 9442da524e13337b7b8b69ad9a26882c94140dfa39460034e2f62f9cf0296837: rename C:\ProgramData\docker\windowsfilter\9442da524e13337b7b8b69ad9a26882c94140dfa39460034e2f62f9cf0296837 C:\ProgramData\docker\windowsfilter\9442da524e13337b7b8b69ad9a26882c94140dfa39460034e2f62f9cf0296837-removing: Access is denied.

Trying to start the container fails:

> docker start testsite1
Error response from daemon: Container is marked for removal and cannot be started.
Error: failed to start containers: testsite1

Describe the results you expected:

I expected after restarting the Docker service for the containers to be stopped (but visible when running "docker ps -a". Running "docker start " should restart the containers. Running "docker rm -f " should remove them.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

> docker version
Client:
 Version:      17.06.2-ee-6
 API version:  1.30
 Go version:   go1.8.3
 Git commit:   e75fdb8
 Built:        Mon Nov 27 22:46:09 2017
 OS/Arch:      windows/amd64

Server:
 Version:      17.06.2-ee-6
 API version:  1.30 (minimum version 1.24)
 Go version:   go1.8.3
 Git commit:   e75fdb8
 Built:        Mon Nov 27 22:55:16 2017
 OS/Arch:      windows/amd64
 Experimental: false

Output of docker info:

Containers: 18
 Running: 0
 Paused: 0
 Stopped: 18
Images: 10
Server Version: 17.06.2-ee-6
Storage Driver: windowsfilter
 Windows:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd json-file logentries splunk syslog
Swarm: inactive
Default Isolation: process
Kernel Version: 10.0 16299 (16299.15.amd64fre.rs3_release.170928-1534)
Operating System: Windows Server Datacenter
OSType: windows
Architecture: x86_64
CPUs: 2
Total Memory: 16GiB
Name: DockerTest
ID: 5IKI:MYU2:AC2W:RABM:W7SX:NPUC:Z2VF:R5BA:43W2:BUM3:V7VR:JSTQ
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): false
Username: harbertc
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

The Docker host is running in Azure.
@Francommit
Copy link
Francommit commented Feb 6, 2018
edited
Loading

Having the same issue. Not running in Azure.

Tried the latest build of 17.03 as well and having the same issue.

@GAAOPS
Copy link
GAAOPS commented May 19, 2018
edited
Loading

I have also the same problem on windows server 2016:

Windows Edition                  Version    OS Build  
Windows Server 2016 Datacenter   1607       14393.2273

and here is my docker installation:

Client:
 Version:      18.03.1-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   9ee9f40
 Built:        Thu Apr 26 07:12:48 2018
 OS/Arch:      windows/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.03.1-ce
  API version:  1.37 (minimum version 1.24)
  Go version:   go1.9.5
  Git commit:   9ee9f40
  Built:        Thu Apr 26 07:21:42 2018
  OS/Arch:      windows/amd64
  Experimental: false

On windows 10 i have not experienced this problem but on Windows server, i cannot remove the containers even after restarting docker.
I also tried to remove it with force like this:
docker rm -f -v

still, i get access denied error.
I found the other issue also here: #30278

I have stopped the docker and tried to manually remove the container folder from the windowsfilter folder with Administrator account but it will say:
You need permission to perform this action, you require permission from Administrators to make changes to this folder.

After restarting the Server i was able to remove the containers. but the problem is still there and restarting the server is not an option :)

@coryheuschkel
Copy link
coryheuschkel commented Jun 18, 2018
edited
Loading

Any update on this issue? I am also seeing it on Windows Server 2016 build 10.0.14393.

@Francommit
Copy link

So after lots and lots of messing around I've come to the understanding that it has to be something environmental related that no-one has much of an idea of.

I've managed to get Docker fully working on another server but sitting in a different rack that we own. The only different in the servers is the rack it's sitting on. (and the disk type)

The initial server that I was experimenting with is in some sort of 'corrupt' state I'm fairly certain. I've removed all the containers, images and pruned all the volumes and I still can't uninstall the Windows 'Containers feature'.

It's very important to note here that I performed the installation in an 'offline state'. So I simply downloaded the zip, set up dockerd.exe as a Windows service and then turned it on with a path variable set to docker.exe. So I can't 'uninstall' Docker as a lot of other people are suggesting, you have to manually clean it up yourself.

If you can potentially afford it, I'd suggest re-build your Windows Server from scratch and try to get Docker Working before you start putting other things on it.

I've tried to contact the Docker EE Support team and have just had my queries ignored/forgotten it seems.

@coryheuschkel
Copy link

Thanks for the response @Francommit, but unfortunately this is a clean Windows Server 2016 VM that was created specifically for Docker. So there's nothing else that should have interfered with the installation process. We did, however, create a D:\ volume to store Docker data; I'm starting to think this is the root cause of the issue as well.

A restart, as you suggested, does actually fix the problem temporarily. After a restart I can delete containers using the CLI. However, if I'm running a Dockerfile (I was following the guide for Windows Containers and Docker 101 at https://www.youtube.com/watch?v=066-9yw8-7c), the intermediate containers created from nanoserver ultimately cause the permissions problem again and I'm back to square one. Below is the output from running the Dockerfile from the tutorial:

Sending build context to Docker daemon  4.096kB
Step 1/3 : FROM microsoft/nanoserver
 ---> a6688cd24441
Step 2/3 : COPY print-env.ps1 c:\\print-env.ps1
 ---> 0e4e48d2bdd0
Error removing intermediate container 8d3b21307237: driver "windowsfilter" failed to remove root filesystem for 8d3b21307237151b06aca3aabaef0927d587b7b8648d0c2094ab819c891b0a63: rename D:\windowsfilter\8d3b21307237151b06aca3aabaef0927d587b7b8648d0c2094ab819c891b0a63 D:\windowsfilter\8d3b21307237151b06aca3aabaef0927d587b7b8648d0c2094ab819c891b0a63-removing: Access is denied.
Step 3/3 : CMD powershell.exe c:\print-env.ps1
 ---> Running in 068fa95fb722
 ---> 440958e00780
Error removing intermediate container 8d3b21307237: driver "windowsfilter" failed to remove root filesystem for 8d3b21307237151b06aca3aabaef0927d587b7b8648d0c2094ab819c891b0a63: rename D:\windowsfilter\8d3b21307237151b06aca3aabaef0927d587b7b8648d0c2094ab819c891b0a63 D:\windowsfilter\8d3b21307237151b06aca3aabaef0927d587b7b8648d0c2094ab819c891b0a63-removing: Access is denied.
Successfully built 440958e00780
Successfully tagged print-env:latest

I would really hope that someone could look at this issue. A scheduled restart to fix this is not a good workaround. I am hoping only creating images is the root cause of the problem but simply don't know at this point.

@Francommit
Copy link

@coryheuschkel try using the 'default' docker installation (without switching drives) and try to manually import the microsoft/nanoserver container. That's what I've been doing up to this point.

On your own machine

docker pull microsoft/nanoserver
docker save -o nano-image.zip microsoft/nanoserver

Then on the server

docker load --input nano-image.zip
docker run -it microsoft/nanoserver

I can't run the very last command and it stops at the HCSSCHIM command:
https://user-images.githubusercontent.com/11533365/41086250-c2c934f0-6a7c-11e8-8c6d-1039ee41b863.png

Also raised similar issues here:
docker/for-win#686
#34807

@coryheuschkel
Copy link

Update:
I completely wiped our VM and started fresh with default settings and this issue is present. I am using out of the box configuration for Windows Server 2016 Version 1607 (OS Build 14393.2339) with the current Docker EE version (17.06.2-ee-14) available from installing Docker via Powershell.

After installing Docker, running a container from the hello-world:nanoserver image worked OK. However, when running a container from the microsoft/windowsservercore:ltsc2016 image, all of the intermediate containers that are supposed to be removed force the issue to occur.

I'm very surprised that storing Docker data on a separate volume was not the root cause of the bug. We are currently stuck in the mud with setting up our Windows build server while we wait for some sort of help.

Docker version:

docker version
Client:
 Version:      17.06.2-ee-14
 API version:  1.30
 Go version:   go1.8.7
 Git commit:   6345dd7
 Built:        Thu Jun 21 18:16:45 2018
 OS/Arch:      windows/amd64

Server:
 Engine:
  Version:      17.06.2-ee-14
  API version:  1.30 (minimum version 1.24)
  Go version:   go1.8.7
  Git commit:   6345dd7
  Built:        Thu Jun 21 18:28:51 2018
  OS/Arch:      windows/amd64
  Experimental: false

Docker info:

 docker info
Containers: 3
 Running: 0
 Paused: 0
 Stopped: 3
Images: 4
Server Version: 17.06.2-ee-14
Storage Driver: windowsfilter
 Windows:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd json-file logentries splunk syslog
Swarm: inactive
Default Isolation: process
Kernel Version: 10.0 14393 (14393.2339.amd64fre.rs1_release_inmarket.180611-1502)
Operating System: Windows Server 2016 Standard
OSType: windows
Architecture: x86_64
CPUs: 4
Total Memory: 8GiB
Name: TSI-SV-BUILDWINP-01
ID: 4QAF:LKHY:NYKN:IX7L:VF5V:V6JE:74VU:EMSL:YUZV:7JWD:3RVO:G33T
Docker Root Dir: C:\ProgramData\docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Output from attempting to build microsoft/windowsservercore:ltsc2016:

docker build -t [removed] .
Sending build context to Docker daemon  6.144kB
Step 1/8 : FROM microsoft/windowsservercore:ltsc2016
ltsc2016: Pulling from microsoft/windowsservercore
3889bb8d808b: Pull complete
8e9da9bbe3af: Pull complete
Digest: sha256:c06b4bfaf634215ea194e6005450740f3a230b27c510cf8facab1e9c678f3a99
Status: Downloaded newer image for microsoft/windowsservercore:ltsc2016
 ---> 9dbf7f740334
Step 2/8 : MAINTAINER Cory Heuschkel, cory.heuschkel@tsi.com
 ---> Running in d97239569e61
 ---> 7631bc4f8a11
Error removing intermediate container d97239569e61: driver "windowsfilter" failed to remove root filesystem for d97239569e611f487900360c91adf444b09c60a7c04a777bf5777ee40192c323: rename C:\ProgramData\docker\windowsfilter\d97239569e611f487900360c91adf444b09c60a7c04a777bf5777ee40192c323 C:\ProgramData\docker\windowsfilter\d97239569e611f487900360c91adf444b09c60a7c04a777bf5777ee40192c323-removing: Access is denied.
Step 3/8 : SHELL powershell.exe -ExecutionPolicy Bypass -Command
 ---> Running in 84ea4350c9de
 ---> 32910b987c93
Error removing intermediate container d97239569e61: driver "windowsfilter" failed to remove root filesystem for d97239569e611f487900360c91adf444b09c60a7c04a777bf5777ee40192c323: rename C:\ProgramData\docker\windowsfilter\d97239569e611f487900360c91adf444b09c60a7c04a777bf5777ee40192c323 C:\ProgramData\docker\windowsfilter\d97239569e611f487900360c91adf444b09c60a7c04a777bf5777ee40192c323-removing: Access is denied.

@johnstep
Copy link
Member
johnstep commented Jul 5, 2018

@coryheuschkel I am unable to reproduce the issue following your steps above (at least using a Dockerfile with the first 3 of the 8 steps). Does it reproduce every time?

Is your VM local or hosted, and if hosted, where? You mentioned it is clean, so this seems unlikely, but are there any special drivers or scanning software (malware detection, etc.) installed? What does fltmc instances show?

@coryheuschkel
Copy link

@johnstep Unfortunately the error comes up every time I try to pull a windowsservercore image. Our VM is local; it's running on a server rack in our offices. We do use Cisco AMP so I suppose it's not truly a "clean" VM but I am working to get the Docker program data directory whitelisted. I'll go ahead and dump the output of fltmc instances below:

λ  fltmc instances
Filter                Volume Name                              Altitude        Instance Name       Frame   SprtFtrs  VlStatus
--------------------  -------------------------------------  ------------  ----------------------  -----   --------  --------
ImmunetProtectDriver                                            320650     ImmunetProtect Instance    0     00000000
ImmunetProtectDriver  C:                                        320650     ImmunetProtect Instance    0     00000000
ImmunetSelfProtectDriver                                            320850     ImmunetSelfProtect Instance    0     00000000
ImmunetSelfProtectDriver  C:                                        320850     ImmunetSelfProtect Instance    0     00000000
WdFilter                                                        328010     WdFilter Instance         0     00000003
WdFilter              C:                                        328010     WdFilter Instance         0     00000003
WdFilter              \Device\Mup                               328010     WdFilter Instance         0     00000003
Wof                   C:                                         40700     Wof Instance              0     00000003
luafv                 C:                                        135000     luafv                     0     00000003
npsvctrig             \Device\NamedPipe                          46000     npsvctrig                 0     00000000

@johnstep
Copy link
Member
johnstep commented Jul 5, 2018

It is possible that ImmunetProtectDriver is scanning the directory and somehow preventing it from being renamed. It also likely slows things down as well. You might be able to remove the contrainers sometime later, but I am not sure.

Please let us know what happens with ImmunetProtectDriver disabled, or ignoring the Docker data directory, if possible.

@coryheuschkel
Copy link

My IT group whitelisted the Docker ProgramData directory on our VM and the issue has not come up again. Cisco AMP (ImmunetProtectDriver) was definitely the culprit here. Thanks for all the help.

@Francommit
Copy link

So I figured out the problem. (potentially unrelated?)

When you tell docker to run in certain modes in windows and it kills the processs it locks all docker functionality. How do I replicate this scenario?

  1. Install Docker EE on a Win server 2016
  2. Load your image on said container
  3. Attempt to get some other program to run said container with the -it flag where using -it isn't compatible (in my case it was Bamboo)
  4. Have that docker.exe process killed in some fashion

From here all 'docker run' commands fail just before the daemon loads them.
Rebooting, uninstalling the Containers feature and even 'zapping' the existing docker windows files leftover don't work. While zapping the files REMOVES them, it leaves Docker functionality on your windows server instance corrupted.

The solution? Don't run docker with -it flags where it's not meant to be used.

@lowenna lowenna mentioned this issue Aug 24, 2018
Merged
@lowenna
Copy link
Member
lowenna commented Aug 24, 2018

The -original- issue reported would be fixed by #37712.

@thaJeztah thaJeztah mentioned this issue Nov 9, 2018
Merged
@vikramhh vikramhh mentioned this issue Aug 15, 2019
Merged
@TBBle
Copy link
Contributor
TBBle commented Apr 30, 2021

Based on containerd/containerd#5422, I suspect this issue may have reappeared (but with a different error message) on Windows Server LTSC 2019 due to changes in go-winio which would have arrived in 0.4.13 (#38541 in 19.03.0) or 0.4.14 (#39679 in 20.10.0).

Pending work is to work out if my diagnosis is correct and go-winio needs to be fixed for this API to work on LTSC2019, or if not, what was going on that made it look that way.

A possible improvement would be to make the same change as containerd, and use hcsshim.DeactivateLayer instead of vhd.DetachVhd, in order to decouple from any possible go-winio issue here.

Mainly leaving this comment so this issue can sit on my notifications until the root issue that lead to containerd/containerd#5422 is diagnosed, and to generate relevant cross-issue links.

@thaJeztah thaJeztah mentioned this issue Apr 30, 2021
Merged
@TBBle TBBle mentioned this issue May 11, 2021
Merged
@navdotnetreqs
Copy link

Same issue.

docker : Error response from daemon: container 7a042a0976a9b8db4112075b061d198a14b79128fe166db1c515a7679379b747: driver "windowsfilter" failed to remove root filesystem: failed to detach VHD: failed to open virtual disk: The process cannot access the file because it
is being used by another process.: rename C:\ProgramData\docker\windowsfilter\7a042a0976a9b8db4112075b061d198a14b79128fe166db1c515a7679379b747 C:\ProgramData\docker\windowsfilter\7a042a0976a9b8db4112075b061d198a14b79128fe166db1c515a7679379b747-removing: Access is denied.

@mthalman mthalman mentioned this issue May 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johnstep johnstep

@lowenna lowenna

Labels
platform/windows version/17.06
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Windows: Try to detach sandbox on cleanup to avoid permission denied microsoft/docker
9 participants
@TBBle @harbertc @johnstep @GAAOPS @lowenna @GordonTheTurtle @Francommit @navdotnetreqs @coryheuschkel
0