Bug 1011680

Summary: Docker and IP forwarding
Product: [Fedora] Fedora
Reporter: Lokesh Mandvekar <lsm5>
Component: docker-io
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: alexl, ccoleman, jkeck, jpoimboe, lsm5, mattdm, mgoldman, mmcgrath, nick, sgordon
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2013-10-29 03:51:47 UTC
Type: Bug

Description Lokesh Mandvekar 2013-09-24 20:07:37 UTC
Description of problem:

Marek Goldmann pointed out that IP forwarding is disabled by default.

What would be the preferred default IP forwarding behavior with regards to docker?

And is it better to have it in a conf file, or perhaps in the systemd service file?


Version-Release number of selected component (if applicable): 0.6.2-14.devicemapper

Comment 1 Nick Stinemates 2013-09-24 20:30:07 UTC
Just to add that... IP forwarding is essential for any sort of network communication, either to the broader internet or intranet.

Comment 2 Marek Goldmann 2013-09-25 07:03:14 UTC
The first time I launched a container I had no network connectivity outside of docker's network. Of course I expected it to work out of the box.

If we cannot make it system-wide by default when installing/running docker on Fedora, it would be good to check the value of net.ipv4.ip_forward and print a warning in docker's log files. This may be a good candidate to add upstream in either case.

Comment 3 Matthew Miller 2013-09-25 12:37:10 UTC
We could consider making the start script or docker itself

1. check and save the value for net.ipv4.ip_forward
2. set to 1 if it isn't
3. restore on exit

(Also, what's the right thing for ipv6?)

Comment 4 Stephen Gordon 2013-10-03 15:47:31 UTC
(In reply to Matthew Miller from comment #3)
> (Also, what's the right thing for ipv6?)

I believe for ipv6 you want net.ipv6.conf.all.forwarding = 1

Comment 5 Lokesh Mandvekar 2013-10-05 02:04:13 UTC
So this is what docker.service looks like currently:


[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
Restart=on-failure

[Install]
WantedBy=multi-user.target

Comment 6 Lokesh Mandvekar 2013-10-05 02:09:39 UTC
As far as restore goes, is undoing possible? Or maybe ExecStartPre could also dump pre-existing values to some file and restore it on ExecStopPost?

Comment 7 Matthew Miller 2013-10-05 03:38:44 UTC
(In reply to Lokesh Mandvekar from comment #6)
> As far as restore goes, is undoing possible? Or maybe ExecStartPre could
> also dump pre-existing values to some file and restore it on ExecStopPost?

Yeah. But that's kind of ugly. Plus, in testing, I notice that libvirt doesn't do that. And I assume that it hasn't done that for years, and I've never heard anyone complain. So let's just go with the simple approach.
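
The save, enable and restore sequence from comments 3 and 6, combined with the warning suggested in comment 2, as an added example that is not part of the bug thread or the Fedora package. The script itself, the `SYSCTL_ROOT` override and the state file path are assumptions of this example.

```shell
#!/bin/sh
# Added example: save, enable and restore the forwarding sysctls.
# Assumptions of this example: SYSCTL_ROOT and STATE_FILE (overridable so the
# logic can be exercised against a scratch directory instead of /proc/sys).
# Keep STATE_FILE in a root-only directory; its contents are written back as root.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
STATE_FILE="${STATE_FILE:-/run/docker-forwarding.state}"
FORWARD_KEYS="net/ipv4/ip_forward net/ipv6/conf/all/forwarding"

# Steps 1 and 2: record each current value, then set the key to 1.
# A warning is logged whenever the host's setting is actually changed.
forwarding_enable() {
    : > "$STATE_FILE" || return 1
    for key in $FORWARD_KEYS; do
        path="$SYSCTL_ROOT/$key"
        [ -r "$path" ] || continue      # key absent, e.g. IPv6 disabled
        old=$(cat "$path")
        printf '%s %s\n' "$key" "$old" >> "$STATE_FILE"
        if [ "$old" != "1" ]; then
            echo "warning: $key was $old, setting it to 1" >&2
            echo 1 > "$path" || return 1
        fi
    done
}

# Step 3: put back only the keys this script changed. Another service
# (libvirt, for instance) may depend on forwarding by now, so restoring
# can cut its traffic.
forwarding_restore() {
    [ -r "$STATE_FILE" ] || return 0
    while read -r key old; do
        path="$SYSCTL_ROOT/$key"
        if [ "$old" != "1" ] && [ -w "$path" ]; then
            echo "$old" > "$path"
        fi
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# Hypothetical wiring: ExecStartPre=<script> enable, ExecStopPost=<script> restore
case "${1:-}" in
    enable)  forwarding_enable ;;
    restore) forwarding_restore ;;
esac
```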