Bug 1011680 - Docker and IP forwarding
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 20
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-24 20:07 UTC by Lokesh Mandvekar
Modified: 2014-07-01 22:59 UTC (History)
Last Closed: 2013-10-29 03:51:47 UTC


Description Lokesh Mandvekar 2013-09-24 20:07:37 UTC
Description of problem:

Marek Goldmann pointed out that IP forwarding is disabled by default.

What would be the preferred default IP forwarding behavior with regard to docker?

And is it better to have it in a conf file, or perhaps in the systemd service file?


Version-Release number of selected component (if applicable): 0.6.2-14.devicemapper

Comment 1 Nick Stinemates 2013-09-24 20:30:07 UTC
Just to add that IP forwarding is essential for any sort of network communication, either to the broader internet or intranet.

Comment 2 Marek Goldmann 2013-09-25 07:03:14 UTC
The first time I launched a container, I had no network connectivity outside of docker's network. Of course I expected it to work out of the box.

If we cannot make it system-wide by default when installing/running docker on Fedora, it would be good to check the value of net.ipv4.ip_forward and print a warning in docker's log files. This may be a good candidate to add upstream in either case.

Comment 3 Matthew Miller 2013-09-25 12:37:10 UTC
We could consider making the start script or docker itself:

1. check and save the value for net.ipv4.ip_forward
2. set to 1 if it isn't
3. restore on exit

(Also, what's the right thing for ipv6?)

Comment 4 Stephen Gordon 2013-10-03 15:47:31 UTC
(In reply to Matthew Miller from comment #3)
> (Also, what's the right thing for ipv6?)

I believe for ipv6 you want net.ipv6.conf.all.forwarding = 1

Comment 5 Lokesh Mandvekar 2013-10-05 02:04:13 UTC
So this is what docker.service looks like currently:


[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
Restart=on-failure

[Install]
WantedBy=multi-user.target

Comment 6 Lokesh Mandvekar 2013-10-05 02:09:39 UTC
As far as restore goes, is undoing possible? Or maybe ExecStartPre could also dump pre-existing values to some file and restore it on ExecStopPost?

Comment 7 Matthew Miller 2013-10-05 03:38:44 UTC
(In reply to Lokesh Mandvekar from comment #6)
> As far as restore goes, is undoing possible? Or maybe ExecStartPre could
> also dump pre-existing values to some file and restore it on ExecStopPost?

Yeah. But that's kind of ugly. Plus, in testing, I notice that libvirt doesn't do that. And I assume that it hasn't done that for years, and I've never heard anyone complain. So let's just go with the simple approach.
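
The save, set and restore sequence discussed in comments 3 and 6, as an added example that is not part of the original thread or of the Fedora package. The function names, `SYSCTL_ROOT` and the `STATE_FILE` path are assumptions of this sketch; it writes the same two sysctls as the unit file above through their `/proc/sys` paths.

```sh
#!/bin/sh
# Added example: save, enable and restore the forwarding sysctls.
# SYSCTL_ROOT and STATE_FILE are assumptions, overridable for dry runs.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
STATE_FILE="${STATE_FILE:-/run/docker-forwarding.state}"   # /run is cleared at boot
FWD_KEYS="net/ipv4/ip_forward net/ipv6/conf/all/forwarding"

# Steps 1 and 2: record the current values, then set them to 1.
# An existing state file is kept, so a Restart=on-failure cycle cannot
# replace the true original values with the 1 written earlier.
fwd_enable() {
    if [ ! -e "$STATE_FILE" ]; then
        ( umask 077
          for key in $FWD_KEYS; do
              [ -r "$SYSCTL_ROOT/$key" ] || continue   # e.g. IPv6 disabled
              printf '%s %s\n' "$key" "$(cat "$SYSCTL_ROOT/$key")"
          done > "$STATE_FILE.tmp" ) || return 1
        mv "$STATE_FILE.tmp" "$STATE_FILE" || return 1
    fi
    for key in $FWD_KEYS; do
        [ -w "$SYSCTL_ROOT/$key" ] || continue
        echo 1 > "$SYSCTL_ROOT/$key" || return 1
    done
}

# Step 3: write the saved values back. Each line is checked against the
# key list and must be numeric, so an edited state file cannot point the
# write at another path or inject another value.
fwd_restore() {
    [ -r "$STATE_FILE" ] || return 0
    while read -r key val; do
        case " $FWD_KEYS " in *" $key "*) ;; *) continue ;; esac
        case "$val" in ''|*[!0-9]*) continue ;; esac
        echo "$val" > "$SYSCTL_ROOT/$key" || return 1
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# Print the forwarding keys that are currently enabled, one per line.
fwd_status() {
    for key in $FWD_KEYS; do
        [ -r "$SYSCTL_ROOT/$key" ] && [ "$(cat "$SYSCTL_ROOT/$key")" = 1 ] && echo "$key"
    done
    return 0
}

case "${1:-}" in
    enable) fwd_enable ;; restore) fwd_restore ;; status) fwd_status ;;
esac
```

Restoring a saved 0 also turns forwarding off for any other service that came to rely on it after docker started, which is one practical cost of the restore step.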

