Bug 1011680 - Docker and IP forwarding
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: docker-io
Version: 20
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-24 16:07 EDT by Lokesh Mandvekar
Modified: 2014-07-01 18:59 EDT
Last Closed: 2013-10-28 23:51:47 EDT
Type: Bug

Description Lokesh Mandvekar 2013-09-24 16:07:37 EDT
Description of problem:

Marek Goldmann pointed out that IP forwarding is disabled by default.

What would be the preferred default IP forwarding behavior with regard to docker?

And is it better to have it in a conf file, or perhaps in the systemd service file?


Version-Release number of selected component (if applicable): 0.6.2-14.devicemapper
Comment 1 Nick Stinemates 2013-09-24 16:30:07 EDT
Just to add that IP forwarding is essential for any sort of network communication, either to the broader internet or intranet.
Comment 2 Marek Goldmann 2013-09-25 03:03:14 EDT
The first time I launched a container, I had no network connectivity outside of docker's network. Of course I expected it to work out of the box.

If we cannot make it system-wide by default when installing/running docker on Fedora, it would be good to check the value of net.ipv4.ip_forward and print a warning in docker's log files. This may be a good candidate to add upstream in either case.
Comment 3 Matthew Miller 2013-09-25 08:37:10 EDT
We could consider making the start script or docker itself:

1. check and save the value for net.ipv4.ip_forward
2. set to 1 if it isn't
3. restore on exit

(Also, what's the right thing for ipv6?)
Comment 4 Stephen Gordon 2013-10-03 11:47:31 EDT
(In reply to Matthew Miller from comment #3)
> (Also, what's the right thing for ipv6?)

I believe for ipv6 you want net.ipv6.conf.all.forwarding = 1
Comment 5 Lokesh Mandvekar 2013-10-04 22:04:13 EDT
So this is what docker.service looks like currently:


[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
Restart=on-failure

[Install]
WantedBy=multi-user.target
Comment 6 Lokesh Mandvekar 2013-10-04 22:09:39 EDT
As far as restore goes, is undoing possible? Or maybe ExecStartPre could also dump pre-existing values to some file and restore it on ExecStopPost?
Comment 7 Matthew Miller 2013-10-04 23:38:44 EDT
(In reply to Lokesh Mandvekar from comment #6)
> As far as restore goes, is undoing possible? Or maybe ExecStartPre could
> also dump pre-existing values to some file and restore it on ExecStopPost?

Yeah. But that's kind of ugly. Plus, in testing, I notice that libvirt doesn't do that. And I assume that it hasn't done that for years, and I've never heard anyone complain. So let's just go with the simple approach.
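
The save-and-restore idea from comments 3 and 6, as an added example that is not part of the original bug thread or the docker-io package: a script meant to be called with `save` from ExecStartPre and `restore` from ExecStopPost. SYSCTL_ROOT, STATE_FILE and both function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: save, enable and later restore the forwarding sysctls.
# SYSCTL_ROOT and STATE_FILE are hypothetical settings of this sketch; they
# let the functions run against a scratch directory instead of /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
STATE_FILE="${STATE_FILE:-/run/docker-forwarding.state}"
KEYS="net/ipv4/ip_forward net/ipv6/conf/all/forwarding"

# ExecStartPre side: record the current values, then set each key to 1.
fwd_save_and_enable() {
    # Keep an existing snapshot (left behind if a restore never ran) so the
    # administrator's original values are not overwritten with 1.
    if [ ! -s "$STATE_FILE" ]; then
        : > "$STATE_FILE.tmp"
        for key in $KEYS; do
            [ -f "$SYSCTL_ROOT/$key" ] || continue   # e.g. IPv6 disabled
            printf '%s %s\n' "$key" "$(cat "$SYSCTL_ROOT/$key")" >> "$STATE_FILE.tmp"
        done
        mv "$STATE_FILE.tmp" "$STATE_FILE"
    fi
    for key in $KEYS; do
        [ -f "$SYSCTL_ROOT/$key" ] || continue
        echo 1 > "$SYSCTL_ROOT/$key"
    done
}

# ExecStopPost side: write the recorded values back and drop the snapshot.
fwd_restore() {
    [ -s "$STATE_FILE" ] || return 0
    while read -r key value; do
        # Only managed keys and numeric values are written back, so an edited
        # state file cannot redirect the write to another path.
        case " $KEYS " in *" $key "*) ;; *) continue ;; esac
        case "$value" in ''|*[!0-9]*) continue ;; esac
        [ -f "$SYSCTL_ROOT/$key" ] || continue
        echo "$value" > "$SYSCTL_ROOT/$key"
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

case "${1:-}" in
    save)    fwd_save_and_enable ;;
    restore) fwd_restore ;;
esac
```

Restoring a saved 0 also switches forwarding off for any other service on the host that relies on it.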
