Red Hat Bugzilla – Bug 1011680
Docker and IP forwarding
Last modified: 2014-07-01 18:59:26 EDT
Description of problem:
Marek Goldmann pointed out that IP forwarding is disabled by default.
What would be the preferred default IP forwarding behavior with regard to docker?
And is it better to have it in a conf file, or perhaps in the systemd service file?
Version-Release number of selected component (if applicable): 0.6.2-14.devicemapper
Just to add that... IP forwarding is essential for any sort of network communication, either to the broader internet or intranet.
The first time I launched a container I had no network connectivity outside of docker's network. Of course I expected it to work out of the box.
If we cannot make it system wide by default when installing/running docker on Fedora - it would be good to check the value of net.ipv4.ip_forward and print a warning in docker's log files. This may be a good candidate to add upstream in either case.
We could consider making the start script or docker itself:
1. check and save the value for net.ipv4.ip_forward
2. set to 1 if it isn't
3. restore on exit
(Also, what's the right thing for ipv6?)
(In reply to Matthew Miller from comment #3)
> (Also, what's the right thing for ipv6?)
I believe for ipv6 you want net.ipv6.conf.all.forwarding = 1
So this is what docker.service looks like currently:
Description=Docker container management daemon
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
As far as restore goes, is undoing possible? Or maybe ExecStartPre could also dump pre-existing values to some file and restore it on ExecStopPost?
(In reply to Lokesh Mandvekar from comment #6)
> As far as restore goes, is undoing possible? Or maybe ExecStartPre could
> also dump pre-existing values to some file and restore it on ExecStopPost?
Yeah. But that's kind of ugly. Plus, in testing, I notice that libvirt doesn't do that. And I assume that it hasn't done that for years, and I've never heard anyone complain. So let's just go with the simple approach.
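
The save-and-restore variant raised in this thread (check and save, set to 1, restore on exit), as an added example that is not from any commenter or from the docker package. `SYSCTL_ROOT`, `STATE`, the state-file path and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the packaged docker.service: save, enable, restore.
# SYSCTL_ROOT, STATE and the function names are assumptions of this sketch.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
STATE="${STATE:-/run/docker-ip-forward.state}"   # root-only dir, not /tmp
FWD_KEYS="net/ipv4/ip_forward net/ipv6/conf/all/forwarding"

# Steps 1 and 2: record each current value, then set the key to 1.
fwd_save_and_enable() {
    state="$1"
    ( umask 077; : > "$state" ) || return 1
    for key in $FWD_KEYS; do
        [ -f "$SYSCTL_ROOT/$key" ] || continue    # e.g. IPv6 not loaded
        old=$(cat "$SYSCTL_ROOT/$key") || return 1
        printf '%s %s\n' "$key" "$old" >> "$state"
        [ "$old" = 1 ] || echo 1 > "$SYSCTL_ROOT/$key" || return 1
    done
    return 0
}

# Step 3: write the recorded values back. The file is parsed as data:
# only the keys listed above and purely numeric values are accepted.
fwd_restore() {
    state="$1"
    [ -f "$state" ] || return 0
    while read -r key old; do
        case " $FWD_KEYS " in *" $key "*) ;; *) continue ;; esac
        case "$old" in ''|*[!0-9]*) continue ;; esac
        echo "$old" > "$SYSCTL_ROOT/$key" || return 1
    done < "$state"
    rm -f "$state"
}

# Intended wiring (assumption): ExecStartPre=<script> start,
# ExecStopPost=<script> stop.
case "${1:-}" in
    start) fwd_save_and_enable "$STATE" ;;
    stop)  fwd_restore "$STATE" ;;
esac
```

Restoring 0 on stop also turns forwarding off for anything else on the host that came to rely on it in the meantime, which this sketch does not detect.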