1011680 – Docker and IP forwarding

Bug 1011680 - Docker and IP forwarding

Summary: Docker and IP forwarding

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	docker-io
Sub Component:
Version:	20
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lokesh Mandvekar
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-24 20:07 UTC by Lokesh Mandvekar
Modified:	2014-07-01 22:59 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-10-29 03:51:47 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Lokesh Mandvekar 2013-09-24 20:07:37 UTC

Description of problem:

Marek Goldmann pointed out that IP forwarding is disabled by default.

What would be the preferred default IP forwarding behavior with regards to docker?

And is it better to have it in a conf file, or perhaps in the systemd service file?


Version-Release number of selected component (if applicable): 0.6.2-14.devicemapper

Comment 1 Nick Stinemates 2013-09-24 20:30:07 UTC

Just to add that.. IP forwarding is essential any sort of network communication, either to the broader internet or intranet.

Comment 2 Marek Goldmann 2013-09-25 07:03:14 UTC

For the first time when I launched a container I've had no network connectivity outside of the docker's network. Of course I expected it to work out of the box.

If we cannot make it system wide by default when installing/running docker on Fedora - it would be good to check the value of net.ipv4.ip_forward and print a warning in docker's log files. This may be a good candidate to add this upstream either case.

Comment 3 Matthew Miller 2013-09-25 12:37:10 UTC

We could consider making the start script or docker itself

1. check and save the value for net.ipv4.ip_forward
2. set to 1 if it isn't
3. restore on exit

(Also, what's the right thing for ipv6?)

Comment 4 Stephen Gordon 2013-10-03 15:47:31 UTC

(In reply to Matthew Miller from comment #3)
> (Also, what's the right thing for ipv6?)

I believe for ipv6 you want net.ipv6.conf.all.forwarding = 1

Comment 5 Lokesh Mandvekar 2013-10-05 02:04:13 UTC

So this is what docker.service looks like currently:


[Unit]
Description=Docker container management daemon

[Service]
Type=simple
ExecStartPre=/usr/sbin/sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
ExecStart=/usr/bin/docker -d
Restart=on-failure

[Install]
WantedBy=multi-user.target

Comment 6 Lokesh Mandvekar 2013-10-05 02:09:39 UTC

As far as restore goes, is undoing possible? Or maybe ExecStartPre could also dump pre-existing values to some file and restore it on ExecStopPost?

Comment 7 Matthew Miller 2013-10-05 03:38:44 UTC

(In reply to Lokesh Mandvekar from comment #6)
> As far as restore goes, is undoing possible? Or maybe ExecStartPre could
> also dump pre-existing values to some file and restore it on ExecStopPost?

Yeah. But that's kind of ugly. Plus, in testing, I notice that libvirt doesn't do that. And I assume that it hasn't done that for years, and I've never heard anyone complain. So let's just go with the simple approach.

Note You need to log in before you can comment on or make changes to this bug.