Enable ipv4 forwarding for docker managed bridge #1722
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bencord0
force-pushed
the
bridge_forwarding
branch
from
4cd67c6 to
d82374a
Compare
Signed-off-by: Ben Cordero <[email protected]>
bencord0
force-pushed
the
bridge_forwarding
branch
from
d82374a to
d4e314b
Compare
|
You can also replicate the test without needing a second host using the |
|
flannel-io/flannel#872 May be of interest as an alternative workaround. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When enabling packet forwarding for a bridge managed by docker, set the
sysctlfor the bridge.The previous behaviour would set the forwarding flag for the global default. This patch unifies the behaviour between ipv4 and ipv6, since the ipv4 code path to set the forwarding behaviour explicitly for the bridge being managed.
Context: I can't find any design documents or tests around this area for what the expected behaviour is supposed to be. However, for me I see the following behaviour.
Using docker 17.04.0 with flannel 0.6.2 in host-gw mode (
{"Network": "10.0.0.0/16", "Backend": {"Type": "host-gw"}})Docker is started (via systemd) using the following resulting command line.
/usr/bin/dockerd -H fd:// --bip=10.0.80.1/24 --ip-masq=true --mtu=1500Start a container and grab it's IPAddress
docker inspect $(docker run -d nginx)|grep IPAddressFrom another host (that is part of the flannel network, and has it's routes setup correctly)
ping $IPADDRESSorcurl $IPADDRESS.Expected results:
I can successfully ping/curl the container from another host.
Actual results:
The IP packets are for forwarded from the host interface,
enp1s0, through to thedocker0interface. Usingtcpdump, I can follow the packets entering the host's network interface (enp1s0->docker0), but response packets are not forwarded back (docker0->enp1s0).This can be verified with
cat /proc/sys/net/ipv4/conf/docker0/forwarding-> 0With this patch packet forwarding can be enabled after taking into account https://github.com/docker/libnetwork/blob/4dd9c0603ab3c0cf34e165f9678511c18b4f4f17/drivers/bridge/bridge.go#L756
/usr/bin/dockerd -H fd:// --bip=10.0.80.1/24 --ip-masq=true --mtu=1500 --icc=falseNow, forwarding is enabled.
cat /proc/sys/net/ipv4/conf/docker0/forwarding-> 1and I can ping/curl the container from another host.