Official/documented way to set MTU

[David Nolan]

Using flexible-custom, I need to communicate with multiple regional databases including outside of our GCP netblocks, so we have a DNS VM with the appropriate entries as well as Cloud VPN. What I've found in practice is that Docker does not inherit the host's MTU (intentional, see moby GitHub project for discussion), but neither does Docker do Path MTU Discovery on the bridge network correctly. This combines to mean that we have to manually set MTU lower on the container in order to not see packet fragmentation issues on the other end of our VPN link.

When I try and set MTU for a Debian container it seems rather difficult. App Engine doesn't seem to have a way to pass the Docker --mtu flag, and using ip link set dev eth0 mtu does work from SSH, but seems not to work if run as part of the container's CMD.

Has anyone had to set MTU in App Engine for any reason and, if so, how do you get it to happen on startup and actually stick?

[Jordan (Cloud Platform Support)]

You can find the appropriate reported Issue Tracker that covers this exact discussion. Our engineering team is working on a fix so that the MTU of Docker (currently 1500) and the MTU of the Compute Engine VM that is your GAE Flex instance (currently 1460) are in sync. 

[David Nolan]

Thanks Jordan, appreciated. I can see that solution will work for configs for packets without the IPsec header, but ours do, which further lowers the max MTU to 1432. It sounds like there is not necessarily going to be a customisable MTU, but the new value will instead be fixed at 1460?

I can add a comment to the Issue Tracker if it's appropriate, so that the engineering team takes the VPN case into account when implementing a fix.

[Jordan (Cloud Platform Support)]

Yes, it is indeed recommended to move all further communications directly to the issue tracker in order to update the engineering team.