IP Forwarding


Tianon

Dec 27, 2013, 1:58:35 PM
to docke...@googlegroups.com
We've had quite a bit of discussion around the subject of IP Forwarding.  It's still one of our largest usability issues, and deserves some kind of peaceful resolution.

For reference, the existing discussion has occurred between https://github.com/dotcloud/docker/issues/2396 and https://github.com/dotcloud/docker/pull/2696.

What I would propose (given the background of the comments on those two threads), is that we add a new daemon flag to Docker that enables ip_forward automatically, and default it to true.  That way, people who want to control their own destiny and own all the pieces can do so easily, and people who want Docker to "just work" can also do so without much fanfare.  This would also open the possibility of adding a debconf-style configuration option to preseed a default, since it would be as easy as putting something like DOCKER_OPTS="-ipforward=false" in /etc/default/docker as part of the installation (which should be pretty easy).

Josh Poimboeuf

Jan 2, 2014, 10:36:52 AM
to Tianon, docke...@googlegroups.com
On Fri, Dec 27, 2013 at 10:58:35AM -0800, Tianon wrote:
> What I would propose (given the background of the comments on those two
> threads), is that we add a new daemon flag to Docker that enables
> ip_forward automatically, and default it to true.

+1. This makes Docker "just work" but allows power users to leave IP
forwarding disabled if they need to.

--
Josh

gwfran

Jan 2, 2014, 4:02:41 PM
to docke...@googlegroups.com
I'll second Josh's sentiments!

Jérôme Petazzoni

Jan 3, 2014, 2:40:04 PM
to gwfran, docker-dev
+1.
It's less magic than tweaking per-interface forwarding flags, but at least it's clear and easy to understand, and has virtually zero side-effect.

Jeroen van Bemmel

Feb 18, 2014, 1:32:29 AM
to docke...@googlegroups.com
Would it make sense to also set IP forwarding to false when people disable networking on a container? (using --networking=false)

From what I understand, it's enabled by default to make Docker networking work. However, if users put their own networking in place, it's better to set IP forwarding back to its system default (== false) for security reasons.

I ran into this when connecting Docker to OpenVSwitch: my container was forwarding packets and sending ICMP redirects without being told to do so.

Josh Poimboeuf

Feb 18, 2014, 11:06:24 AM
to Jeroen van Bemmel, docke...@googlegroups.com
In general I like the idea of not enabling IP forwarding when networking
isn't used. But it couldn't be done on a per-container basis because
enabling IP forwarding is a global thing that's done on daemon startup.
Maybe it would make sense to not enable forwarding in the case of "-b
none" (which tells the docker daemon not to create or use a bridge).

--
Josh

Jeroen van Bemmel

Feb 18, 2014, 2:29:02 PM
to Josh Poimboeuf, docke...@googlegroups.com
I'm assuming each container has its own /sys instance? So enabling IP
forwarding being global is a limitation of the current implementation,
and not fundamentally impossible? Would you agree that ultimately
enabling/disabling IP forwarding should be possible on a per-container
basis?

I tried disabling the standard bridge (and iptables), but in my setup
this breaks the building of images because Docker spins up some
containers implicitly, and I haven't figured out yet how to integrate
my custom OVS-based networking in that case.

Leen Besselink

Feb 18, 2014, 3:05:42 PM
to docke...@googlegroups.com
On Tue, Feb 18, 2014 at 12:29:02PM -0700, Jeroen van Bemmel wrote:
> I'm assuming each container has its own /sys instance? So enabling IP
> forwarding being global is a limitation of the current implementation,
> and not fundamentally impossible? Would you agree that ultimately
> enabling/disabling IP forwarding should be possible on a per-container
> basis?
>

That would not work: it is the host that is forwarding packets; the container
isn't the one which would have to forward packets. So setting the container's /sys
setting won't have any effect.

If anyone cares, my opinion would be that Docker not even enable forwarding itself.

The reason is, that other things on the host might depend on forwarding being enabled.

If Docker is reconfigured to not use forwarding (or maybe restart or something else along
those lines) automatically disabling forwarding might break other things.

So in that case the admin of the box should explicitly enable forwarding.

Didn't an older version of Docker just print a warning that forwarding wasn't enabled?

That could be the right behaviour.

> I tried disabling the standard bridge (and iptables), but in my setup
> this breaks the building of images because Docker spins up some
> containers implicitly and I haven't figured out yet how to integrate
> my custom OVS-based networking in that case
>
> On Tue, Feb 18, 2014 at 9:06 AM, Josh Poimboeuf <jpoi...@redhat.com> wrote:
> > On Mon, Feb 17, 2014 at 10:32:29PM -0800, Jeroen van Bemmel wrote:
> >> Would it make sense to also set ip forwarding to false when people disable
> >> networking on a container? ( using --networking=false )
> >>
> >> From what I understand, it's enabled by default to make Docker networking
> >> work. However, if users put their own networking in place, it's better to
> >> set IP forwarding back to its system default ( == false ) for security
> >> reasons.
> >>
> >> I ran into this when connecting Docker to OpenVSwitch, my container was
> >> forwarding packets and sending ICMP redirects without being told to do so
> >
> > In general I like the idea of not enabling IP forwarding when networking
> > isn't used. But it couldn't be done on a per-container basis because
> > enabling IP forwarding is a global thing that's done on daemon startup.
> > Maybe it would make sense to not enable forwarding in the case of "-b
> > none" (which tells the docker daemon not to create or use a bridge).
> >
> > --
> > Josh

Tianon Gravi

Feb 18, 2014, 3:34:21 PM
to le...@consolejunkie.net, docker-dev
The daemon still has a flag to disable this automatic-enablement (it won't ever auto-disable): --ip-forward=false

This was the compromise to make everybody happy.

Cheers,
- Tianon
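An added audit helper illustrating the compromise described in this thread (it is not Docker's own code): it compares the host's ip_forward sysctl with the daemon options and flags the cases discussed above, such as forwarding left on after Docker was told not to enable it (the daemon never auto-disables it) or a "-b none" setup where the admin should own forwarding explicitly. The flag spellings -ipforward=false, --ip-forward=false and -b none come from the thread; --bridge=none is Docker's long form of -b, and the status words and /etc/default/docker handling are assumptions of this example.

```shell
#!/bin/sh
# Audit helper (constructed example): classify the host's ip_forward state
# against the Docker daemon options, so a custom-networking setup notices
# when forwarding is on without Docker being the one that needs it.

# docker_opts_disable_ipforward OPTS -> 0 if OPTS tell Docker not to enable forwarding
docker_opts_disable_ipforward() {
    case " $1 " in
        *" -ipforward=false "*|*" --ip-forward=false "*) return 0 ;;
    esac
    return 1
}

# docker_opts_no_bridge OPTS -> 0 if OPTS tell the daemon not to create/use a bridge
docker_opts_no_bridge() {
    case " $1 " in
        *" -b none "*|*" --bridge=none "*) return 0 ;;
    esac
    return 1
}

# assess_forwarding IP_FORWARD_VALUE OPTS -> prints one status word (assumed names):
#   ok-docker-managed            forwarding on, Docker bridge networking relies on it
#   review-external-forwarding   forwarding on although Docker was told to leave it
#                                alone: another service needs it, or it is a leftover
#                                (the daemon never auto-disables), so review it
#   ok-disabled                  forwarding off and Docker will not turn it on
#   docker-will-enable-at-start  forwarding off now, but the daemon enables it on startup
assess_forwarding() {
    fwd=$1; opts=$2
    if docker_opts_no_bridge "$opts" || docker_opts_disable_ipforward "$opts"; then
        docker_owns_fwd=0
    else
        docker_owns_fwd=1
    fi
    if [ "$fwd" = "1" ]; then
        [ "$docker_owns_fwd" = "1" ] && echo "ok-docker-managed" || echo "review-external-forwarding"
    else
        [ "$docker_owns_fwd" = "1" ] && echo "docker-will-enable-at-start" || echo "ok-disabled"
    fi
}

# audit_host reads the live sysctl and DOCKER_OPTS (Debian-style /etc/default/docker).
audit_host() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)
    opts=""
    [ -r /etc/default/docker ] && opts=$(. /etc/default/docker; printf '%s' "$DOCKER_OPTS")
    assess_forwarding "$fwd" "$opts"
}
```

Run `audit_host` on a host; a "review-external-forwarding" result on a `-b none` box is the situation Jeroen describes, where forwarding should be returned to the system default unless something else on the host needs it.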
