On Tue, Feb 18, 2014 at 12:29:02PM -0700, Jeroen van Bemmel wrote:
> I'm assuming each container has its own /sys instance? So enabling IP
> forwarding being global is a limitation of the current implementation,
> and not fundamentally impossible? Would you agree that ultimately
> enabling/disabling IP forwarding should be possible on a per-container
> basis?
>
That would not work: it is the host that is forwarding packets; the container
isn't the one that would have to forward them. So setting the container's /sys
setting won't have any effect.
If anyone cares, my opinion would be that Docker should not even enable forwarding itself.
The reason is that other things on the host might depend on forwarding being enabled.
If Docker is reconfigured to not use forwarding (or maybe restarted, or something else along
those lines), automatically disabling forwarding might break other things.
So in that case the admin of the box should explicitly enable forwarding.
Didn't an older version of Docker just print a warning that forwarding wasn't enabled?
That could be the right behaviour.
> I tried disabling the standard bridge (and iptables), but in my setup
> this breaks the building of images because Docker spins up some
> containers implicitly and I haven't figured out yet how to integrate
> my custom OVS-based networking in that case
>
> On Tue, Feb 18, 2014 at 9:06 AM, Josh Poimboeuf <jpoi...@redhat.com> wrote:
> > On Mon, Feb 17, 2014 at 10:32:29PM -0800, Jeroen van Bemmel wrote:
> >> Would it make sense to also set ip forwarding to false when people disable
> >> networking on a container? (using --networking=false)
> >>
> >> From what I understand, it's enabled by default to make Docker networking
> >> work. However, if users put their own networking in place, it's better to
> >> set IP forwarding back to its system default (== false) for security
> >> reasons.
> >>
> >> I ran into this when connecting Docker to OpenVSwitch, my container was
> >> forwarding packets and sending ICMP redirects without being told to do so
> >
> > In general I like the idea of not enabling IP forwarding when networking
> > isn't used. But it couldn't be done on a per-container basis because
> > enabling IP forwarding is a global thing that's done on daemon startup.
> > Maybe it would make sense to not enable forwarding in the case of "-b
> > none" (which tells the docker daemon not to create or use a bridge).
> >
> > --
> > Josh
>
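As an added example (not Docker's code, and not posted by anyone in this thread), here is a POSIX sh check that implements the behaviour discussed above: with "-b none" the daemon leaves net.ipv4.ip_forward alone, and otherwise it reads the host's sysctl and warns the admin instead of enabling forwarding itself. Forwarding is a property of the network namespace that routes the packets, i.e. the host's, which is why the check reads the host's /proc/sys/net/ipv4/ip_forward and not a container's. The function names, the exit code 2 for the "warn, don't enable" case, and the ability to pass an alternative file for testing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Docker's code: warn about host IP forwarding rather than
# silently flipping the sysctl at daemon start.

# ip_forward_enabled [FILE]
# Returns 0 if the sysctl file holds "1", 1 otherwise. FILE defaults to the
# live host sysctl; the test passes a constructed file instead.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || return 1
    read -r v < "$f"
    [ "$v" = "1" ]
}

# forwarding_check BRIDGE [FILE]
# Policy from the thread: "-b none" means Docker does not need forwarding, so
# nothing is checked or changed (return 0). With a bridge, forwarding must
# already be on; if it is not, warn the admin and return 2 instead of enabling
# it, since other things on the host may depend on the current setting.
forwarding_check() {
    bridge=$1
    f=${2:-/proc/sys/net/ipv4/ip_forward}
    if [ "$bridge" = "none" ]; then
        echo "bridge disabled: leaving net.ipv4.ip_forward untouched"
        return 0
    fi
    if ip_forward_enabled "$f"; then
        echo "net.ipv4.ip_forward=1 on the host; $bridge traffic will be routed"
        return 0
    fi
    echo "WARNING: net.ipv4.ip_forward=0 on the host; containers on $bridge will not be routed." >&2
    echo "Enable it explicitly in the host namespace: sysctl -w net.ipv4.ip_forward=1" >&2
    return 2
}

# Stand-alone usage: check the real host sysctl for the default bridge.
# "|| :" keeps the script's exit status 0 even when the warning fires.
forwarding_check docker0 || :
```

Running this inside a container would read the container's own copy of the sysctl and say nothing about the host, which is exactly the point made in the reply above: the value that matters is the one in the namespace doing the forwarding.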