Disable Userland proxy by default #14856
Comments
|
@thaJeztah SGTM. I will push a PR once we get a few more thumbs up from @docker/maintainers. ping @icecrime as well |
|
I personally think @thaJeztah's proposal makes sense. +1 on changing default to false but keeping the flag just in case we have reports of other weird issues. |
|
I think we should check if netlink for Hairpin isn't supported with |
|
👍
|
|
I'm all for it, I'm just a bit worried as I don't think so many people are giving |
|
@icecrime true, but holding off longer won't help there. We've got the flag to give users a way to restore the old behaviour, so even if it results in issues, we can offer users a solution without having to release an update. |
|
@thaJeztah I agree. Do you want to try this for 1.8.0? I'm assuming we'd need a libnetwork PR to give us |
|
I think it would be good to have this in 1.8. @mrjana is already in this discussion and offered to create a PR to accommodate the changes (#14856 (comment)) I'll add it to the milestone (unless @calavera has objections) |
|
sounds great! |
|
I have a question, does libnetwork or docker checks if a random allocated port is currently used by other processes with |
|
After I used --userland-proxy=false then I have this problem |
|
Thanks @winggundamth, we've actually reverted the change that sets this to default because we saw the same thing on our CI. I'll re-open this now. |
|
Thanks @cpuguy83. Hope this can fix soon. In our high load production environment with --userland-proxy=true docker-proxy eat 35% of host memory and continue going up. this really critical for us. Since I'm not a good coder so I'll be a good tester for this case. |
|
I want to highlight that #5618 is pretty critical and seems to affect event the most recent kernels. But I agree on the fact that the userland proxy should be disabled. The question is, what's the best workaround then? |
|
For reference; this was reverted for now in #16347, more details can be found on that PR as well |
|
@thaJeztah Is there any blocker to move this forward? |
|
Thanks for the pointer. Can we disable |
|
I am not aware of any reason why it would be needed for ipv4. Although it sounds like given ipv6 NAT seems to be only weeks away from a merge maybe it would be more consistent to wait until then and just disable it entirely once that is done. Not that it really matters either way though |
|
I added this one to the v21.x planning board (https://github.com/moby/moby/projects/11#card-46682701), to be considered for the next release after v20.10 |
|
As I've just dealt with an issue of Docker not preserving the source IP address for incoming UDP packets over a bridge network, I tried disabling the I then stumbled across moby/libnetwork#2423 and I think this is also an issue that would need fixing before userland-proxy can be safely disabled by default? Basically when any incoming UDP packets hit the machine running Docker before its iptables rules are ready, conntrack stores an incorrect state and until that state expires, none of the packets will ever hit the actual container. As in my case I was dealing with IPFIX which permanently sends UDP packets, this conntrack state never expires by itself. The only workaround I've found was to run Just wanted to mention this in case it is not already tracked. |
|
@ppmathis thanks! I edited the top description, and linked some tickets related to disabling the user land proxy, so that those can be looked into before switching the default. |
|
I also chatted with the Docker Desktop team, and Docker Desktop now sets up networking without relying on the userland-proxy being enabled, so from their side, switching the default won't be an issue; I think they still set up a proxy though, but through other means. |
This comment has been minimized.
This comment has been minimized.
|
Hi, Can I ask the current status of this issue? Is this something you are actively working on? |
|
For Docker Desktop for Mac and Windows, we're looking at disabling the proxy in the default configuration; on Desktop we have more "control" / "insight" in the exact configuration / setup in which the daemon runs. For Linux, it's a bit more complicated, because there are many setups/scenarios where the daemon runs, which makes it more risky to change the default (as mentioned in this ticket, we tried changing the default, and got reports from users where changing the default caused issues). Note that if you want it disabled, you can already do this by setting the A good starting point to get the default changed would be if people could help testing the scenarios linked in the top description (and other issues linked to this ticket), to verify if they're still relevant and/or if changing the default would cause a regression for those. |
|
I tried to switch off the userland-proxy to have access to the external client IP addresses but my docker network is only reachable from internet with userland-proxy: true. The comments here sound like the reason for my problem is probably IPv6. |
|
@4ndreasH you need the userland proxy for ipv6 or set up the necessary firewall rules yourself. an alternative may be to use host networking (ie no network isolation at all), but that comes with its own tradeoffs. |
|
Potentially relevant issue: #44721 (comment) If disabling becomes the default, I imagine working around the issue when changing to UPDATE: Instead of needing to reboot with config updated to enable the proxy, you can fix it by deleting the There is a lingering postrouting masquerade rule that |
Signed-off-by: Simon L <szaimen@e.mail.de>
I went over most of the remaining checklist items and commented on each (except for multi-port and swarm overlay network). All but the last one below seem resolved now? Checklist itemsSummaryUPDATE: As it's been three weeks without the actual checklist being updated since I commented, here's an updated reference:
Additional checklist (presently not tracked):
Click to view reasoning for checklist status changeCan close
Can technically close as duplicate? Still an issueSummarized and verified in #38784 (comment)
Click to view reasoning for additional checklist status changeAdditional references in this discussionThis was a lengthy and old discussion to wade through, and a common pain point users run into. I summarized the issue: #15086 (comment) Majority of problems there were related to IPv6 and
I believe improved IPv6 docs will resolve this. While macOS / Windows Docker Desktop users and anyone using Like other additional checklist items detailed below, I think it should be closed as reasoned by the summary I linked. Let a fresh new issue(s) continue to track any remaining concerns, and gather additional context so those can be addressed (likely via documentation). Related to the quoted comment, two comments after it discuss
This was a big issue to go over, but I summarized it and my investigation: #5618 (comment) That problem was a motivator for reverting the previous attempt to disable
No longer valid: #17443 (comment)
It doesn't look like this issue needs to be open anymore: #11185 (comment) If it does, it'd be better served with a new issue, just like #5618 would due to the amount of time that has passed and how the history of discussion is filled with noise that doesn't help towards further investigating / resolving. It's also considered that
UDP was another common issue I have seen reported. I think that was resolved earlier this year with: #44742
Not sure if this is a concern. I think originally before the optional They could perhaps be documented with the other A comment queried about IPv6 with It may have been a lack of Actually it was probably an IPv6-only host with IPv4 only docker network which |
and others
The userland proxy was made optional in #12165 (ported to libnetwork in moby/libnetwork#171),
but still enabled by default because (if I remember correctly) disabling it caused issues on RHEL6 (cf #10676).
Now that we will stop supporting RHEL6 with the coming 1.8 release, I think we can change the default to "disabled". We can still keep the
--userland-proxyoption around so that users are able to enable it by setting--userland-proxy=true. We can remove the proxy altogether in a future release.Changing the default might help resolving #11185 (possibly others)
Some issues related to disabling the userland-proxy that we should look into;
userland-proxy: falsedoes not clean-up NAT rule when switching touserland-proxy: true#44721The text was updated successfully, but these errors were encountered: