-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ip-forwarding broken in 1.13.0 due to #28257 fix #30338
Comments
cc @sanimej |
@AlmirKadric If you were relying on the earlier behavior the work around I would suggest is to set the default FORWARD policy explicitly rather than relying on Docker doing it. |
@sanimej thank you for your speedy response. Whilst I do understand this being a conscious decision, the community needs replacements for existing behaviours, we can't just condemn them. EDIT: also just an FYI in case it becomes a solution, editing the daemon config is a pain, we need a way to make these changes via command line so that the process can be automated. |
@sanimej any news on this? |
Based on the discussion and issues this has raised in the community where it has broken functionality (see this pipeline issue) this is feeling like a botched feature release. The iptables manipulation is under-documented and should be called out as a separate sub-topic in the docker-engine network guide--it seems a bit hidden in the "how containers communicate" sub-sub-section. Additionally, this feature shouldn't be buried far down the release notes, because it can break so many setups. It really seems like it would have been preferable to make this opt-in functionality in this release, with well-advertised notices and discussion of appropriate workarounds on the different supported platforms. |
@AlmirKadric With Docker for Mac/Windows you can't directly SSH to the docker host. But you can run a privileged container, The reason for setting the default FORWARD policy to DROP is to disallow inadvertent access to local containers from other hosts in the network. Its not clear how this affects you in the case of Docker for Mac. Can you explain what exactly you are doing ? |
@adamaig Like I mentioned the earlier behavior was considered a security hole and that is the reason for changing the default behavior. Note that when you upgrade to 1.13 if the host already has If your setup needs the previous behavior you can configure the default FORWARD policy to ACCEPT. |
@sanimej my point is that if by default this is the iptables config in a distribution (e.g., ubuntu-16.04 and fedora-24)...
and the docker 1.13 release changes that behavior by default, then I think there is a problem with the approach. The problem is that someone maybe leveraging that lack of necessary configuration for non-docker work, and then rather than installing an iptables config that is externally accessible, users now have to research and discover the right load order and tools to revert this override. So, the documentation needs to cover how to undo what docker is doing to the system. Fundamentally changing the rule default, and not giving clear instruction on how to override the docker daemon's changes is frustrating and wastes user's time. The company needs to advertise a "contract" with the user for how they can configure and manage their systems without it suddenly breaking without deprecation warnings. |
@sanimej I forgot to get back on here and let you know that your suggestion worked |
Description
#28257 introduced a fix which switched the default iptables FORWARDING policy to DROP. However existing setups rely on this to route traffic into the guest containers from the host.
I was able to work around the issue by disabling iptables in the daemon configuration. But this is probably unacceptable for most.
The only suggestions I can think of would be to either allow the configuration of default iptables FORWARDING policies via the dameon config or similar AND/OR allow the configuring of these policies per configured network (i.e. netwoks section in docker-compose files (I understand docker-compose is a separate project, but its what I'm using so dropped example for context)).
Steps to reproduce the issue:
Describe the results you received:
Unable to reach address
Describe the results you expected:
Successful ping
Additional information you deem important (e.g. issue happens only occasionally):
Output of
docker version
:Output of
docker info
:Additional environment details (AWS, VirtualBox, physical, etc.):
Windows 10, Docker for Windows
The text was updated successfully, but these errors were encountered: