New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Networking - userland-proxy
could better clarify impact
#17312
Comments
/cc @akerouanton @dvdksn |
Presently
|
There hasn't been any activity on this issue for a long time. Prevent issues from auto-closing with a /lifecycle stale |
Still relevant. Sorry my system died while I was working on this in June/July. Unfortunately, I also have no remaining bandwidth in my volunteer time to continue revising this further. I understand the above information is a verbose mess, but I hope in that current form it is still helpful. Many of the issues in the tracking issue for disabling the feature were investigated and many have been resolved. The last item I recall working on while revising this was a table that better communicated some of the information above. I had shared an iteration of that earlier, and while the link provides some other information, I'll include that table here too (hope it helps @dvdksn , I recall having
|
userland-proxy |
Remote (H) | Host (L) 2 | Host (H) | Host (C) | Container (H) | Container (C) | Self (H) | Self (C) |
---|---|---|---|---|---|---|---|---|
true |
✔️ 1a | ❌ | ✔️ 1a | ❌ | ❌ 4 | ✔️ | ❌ | ✔️ |
false |
✔️ 1b | ❌ | ❌ 1b, 3 | ❌ | ✔️ 5 | ✔️ | ❌ | ✔️ |
- If the Host IP is IPv6 and
ip6tables: false
(default):
a. Source Address becomes the Gateway IP
b. Connection fails (hangs if the container was assigned an IPv6 address) localhost
/127.0.0.1
as the Source Address would be ambiguous between host and container (the Docker Gateway IP helps disambiguate that?)- Gateway IP (Resolvable)
- Gateway IP (Resolvable)
- Connection hangs trying to connect across separate docker networks (Resolvable)
Legend
curl
request (with source IP originating from the Remote, Host, a separate Container, or the same container Self) to the target container (eg: traefik/whoami
) via destination IP:
- L =>
localhost
(127.0.0.1
/[::1]
, indirect) - H => Host IP (indirect)
- C => Container IP (direct)
RemoteAddr
(Connection source address) is:
- ✔️ => Preserved.
- ❌ => Replaced with the Docker Gateway IP associated to the target container.
- If the docker gateway lacks an IPv6 address, then IPv6 connections receive an IPv4 gateway address instead.
@polarathene thanks a lot for taking the time to write down this information. It's very useful. I haven't got the capacity to start working on this just yet, but I'll get back to this as soon as I can. |
Problem description
The daemon setting
userland-proxy
no longer appears to be documented? Disabling it still applies configuration, behavioural difference is not clearly explained.Prior documentation since removed
The option was originally introduced in May 2015 with docs at
docs/sources/articles/networking.md
docs/userguide/networking/default_network/binding.md
via direct commit in Nov 2015.There is not much history on those changes to derive information on if this was intentional. Considering the size and intent of the two changes, it was likely accidental and difficult for any review to catch without investing significant time to be thorough.
All that seems to exist now is this: https://docs.docker.com/engine/reference/commandline/dockerd/
That does not communicate much to the user, or the actual differences in network behaviour when the setting is enabled / disabled.
Problem location
I couldn't find the information I wanted. I expected to find it near the following URL https://docs.docker.com/network/ or https://docs.docker.com/config/daemon/
Either section may be relevant. The previous docs location was regarding information on network port binding, and provided the information as a note admonition. Perhaps config (container networking) and network (iptables) are good candidates.
Project version(s) affected
Docs since Feb 2018.
Suggestions for a fix
I think it is planned to eventually drop the
userland-proxy
feature once it has been disabled by default and reaches a level of compatibility that makes enabling redundant.Most users may not need this information documented, thus this issue alone may be a sufficient resource. Below is relevant information for users to be aware of regarding the feature toggles.
Previous docs content
Click to expand
userland-proxy
setting.Resolved
EDIT: This feedback was actually addressed, my bad 😅
An earlier PR attempt for the
--userland-proxy
feature has a relevant comment about the documentedloopback
reference:This is relevant information AFAIK. Along with the
route_localnet
kernel change. You can query127.0.0.1
, but not the IPv6 equivalent[::1]
(which has no equivalentroute_localnet
). As the default binding0.0.0.0
also includes IPv6 interfaces, this behaviour fromuserland-proxy: false
is not obvious to track down. Works fine withuserland-proxy: true
.The text was updated successfully, but these errors were encountered: