Windows container inherits host route table #12297

Closed
brnleehng opened this issue Oct 22, 2021 · 2 comments

brnleehng commented Oct 22, 2021

Actual behavior

When we added a persistent route to our host route table, we noticed that the container also inherits these routes.

Expected behavior

The Windows containers should be isolated from these persistent routes.

Information

  • Windows Version:
  • Docker Desktop Version: 4.0.1
  • WSL2 or Hyper-V backend? WSL2
  • Are you running inside a virtualized Windows e.g. on a cloud server or a VM: Azure VM

This is a reproducible issue.
We added extra network configuration by adding a persistent route from the container host of the default Docker NAT bridge to connect with the instance metadata service endpoint. When running the Windows container, the Windows container inherits the host route table.

Why do the Windows containers inherit the host route table for persistent routes? Are there any downsides of taking a dependency on this behavior?

Steps to reproduce the behavior

No Persistent Routes Added

PS D:\Users\test> route print
===========================================================================
Interface List
 13...00 0d 3a 15 9a 96 ......Microsoft Hyper-V Network Adapter #2
  1...........................Software Loopback Interface 1
  8...00 15 5d 09 0a 9a ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.0.1         10.1.0.5     10
         10.1.0.0    255.255.255.0         On-link          10.1.0.5    266
         10.1.0.5  255.255.255.255         On-link          10.1.0.5    266
       10.1.0.255  255.255.255.255         On-link          10.1.0.5    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    168.63.129.16  255.255.255.255         10.1.0.1         10.1.0.5     11
    169.254.169.0    255.255.255.0         On-link      172.19.112.1   5001
  169.254.169.254  255.255.255.255         10.1.0.1         10.1.0.5     11
  169.254.169.255  255.255.255.255         On-link      172.19.112.1   5256
     172.19.112.0    255.255.240.0         On-link      172.19.112.1   5256
     172.19.112.1  255.255.255.255         On-link      172.19.112.1   5256
   172.19.127.255  255.255.255.255         On-link      172.19.112.1   5256
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.1.0.5    266
        224.0.0.0        240.0.0.0         On-link      172.19.112.1   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.1.0.5    266
  255.255.255.255  255.255.255.255         On-link      172.19.112.1   5256
===========================================================================

Container Route Table with no persistent route

PS D:\Users\test> docker run -it --user ContainerUser mcr.microsoft.com/windows/servercore:ltsc2019
Microsoft Windows [Version 10.0.17763.2237]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>route print
===========================================================================
Interface List
 12...........................Software Loopback Interface 2
 17...00 15 5d 09 0c 39 ......Hyper-V Virtual Ethernet Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.19.112.1   172.19.125.142   5256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     172.19.112.0    255.255.240.0         On-link    172.19.125.142   5256
   172.19.125.142  255.255.255.255         On-link    172.19.125.142   5256
   172.19.127.255  255.255.255.255         On-link    172.19.125.142   5256
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    172.19.125.142   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    172.19.125.142   5256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     172.19.112.1  Default
===========================================================================

Persistent Routes:
  None

Added Persistent Route

PS D:\Users\test> route -p add 169.254.169.0 mask 255.255.255.0 172.19.112.1
 OK!
PS D:\Users\test> route print
===========================================================================
Interface List
 13...00 0d 3a 15 9a 96 ......Microsoft Hyper-V Network Adapter #2
  1...........................Software Loopback Interface 1
  8...00 15 5d 09 0a 9a ......Hyper-V Virtual Ethernet Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.0.1         10.1.0.5     10
         10.1.0.0    255.255.255.0         On-link          10.1.0.5    266
         10.1.0.5  255.255.255.255         On-link          10.1.0.5    266
       10.1.0.255  255.255.255.255         On-link          10.1.0.5    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    168.63.129.16  255.255.255.255         10.1.0.1         10.1.0.5     11
    169.254.169.0    255.255.255.0         On-link      172.19.112.1   5001
  169.254.169.254  255.255.255.255         10.1.0.1         10.1.0.5     11
  169.254.169.255  255.255.255.255         On-link      172.19.112.1   5256
     172.19.112.0    255.255.240.0         On-link      172.19.112.1   5256
     172.19.112.1  255.255.255.255         On-link      172.19.112.1   5256
   172.19.127.255  255.255.255.255         On-link      172.19.112.1   5256
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.1.0.5    266
        224.0.0.0        240.0.0.0         On-link      172.19.112.1   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.1.0.5    266
  255.255.255.255  255.255.255.255         On-link      172.19.112.1   5256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    169.254.169.0    255.255.255.0     172.19.112.1       1
===========================================================================

Container Route Table with persistent route

PS D:\Users\test> docker run -it --user ContainerUser mcr.microsoft.com/windows/servercore:ltsc2019
Microsoft Windows [Version 10.0.17763.2237]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\>route print
===========================================================================
Interface List
 12...........................Software Loopback Interface 2
 17...00 15 5d 09 09 98 ......Hyper-V Virtual Ethernet Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.19.112.1   172.19.119.124   5256
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    169.254.169.0    255.255.255.0     172.19.112.1   172.19.119.124   5001
     172.19.112.0    255.255.240.0         On-link    172.19.119.124   5256
   172.19.119.124  255.255.255.255         On-link    172.19.119.124   5256
   172.19.127.255  255.255.255.255         On-link    172.19.119.124   5256
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    172.19.119.124   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    172.19.119.124   5256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    169.254.169.0    255.255.255.0     172.19.112.1       1
          0.0.0.0          0.0.0.0     172.19.112.1  Default
===========================================================================
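
An added example, not part of the original issue or of Docker's code: a check that parses `route print` text captured on the host and inside a container, reports host persistent routes that also appear in the container, and flags any that cover the instance metadata address 169.254.169.254. The function names are hypothetical and the sample captures are constructed by trimming the listings above.

```python
import ipaddress
import re

# Azure instance metadata address (also present in the host table in the issue).
IMDS = ipaddress.ip_address("169.254.169.254")
# Destination, netmask, gateway: the first three columns of both sections.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")

def parse_routes(text):
    """Return {'active': set, 'persistent': set} of (network, gateway) pairs."""
    routes = {"active": set(), "persistent": set()}
    section = None
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("Active Routes:"):
            section = "active"
        elif head.startswith("Persistent Routes:"):
            section = "persistent"
        elif head.startswith("IPv6 Route Table"):
            break  # only the IPv4 table is compared here
        elif section and (m := ROW.match(line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes[section].add((net, m.group(3)))
    return routes

def inherited_routes(host_text, container_text):
    """Host persistent routes also seen in the container: (network, gateway, covers_imds)."""
    host = parse_routes(host_text)["persistent"]
    cont = parse_routes(container_text)
    seen = cont["active"] | cont["persistent"]
    return sorted((str(net), gw, IMDS in net) for net, gw in host if (net, gw) in seen)

# Constructed samples, trimmed from the `route print` listings in the issue.
HOST = """\
Active Routes:
          0.0.0.0          0.0.0.0         10.1.0.1         10.1.0.5     10
    169.254.169.0    255.255.255.0         On-link      172.19.112.1   5001
Persistent Routes:
    169.254.169.0    255.255.255.0     172.19.112.1       1
"""
CONTAINER = """\
Active Routes:
          0.0.0.0          0.0.0.0     172.19.112.1   172.19.119.124   5256
    169.254.169.0    255.255.255.0     172.19.112.1   172.19.119.124   5001
Persistent Routes:
    169.254.169.0    255.255.255.0     172.19.112.1       1
          0.0.0.0          0.0.0.0     172.19.112.1  Default
"""
print(inherited_routes(HOST, CONTAINER))
```
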

@docker-robott (Collaborator)

Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

@docker-robott (Collaborator)

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Mar 21, 2022