Disabling userland proxy in rootless installation #43090
Comments
Expected behavior |
Is there just no way to disable the userland proxy when running in rootless mode, or would there be an alternative like allowing passwordless sudo for the |
https://docs.docker.com/engine/security/rootless/#networking-errors mentions "This is an expected behavior, as the daemon is namespaced inside RootlessKit’s network namespace.". Thus, I don't think it is possible to disable the userland proxy. I'm not sure why you are looking to disable userland proxy, but if it is to propagate source IP addresses (see the real IP address of connecting external clients to your container) then see the docs under the section " |
Thanks for the link, I must have overlooked that section. The IP was one of the reasons I wanted to disable it. The other was to improve performance by removing the proxy, which I read about in some other issue, where it was also referenced that removing the userland proxy might become default in the future within moby. However, I can't find the issue anymore. However, following the documentation and creating the file does not seem to work, as it crashes the daemon / prevents it from starting and there does not seem to be an easy way to view the logs of the rootless daemon. Though that is off topic for this issue. |
I also spent a fair bit of time today to find the workaround and only found this GitHub issue because you had the same problem as me. I also read about performance issues with the proxy, and it looks like this method further reduces performance according to the linked benchmark. I wish there was a way to get the same performance as rootful docker. I would consider For me, adding the file and restarting the daemon worked perfectly the first time. Maybe this was because I am running on a freshly provisioned minimal headless Debian server. Too bad you had issues with |
Probably your slirp4netns is too old. Needs to be v0.4.0 or later. v1.1.x is recommended.
Logs can be fetched via
Or just run
systemctl --user stop docker
DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns dockerd-rootless.sh |
Even better, in
mkdir ~/.config/systemd/user/docker.service.d/
In:
[Service]
Environment=DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER="slirp4netns"
See: #42293 (comment)
But in fact I was missing:
In the end it still did not work, so I used different ports for each container. |
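Added example, not part of the thread or of Docker's own scripts: the slirp4netns port-driver drop-in from the comments above, written only after checking the v0.4.0 minimum mentioned there. The drop-in file name `override.conf`, the helper function names and the `apply` argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Assumed names: override.conf, the helper functions, "apply".
MIN_SLIRP="0.4.0"   # minimum slirp4netns version stated in the thread

# version_ge A B: succeed when dotted version A is >= B, compared field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read `slirp4netns --version` output on stdin and print the version number.
parse_slirp_version() {
    awk 'NR == 1 && $2 == "version" { print $3 }'
}

# Print the systemd drop-in that selects the given RootlessKit port driver.
render_dropin() {
    printf '[Service]\nEnvironment=DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER="%s"\n' "$1"
}

# Write the drop-in under the user's systemd configuration directory.
install_dropin() {
    dir="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user/docker.service.d"
    mkdir -p "$dir" && render_dropin slirp4netns > "$dir/override.conf"
}

# Only touch the system when called as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    ver=$(slirp4netns --version | parse_slirp_version)
    if [ -z "$ver" ] || ! version_ge "$ver" "$MIN_SLIRP"; then
        echo "slirp4netns '${ver:-not found}' is older than $MIN_SLIRP" >&2
        exit 1
    fi
    install_dropin
    systemctl --user daemon-reload    # make systemd read the new drop-in
    systemctl --user restart docker
fi
```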
Description
When updating the daemon.json to contain "userland-proxy": false, no network connectivity at all seems to be possible to the docker containers. Is this a bug or is this a limitation of the rootless mode?
Steps to reproduce the issue:
~/.config/docker/daemon.json to be
systemctl --user restart docker
Describe the results you received:
Connecting to the exposed port of the container is no longer possible. This does not change by adding "iptables": true to the daemon config json object.
Describe the results you expected:
Connecting to the container should be possible just as before.
Output of docker version
Output of docker info
Additional environment details (AWS, VirtualBox, physical, etc.):
VPS machine, not sure what technology they use for their VPSs