Proposal: exposing SCTP ports for container #9689

Closed
rickhofstede opened this issue Dec 16, 2014 · 27 comments

Comments

@rickhofstede rickhofstede commented Dec 16, 2014

While trying to expose an incoming SCTP port for my container, I found out that something like -p x:y/sctp is not yet supported. It would be great to have the flexibility of exposing ports for any protocol for a container, although SCTP currently has the highest priority on my wish list.

@scottstamp scottstamp commented Dec 16, 2014

-- from IRC --
From what I can see, the components that back things should be compatible, but the client is parsing the spec as x:y(/proto) where /proto defaults to tcp, and can only validate to udp or tcp.

I'm not very familiar with this part of the code base and there seems to be a large number of references, so this change might be better looked at by someone more experienced. It seems like just modifying the checks for the -p flag would be sufficient.

@duglin duglin commented Jul 14, 2015

ping @crosbymichael @mavenugo: is there any reason, aside from trying to fail fast, that we don't just let the protocol string be passed all the way down to the iptables call and let unknown/invalid protocols be detected at that point? Then we don't need to check in docker itself and just let the underlying OS decide.
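As an added example (not code from the docker/moby project), here is a Go parser for the `[ip:]hostPort:containerPort[/proto]` spec that scottstamp describes, with `sctp` added to the allow-list this issue asks for; it keeps the client-side fail-fast check that duglin's comment weighs against deferring to iptables, so an arbitrary protocol string never reaches the iptables call. `ParsePortSpec`, `PortMapping` and `allowedProtos` are names assumed for this example, not docker's own.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// PortMapping is the parsed form of a -p spec: [ip:]hostPort:containerPort[/proto]. (example type, not docker's)
type PortMapping struct {
	HostIP                  string
	HostPort, ContainerPort uint16
	Proto                   string
}

// Explicit allow-list of protocols; "sctp" is the addition this thread asks for.
var allowedProtos = map[string]bool{"tcp": true, "udp": true, "sctp": true}

// ParsePortSpec rejects unknown protocols client-side (fail fast) instead of
// handing an arbitrary string down to the iptables call.
func ParsePortSpec(spec string) (PortMapping, error) {
	var m PortMapping
	ports, proto := spec, "tcp" // proto defaults to tcp, as the docker client does
	if i := strings.LastIndex(spec, "/"); i >= 0 {
		ports, proto = spec[:i], strings.ToLower(spec[i+1:])
	}
	if !allowedProtos[proto] {
		return m, fmt.Errorf("unsupported protocol %q (want tcp, udp or sctp)", proto)
	}
	parts := strings.Split(ports, ":")
	if len(parts) == 3 { // optional host IP prefix
		if net.ParseIP(parts[0]) == nil {
			return m, fmt.Errorf("invalid host IP %q", parts[0])
		}
		m.HostIP, parts = parts[0], parts[1:]
	}
	if len(parts) != 2 {
		return m, fmt.Errorf("bad spec %q: want [ip:]host:container[/proto]", spec)
	}
	var p [2]uint16
	for i, s := range parts { // 1..65535, no sign, no overflow
		n, err := strconv.ParseUint(s, 10, 16)
		if err != nil || n == 0 {
			return PortMapping{}, fmt.Errorf("invalid port %q", s)
		}
		p[i] = uint16(n)
	}
	return PortMapping{m.HostIP, p[0], p[1], proto}, nil
}
```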

@thaJeztah thaJeztah commented Aug 15, 2015

ping @mavenugo could you answer this?

@mavenugo mavenugo commented Aug 16, 2015

With CNM (Container Networking Model), container connectivity across multiple hosts can be achieved through various drivers/plugins. Some of the drivers, such as the in-built overlay, support this container connectivity without the need for port mapping. Hence SCTP or other protocols can just work without the need to map or expose ports.

But, in order to expose the service provided by a container to external networks that are not managed under CNM, we would have to do port-mapping and hence this request must be addressed. Also, the concept of external connectivity varies under different deployment scenarios. This enhancement request should be included in that context when making design decisions.

@mavenugo mavenugo added this to the 1.9.0 milestone Aug 16, 2015
@icecrime icecrime removed this from the 1.9.0 milestone Oct 10, 2015
@LK4D4 LK4D4 commented Sep 16, 2016

@mavenugo @mrjana @sanimej @aboch still need to be addressed?

@razaborg razaborg commented Apr 21, 2017

What is the current status of this feature?
I'm facing the problem of exposing an SCTP port on the host, and that still seems to be unsupported.

@AkihiroSuda AkihiroSuda commented Jul 3, 2017

@AkihiroSuda AkihiroSuda commented Jul 11, 2017

libnetwork-side PR has been opened as moby/libnetwork#1825

Anyone please look into the PR?

@Peter-eid Peter-eid commented Jan 9, 2018

@mavenugo What is the current status of this feature?

@rkbug rkbug commented Jan 9, 2018

@mavenugo (Madhu), can you please update the current status of this feature?

@verizonold verizonold commented Mar 6, 2018

Hi, can you please provide details on how SCTP is now supported? Any examples that you can share?

@thaJeztah thaJeztah commented Mar 6, 2018

I think all PRs are merged now, and will be included in Docker 18.03 (release candidates are available); see

Closing this issue, because it looks like we're done, but feel free to comment in case I missed something

@thaJeztah thaJeztah closed this Mar 6, 2018
@verizonold verizonold commented Mar 6, 2018

do you know if Kubernetes supports SCTP?

@verizonold verizonold commented Mar 6, 2018

@thaJeztah Can you please provide me a pointer to Docker 18.03? Should I see this in Edge releases?

@thaJeztah thaJeztah commented Mar 6, 2018

It's not released yet; release candidates are available in the "test" channel, or through the install script at https://test.docker.com

@verizonold verizonold commented Mar 6, 2018

@thaJeztah thanks...so I just run this script on my CentOS VM? Also, I would like to try the support for SCTP. Can you please provide some doc/info on how to use this feature in docker?

@thaJeztah thaJeztah commented Mar 6, 2018

@verizonold from docker's perspective it's mainly allowing you to specify sctp in addition to tcp or udp when publishing container ports. What to use it for / how you use it for things running in your container is a bit out of scope.

@verizonold verizonold commented Mar 6, 2018

@thaJeztah thanks...so what is the link to the release candidates in the "test" channel?

@AkihiroSuda AkihiroSuda commented Mar 6, 2018

@verizonold you just need to do

# For test builds (ie. release candidates):
#   $ curl -fsSL test.docker.com -o test-docker.sh
#   $ sh test-docker.sh

Kubernetes-part hasn't been worked out yet.

@teknoraver teknoraver commented May 10, 2018

Hi all.

Are memory cgroups limits enforced for SCTP kernel buffers?
I hope I'm wrong, but looking at the code it seems not.
Please do proper testing before enabling SCTP by default.

@thaJeztah thaJeztah commented May 10, 2018

@AkihiroSuda ^^ think you may have more insight into that

@AkihiroSuda AkihiroSuda commented May 11, 2018

@teknoraver You're talking about the SCTP equivalent of memory.kmem.tcp.limit_in_bytes, right?
I'm not sure Linux has an equivalent of that for SCTP.

@teknoraver teknoraver commented May 11, 2018

@AkihiroSuda exactly that one. One to avoid a process wasting all the system memory?

@AkihiroSuda AkihiroSuda commented May 11, 2018

Although not specific to the SCTP buffer, does docker run --kernel-memory (which sets memory.kmem.limit_in_bytes) work for you?

@Jacob-E Jacob-E commented May 16, 2018

Is there a way to run a userspace SCTP stack in the container?
Currently, if we try that, the kernel SCTP ends up sending an ABORT.

@teknoraver teknoraver commented May 25, 2018

I don't think so.
Running a userspace layer 4 protocol requires you to have RAW socket permissions, which is unlikely in containers.

@teknoraver teknoraver commented Mar 27, 2019

Hi,

I recently discovered this, which is strictly related to this issue:

https://access.redhat.com/security/cve/cve-2019-3874
