docker-proxy accepts connections before NAT rules are set up #47951
Assignees
Labels
area/networking/portmapping
area/networking
kind/bug
Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.
status/0-triage
Comments
robmry
added
status/0-triage
kind/bug
|
Funny enough, binding the socket in the daemon and passing the socket fd off to the proxy process was also the plan last year! And with this plan, we could get the kernel to pick the host port for us! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Tracking review comment #47871 (comment)
#47871 means the
docker-proxyprocess is started before NAT rules are set up.That ensures the daemon doesn't trample iptables rules for a port that's already in-use by some other process, but it leaves a window in which
docker-proxymay accept connections that it would not see once the NAT rules are in place. Those connections will be doomed, and eventually reset.From discussion in today's networking maintainers call (@corhere, @akerouanton) - the plan is to bind the socket in the daemon, to make sure it's reserved and available, set up the iptables rules, then pass the socket to a modified
docker-proxy(which can start accepting connections straight away).The
dummyProxycan then be eliminated, because all it does is bind the socket.The text was updated successfully, but these errors were encountered: