#47871 means the docker-proxy process is started before NAT rules are set up.
That ensures the daemon doesn't trample iptables rules for a port that's already in use by some other process, but it leaves a window in which docker-proxy may accept connections that it would not see once the NAT rules are in place. Those connections will be doomed, and eventually reset.
From discussion in today's networking maintainers call (@corhere, @akerouanton) - the plan is to bind the socket in the daemon, to make sure it's reserved and available, set up the iptables rules, then pass the socket to a modified docker-proxy (which can start accepting connections straight away).
The dummyProxy can then be eliminated, because all it does is bind the socket.
Tracking review comment #47871 (comment)
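The bind-first ordering described in this issue, as an added Go sketch that is not code from the Moby repository. `reservePort` and `handoff` are hypothetical names, both roles run in one process on a loopback ephemeral port, and passing the descriptor to a child through `exec.Cmd.ExtraFiles` is an assumed mechanism.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"os"
)

// reservePort is the daemon's step: bind first, so an in-use port fails before any NAT rule is written.
func reservePort(addr string) (*os.File, net.Addr, error) {
	l, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, nil, err
	}
	defer l.Close() // the dup returned below keeps the socket bound and listening
	f, err := l.(*net.TCPListener).File()
	return f, l.Addr(), err
}

// handoff plays both roles and returns what the proxy side reads from an early client.
func handoff() (string, error) {
	sock, addr, err := reservePort("127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer sock.Close()
	// NAT rules would be installed here; the client below connects before anything accepts.
	early, err := net.Dial("tcp", addr.String())
	if err != nil {
		return "", err
	}
	defer early.Close()
	fmt.Fprint(early, "early")
	// Proxy side. A real child would get sock via exec.Cmd.ExtraFiles (fd 3).
	proxy, err := net.FileListener(sock)
	if err != nil {
		return "", err
	}
	defer proxy.Close()
	conn, err := proxy.Accept() // the queued connection is served, not reset
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, len("early"))
	_, err = io.ReadFull(conn, buf)
	return string(buf), err
}

func main() { fmt.Println(handoff()) }
```

Because the listening socket exists from the moment of the bind, a client that connects while rules are still being written waits in the accept backlog and is handled by whichever process ends up holding the descriptor.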