arkodg/buildkit 0

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit

arkodg/cli 0

The Docker CLI

arkodg/containerd 0

An open and reliable container runtime

arkodg/docker-ce 0

Docker CE

arkodg/docker-ce-packaging 0

Packaging scripts for Docker CE

arkodg/docker.github.io 0

Source repo for Docker's Documentation

arkodg/istio 0

Connect, secure, control, and observe services.

arkodg/jsonschema2md 0

Convert Complex JSON Schemas into Markdown Documentation

arkodg/libnetwork 0

Docker Networking

arkodg/moby 0

Moby Project - a collaborative project for the container ecosystem to assemble container-based systems

push event arkodg/docker-ce

Arko Dasgupta

commit sha 855b0a0806b55d7825b7efd4439baac47ff2cc16

Bump version to 19.03.6.rc1 Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 4 hours

push event arkodg/docker-ce

Arko Dasgupta

commit sha 09a10bd5f84f1e2ae0f2de786839a45205e9502f

Bump version to 19.03.6.rc1 Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 4 hours

push event arkodg/docker-ce

Arko Dasgupta

commit sha e66282a72ae2f3dbf962da20a8b0d51edf80a267

Bump version to 19.03.6.rc1 Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 4 hours

issue comment docker/for-linux

docker-ce package for ARM debian

@antony-rheneus this issue should be resolved now, apologies for the temporary disruption

antony-rheneus

comment created time in 6 hours

issue comment docker/for-linux

Broken Debian repository / incomplete Release gpg signatures

folks, this issue should be resolved now, apologies for the temporary disruption

mika

comment created time in 6 hours

pull request comment docker/docker-ce

Bump version to 19.03.6.rc1

PTAL @thaJeztah @tonistiigi @tiborvass

arkodg

comment created time in 8 hours

PR opened docker/docker-ce

Bump version to 19.03.6.rc1
+23 -1

0 comment

2 changed files

pr created time in 8 hours

push event arkodg/docker-ce

Arko Dasgupta

commit sha 2c9030e1f53817e115a0894637e41718484b6ddd

Bump version to 19.03.6.rc1 Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 8 hours

issue comment docker/for-linux

Broken Debian repository / incomplete Release gpg signatures

@cpuguy83 this issue is resolved in staging, should be out in prod soon

mika

comment created time in a day

push event arkodg/moby

Arko Dasgupta

commit sha 92e809a6807210a3d1ecd7949314367e82f5b683

Support host.docker.internal in dockerd on Linux

Docker Desktop (on MAC and Windows hosts) allows containers running inside a Linux VM to connect to the host using the host.docker.internal DNS name, which is implemented by VPNkit (DNS proxy on the host)

This PR allows containers to connect to Linux hosts by appending a special string "host-gateway" to --add-host e.g. "--add-host=host.docker.internal:host-gateway" which adds host.docker.internal DNS entry in /etc/hosts and maps it to host-gateway-ip

This PR also adds a daemon flag called host-gateway-ip which defaults to the default bridge IP

Docker Desktop will need to set this field to the Host Proxy IP so DNS requests for host.docker.internal can be routed to VPNkit

Addresses: https://github.com/docker/for-linux/issues/264

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in a day

push event arkodg/moby

Arko Dasgupta

commit sha fb481eb9af286267f967f26926b344af5fed2b1f

Added TestDaemonHostGatewayIP integration test Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com> Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in a day

issue comment docker/for-linux

Broken Debian repository / incomplete Release gpg signatures

@mika thanks for raising this issue, we're working on getting this fixed asap

mika

comment created time in a day

push event arkodg/moby

Arko Dasgupta

commit sha d9013a4c51939985ebe38482d1f507c1d80c97cf

Added TestDaemonHostGatewayIP integration test Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com> Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 2 days

PR opened docker/engine

Bump 19.03 libnetwork refpoint

[19.03 backport] bridge: Fix hwaddr set race between us and udev

+8 -9

0 comment

3 changed files

pr created time in 7 days

push event arkodg/moby

Akihiro Suda

commit sha 5bd4233d7b0710005e0a520c137c64631c7e6664

rootless: harden slirp4netns with mount namespace and seccomp When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using mount namespace ("sandbox") and seccomp to mitigate potential vulnerabilities. bump up rootlesskit: https://github.com/rootless-containers/rootlesskit/compare/2fcff6ceae968a1d895e6205e5154b107247356f...791ac8cb209a107505cd1ca5ddf23a49913e176c Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit e20b7323fb3546d5974d0ed49de099e4b127e96a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 54a58760b6f0b3e50d6a592525413ac6599570a4

[19.03 backport] revert controller: Check if IPTables is enabled for arrangeUserFilterRule This change caused a regression, causing the DOCKER-USER chain to not be created, despite iptables being enabled on the daemon. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Andrew Hsu

commit sha adfac697dc5b74998c6a5229f1e4e9b2e0406af4

Merge pull request #404 from thaJeztah/19.03_revert_iptables_check2 [19.03 backport] revert controller: Check if IPTables is enabled for arrangeUserFilterRule ENGCORE-1114

Brian Goff

commit sha e037bade8cac920cc2927c194c77778ddd041101

Use ocischema package instead of custom handler Previously we were re-using schema2.DeserializedManifest to handle oci manifests. The issue lies in the fact that distribution started validating the media type string during json deserialization. This change broke our usage of that type. Instead distribution now provides direct support for oci schemas, so use that instead of our custom handlers. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit e443512ce4799380941374ef64fc30edc989650e) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Brian Goff

commit sha fd169c00bf19a392276d52867c1a5032d22b7b21

Propagate GetContainer error from event processor Before this change we just accept that any error is "not found" and it could be something else, but even if it is just a "not found" kind of error this should be dealt with from the container store and not the event processor. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit 54e30a62d3ca39c912c8e291e80cfbf80860d607) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Akihiro Suda

commit sha a8b454a9345bc446c89ffdb9a1b53da23c4ba4a4

docs/rootless.md: update Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit e76dea157e3b6a1ff0812e52c630b7cc8f363da5) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 9c388fb11928e2a1cb3e821f3d6ba802b1b5533c

Jenkinsfile: set repo and branch for DCO check as well Commit 7019b60d0d6f3d69e6ccf481ca0a912905a9c1d7 added these env-vars to other stages, but forgot to update the DCO stage, which also does a diff to validate commits that are in a PR. Also adding openssh-client, for situations where the upstream needs to be accessed through an ssh connection. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit 7c5fd83c22d9540b6e31393abdf62e54c4ff6060) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Tibor Vass

commit sha 645f5593522440ce488425861f62309a9f8d3e0c

Merge pull request #411 from thaJeztah/19.03_backport_fix_dco_branch [19.03 backport] Jenkinsfile: set repo and branch for DCO check as well

Kunal Kushwaha

commit sha ce74774c096b1abcf872b45a3aa15c08120ff0c7

builder entitlements configuration added. buildkit supports entitlements like network-host and security-insecure. this patch aims to make it configurable through daemon.json file. by default network-host is enabled & security-insecure is disabled. Signed-off-by: Kunal Kushwaha <kunal.kushwaha@gmail.com> (cherry picked from commit 8b7bbf180fc65013bc9ec0269b4a475d3eb038ee) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Tibor Vass

commit sha 1e26b431c944402e62f0e652362b54ac24925cfc

daemon/config: fix filter type in BuildKit GC config For backwards compatibility, the old incorrect object format for builder.GC.Rule.Filter still works but is deprecated in favor of array of strings akin to what needs to be passed on the CLI. Signed-off-by: Tibor Vass <tibor@docker.com> (cherry picked from commit fbdd437d295595e88466b33a550a8707b9ebb709) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Tibor Vass

commit sha dae4436d1c742c88bba1a4e50a46f38f87f7ae17

daemon/config: add MarshalJSON for future proofing If anything marshals the daemon config now or in the future this commit ensures the correct canonical form for the builder GC policies' filters. Signed-off-by: Tibor Vass <tibor@docker.com> (cherry picked from commit 85733620ebea3da75abe7d732043354aa0883f8a) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha e5a0bc6a50ef924ed6c0f333693857ab22ca47fa

Add GoDoc to fix linting validation

The validate step in CI was broken, due to a combination of 086b4541cf9d27d9c2654f316a6f69b0d9caedd9, fbdd437d295595e88466b33a550a8707b9ebb709, and 85733620ebea3da75abe7d732043354aa0883f8a being merged to master.

```
api/types/filters/parse.go:39:1: exported method `Args.Keys` should have comment or be unexported (golint)
func (args Args) Keys() []string {
^
daemon/config/builder.go:19:6: exported type `BuilderGCFilter` should have comment or be unexported (golint)
type BuilderGCFilter filters.Args
^
daemon/config/builder.go:21:1: exported method `BuilderGCFilter.MarshalJSON` should have comment or be unexported (golint)
func (x *BuilderGCFilter) MarshalJSON() ([]byte, error) {
^
daemon/config/builder.go:35:1: exported method `BuilderGCFilter.UnmarshalJSON` should have comment or be unexported (golint)
func (x *BuilderGCFilter) UnmarshalJSON(data []byte) error {
^
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9d726f1c18216a127572310fccb0fab8fcfdc678)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Andrew Hsu

commit sha d91a85a9b53c397101a9b9ba75a4bf18b52c3ab1

Merge pull request #397 from thaJeztah/19.03_backport_slirp4netns_sandbox [19.03 backport] rootless: harden slirp4netns with mount namespace and seccomp

Andrew Hsu

commit sha 83bcde8f600bf02916d6e59c27bed44a965a5961

Merge pull request #408 from thaJeztah/19.03_backport_update_rootless_docs [19.03 backport] docs/rootless.md: update

Andrew Hsu

commit sha 967aa3a9ef93330f08d19d61e9819426139d4b5e

Merge pull request #405 from thaJeztah/19.03_backport_oci_regression [19.03 backport] Use ocischema package instead of custom handler

Andrew Hsu

commit sha 0e8949a003204b63f4c55cb5beb38754efed020c

Merge pull request #407 from thaJeztah/19.03_backport_better_container_error [19.03 backport] Propagate GetContainer error from event processor

Andrew Hsu

commit sha e2e3abec71f30e533a01e8f1f9669e55b1361fc1

Merge pull request #410 from thaJeztah/19.03_backport_fix_buildkit_prunegc_filter_config [19.03 backport] daemon/config: fix filter type in BuildKit GC config

Andrew Hsu

commit sha 370def6b30a6566bc6a3413ad1b5bac37a82db16

Merge pull request #412 from thaJeztah/19.03_backport_builder_entitilement_confg [19.03 backport] builder entitlements configuration added.

Kir Kolyshkin

commit sha 92a8618ddc48e0c6fe464035d618d0996a1ff266

Bump golang 1.12.12 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Andrew Hsu

commit sha ddb60aa6d1ba1d9bfbb655fa1f3c3359f82979aa

Merge pull request #418 from kolyshkin/19.03-go1.12.12 [19.03] Bump golang 1.12.12

push time in 7 days

push event arkodg/moby

Arko Dasgupta

commit sha 4c407caada2a81bb40b4f9766b1e0097837409a5

Bump libnetwork to latest refpoint

Commits:
feeff4f0 Merge pull request #2380 from liskin/bridge-atomic-hwaddr
fec6476d Merge pull request #2489 from suwang48404/doc
8757597e Added document describing libnetwork traffic flow.
eaea5722 Merge pull request #2445 from kdomanski/ipv6-addr-in-hosts
1680ce71 Merge pull request #2462 from arkodg/fix-key-spi-panic
4420ee92 Fix panic in drivers/overlay/encryption.go
57178323 Merge pull request #2472 from thaJeztah/bump_golang_1.12.12
f741dc9c Update Golang 1.12.12 (CVE-2019-17596)
79c19d09 Merge pull request #2461 from suwang48404/master
94facacc Added API to set ephemeral port allocator range.

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 7 days

create branch arkodg/docker-ce-packaging

branch : add-centos-8

created branch time in 7 days

push event arkodg/moby

Arko Dasgupta

commit sha 3aff8a401fed7cdf70490a82246e49789d7c9071

Bump Libnetwork to latest refpoint

Commits:
feeff4f0 Merge pull request #2380 from liskin/bridge-atomic-hwaddr
fec6476d Merge pull request #2489 from suwang48404/doc
8757597e Added document describing libnetwork traffic flow.
eaea5722 Merge pull request #2445 from kdomanski/ipv6-addr-in-hosts
1680ce71 Merge pull request #2462 from arkodg/fix-key-spi-panic
4420ee92 Fix panic in drivers/overlay/encryption.go
57178323 Merge pull request #2472 from thaJeztah/bump_golang_1.12.12
f741dc9c Update Golang 1.12.12 (CVE-2019-17596)
79c19d09 Merge pull request #2461 from suwang48404/master
94facacc Added API to set ephemeral port allocator range.

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 7 days

PR opened moby/moby

Bump Libnetwork to latest refpoint

Commits:
feeff4f0 Merge pull request #2380 from liskin/bridge-atomic-hwaddr
fec6476d Merge pull request #2489 from suwang48404/doc
8757597e Added document describing libnetwork traffic flow.
eaea5722 Merge pull request #2445 from kdomanski/ipv6-addr-in-hosts
1680ce71 Merge pull request #2462 from arkodg/fix-key-spi-panic
4420ee92 Fix panic in drivers/overlay/encryption.go
57178323 Merge pull request #2472 from thaJeztah/bump_golang_1.12.12
f741dc9c Update Golang 1.12.12 (CVE-2019-17596)
79c19d09 Merge pull request #2461 from suwang48404/master
94facacc Added API to set ephemeral port allocator range.

Signed-off-by: Arko Dasgupta arko.dasgupta@docker.com

+2 -2

0 comment

2 changed files

pr created time in 7 days

create branch arkodg/moby

branch : bump-libnetwork-latest

created branch time in 7 days

issue comment moby/moby

Intermittent connection resets in Swarm using IPVS due to invalid conntrack packets

@sbillet

INPUT -m conntrack --ctstate INVALID -j DROP

will be applied to all host traffic and cannot be isolated to a docker interface so this solution will be intrusive

and

net.netfilter.nf_conntrack_tcp_be_liberal=1

will be applied in the host network namespace as well, since AFAIK for all the cases, it's the host that ends up sending the RST.

sbillet

comment created time in 7 days

issue comment moby/moby

Intermittent connection resets in Swarm using IPVS due to invalid conntrack packets

@sbillet both these options work, but affect host networking traffic, which makes these changes in docker a little too intrusive

sbillet

comment created time in 8 days

issue comment moby/moby

Intermittent connection resets in Swarm using IPVS due to invalid conntrack packets

this seems related to https://github.com/docker/libnetwork/pull/2275

sbillet

comment created time in 9 days

pull request comment docker/libnetwork

Limited bridge netfilter application.

@thaJeztah no, only suggesting we rewrite it to

{d.config.EnableIPTables, setupBridgeNetFiltering},)

tomkcook

comment created time in 9 days

pull request comment docker/libnetwork

special DNS record for host.docker.internal + gateway.docker.internal

@0xbad0c0d3 can you please close this PR in favor of https://github.com/moby/moby/pull/40007

0xbad0c0d3

comment created time in 9 days

push event arkodg/moby

Arko Dasgupta

commit sha bdad16b0eeaefd4313e92ee6f6978e4285bfaf8d

Handle error case when fixed-cidr-ipv6 is empty When IPv6 is enabled, make sure fixed-cidr-ipv6 is set by the user since there is no default IPv6 local subnet in the IPAM Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 10 days

pull request comment moby/moby

Handle the error case when fixed-cidr-ipv6 is empty and ipv6 is enabled

There are none for IPv6. We can introduce private IPv6 subnets if and when IPv6 NAT is supported

arkodg

comment created time in 12 days

PR opened moby/moby

Handle the error case when fixed-cidr-ipv6 is empty and ipv6 is enabled

When IPv6 is enabled, make sure fixed-cidr-ipv6 is set by the user since there is no default IPv6 local subnet in the IPAM

Fixes : https://github.com/docker/for-linux/issues/829

- What I did

Handled the error case when fixed-cidr-ipv6 is empty and ipv6 is enabled

- How to verify it

dockerd --ipv6 &
[1] 465
failed to start daemon: Error initializing network controller: Please specify a IPv6 subnet using --fixed-cidr-v6 when IPv6 is enabled on the default bridge
[1]+  Exit 1                  dockerd --ipv6

+3 -1

0 comment

1 changed file

pr created time in 13 days

push event arkodg/moby

Arko Dasgupta

commit sha 74d2ddd1dc9e6ab1d5328320a8716686e5984975

Handle error case when fixed-cidr-ipv6 is empty When IPv6 is enabled, make sure fixed-cidr-ipv6 is set by the user since there is no default IPv6 local subnet in the IPAM Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in 13 days

create branch arkodg/moby

branch : check-cidr-ipv6

created branch time in 13 days

issue comment docker/for-linux

failed to get network during CreateEndpoint

@dingzhengkai thanks for raising this issue, it seems to be related to the docker container restart call specifically tied to attachable overlay networks. I can consistently produce this issue by running

docker network create --driver overlay --attachable --subnet 172.40.200.0/24 fooNet
docker run -d --name foo --net fooNet alpine
docker container restart foo

from the errors my hunch is it's a race between https://github.com/moby/moby/blob/a9507c6f76627fdc092edc542d5a7ef4a6df5eec/daemon/container_operations.go#L736 which succeeds in finding the overlay network on the local node but meanwhile DetachNetwork has wiped out the network once the container is stopped. @cpuguy83 do you think we need to leverage this lock https://github.com/moby/moby/blob/a9507c6f76627fdc092edc542d5a7ef4a6df5eec/daemon/container_operations.go#L395 in the DetachNetwork call from the worker node to make sure findAndAttachNetwork is not attempting to find the network while a detach is taking place

dingzhengkai

comment created time in 15 days

pull request comment docker/libnetwork

Limited bridge netfilter application.

these changes look good @tomkcook we might need to remove the check you brought up earlier https://github.com/docker/libnetwork/issues/2488#issuecomment-571746499 thoughts ? @euanh @selansen @thaJeztah

tomkcook

comment created time in 15 days

issue comment docker/libnetwork

libnetwork forces iptables on all bridges system-wide

good catch, I don't think this check is relevant anymore https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/drivers/bridge/bridge.go#L727 and the dependency on config.EnableICC should be removed since we rely on iptables for so much more than just restricting inter container communication

tomkcook

comment created time in 16 days

Pull request review comment docker/libnetwork

Limited bridge netfilter application.

 func checkBridgeNetFiltering(config *networkConfiguration, i *bridgeInterface) e 		if err != nil { 			logrus.Warnf("failed to check %s forwarding: %v", ipVerName, err) 		} else if enabled {-			enabled, err := getKernelBoolParam(getBridgeNFKernelParam(ipVer))+			bridgeName := i.Link.Attrs().Name
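
Review bot: in the `else if enabled` branch, the added `bridgeName := i.Link.Attrs().Name` dereferences `i.Link` with no nil check visible in this hunk, whereas the removed line read a global kernel parameter and needed no interface at all. If `checkBridgeNetFiltering` can be reached before the bridge link is populated this will panic, so guard `i` and `i.Link` before the dereference, or state in the function comment that callers guarantee both are set.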

I see that we already have something similar in https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/drivers/bridge/setup_bridgenetfiltering.go#L55 Can we use any one way of deriving the bridgeName and reference it everywhere else

tomkcook

comment created time in 16 days

pull request comment docker/libnetwork

Limited bridge netfilter application.

Thanks for raising a PR @tomkcook Can you please

  1. Sign your PR using the steps mentioned above
  2. Elaborate what you did, and why you did it in the commit message (by sharing the links you had shared in the Issue)

tomkcook

comment created time in 16 days

issue comment docker/libnetwork

Internal macvlan network doesn't work in swarm

@lemrouch regarding https://github.com/docker/libnetwork/pull/2419 I think the authors intended internal (for macvlan drivers) to mean internal to the local node based on this comment https://github.com/docker/libnetwork/pull/964#issuecomment-193152590 cc : @nerdalert @mavenugo

lemrouch

comment created time in 17 days

pull request comment docker/libnetwork

FIX ParseIP error

thanks for raising this issue @mimuret, from the fix in the PR it's still not clear how we encountered this bug, is the issue that this line is not setting the ipvsSvcAttrAddressFamily attribute https://github.com/docker/libnetwork/blob/6edb83eaba190ffcf71281ebc504a2f82532c418/ipvs/netlink.go#L77

mimuret

comment created time in 20 days

issue closed docker/libnetwork

Missing weighted scheduling-methods constants for ipvs

Hey guys, I noticed that weighted scheduling methods are missing in ipvs constants while working on a PR in project using this library. I would like to add them so I can use these constants in code configuring ipvs.

closed time in 20 days

jdrahos

issue comment docker/libnetwork

libnetwork forces iptables on all bridges system-wide

@tomkcook thanks for highlighting this issue, looks like this API can be extended to receive the bridge interface and only enable filtering per bridge - https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/drivers/bridge/setup_bridgenetfiltering.go#L111

tomkcook

comment created time in 20 days

issue comment docker/libnetwork

Please update "github.com/miekg/dns"

@onlyjob, thanks for highlighting this issue, would you like to commit this change you can edit vendor.conf https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/vendor.conf#L37 and run vndr github.com/miekg/dns to generate/import the newer package files

onlyjob

comment created time in 20 days

issue comment docker/libnetwork

Internal macvlan network doesn't work in swarm

Thanks for the clarification, so the issue is that this statement doesn't hold true for you - When a container is connected to multiple networks, its external connectivity is provided via the first non-internal network, in lexical order. In your case your containers have 2 endpoints (VXLAN and MACVLAN) and you want north-south traffic to egress via the VXLAN endpoint, so you're attempting to make the MACVLAN network internal ?

Sharing some docker commands and using net=host to mimic the legacy server might help me and anyone else interested in this issue, understand the problem better.

lemrouch

comment created time in 20 days

issue comment moby/moby

Docker Swarm Node keeps up and down almost the same time everyday

I see some errors -

Bulk sync to node 8645b70c8e41 timed out
firewalld[3005]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -m ipvs --ipvs -d 10.255.0.0/16 -j SNAT --to-source 10.255.0.3' failed: iptables: No chain/target/match by that name.
kernel: IPVS: rr: FWM 1516 0x000005EC - no destination available

Do you have the iptables extension for ipvs installed ?

cc: @dani-docker

sangnguyen7

comment created time in 20 days

issue opened docker/libnetwork

Port Forwarding does not work on RHEL 8 with Firewalld running with `FirewallBackend=nftables`

With RHEL8 and Firewalld with FirewallBackend=nftables enabled, docker port forwarding (e.g. docker run --name test-nginx -p 8080:80 -d nginx) does not work

Might need to revisit the logic in https://github.com/docker/libnetwork/blob/master/iptables/firewalld.go to get this to work

Workaround -

  1. Use FirewallBackend=iptables
  2. or Include the interface firewall-cmd --permanent --zone=trusted --add-interface=docker0; firewall-cmd --reload

created time in 20 days

issue comment moby/moby

RHEL 8 officially supported by docker-ce/docker-ee ?

hi @kakoni, I believe you are referring to RHEL8 with firewalld installed. And we've noticed that firewalld with FirewallBackend=nftables doesn't go well with Docker. And so two options to fix this issue are

  1. Use FirewallBackend=iptables
  2. or Include the interface firewall-cmd --permanent --zone=trusted --add-interface=docker0; firewall-cmd --reload

A more permanent solution could be to automate this plumbing this libnetwork - https://github.com/docker/libnetwork/blob/master/iptables/firewalld.go

taclano

comment created time in 20 days

issue comment docker/libnetwork

Internal macvlan network doesn't work in swarm

hi @lemrouch , I'm not sure how an internal network would work for macvlan networks , from my understanding, internal is limiting traffic to east-west / disallowing north-south

This can be taken care of in overlay networks by not connecting the container endpoints to the docker_gwbridge - https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/default_gateway.go#L127

This also makes sense for bridge drivers which can apply iptable policies to achieve this https://github.com/docker/libnetwork/blob/feeff4f0a3fd2a2bb19cf67c826082c66ffaaed9/drivers/bridge/setup_ip_tables.go#L338

lemrouch

comment created time in 21 days

pull request comment docker/libnetwork

Improving load balancer performance

thanks for running the tests and contributing ! Had a few questions -

  1. should we also set net/ipv4/vs/expire_quiescent_template to 1 which should expire persistent connections to the real server with weight 0 (after the backend is down thanks to the net/ipv4/vs/expire_nodest_conn=1 setting ), but I see there is an open issue https://github.com/kubernetes/kubernetes/issues/81775 so would like to understand the negative implications of setting net/ipv4/vs/conn_reuse_mode to 0 cc: @lbernail

  2. will this setting work for most kernels ?

ahjumma

comment created time in 24 days

fork arkodg/buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit

https://github.com/moby/moby/issues/34227

fork in a month

fork arkodg/jsonschema2md

Convert Complex JSON Schemas into Markdown Documentation

fork in a month

delete branch arkodg/docker-ce-packaging

delete branch : 19.03

delete time in a month

pull request comment docker/docker-ce-packaging

[19.03] Support ubuntu-disco and ubuntu-eoan

there seems to be many commits that have not been cherry-picked between master and 19.03, cherrypicked the minimum amount of commits to support ubuntu-eoan

arkodg

comment created time in a month

pull request comment docker/docker-ce-packaging

[19.03] Support ubuntu-disco and ubuntu-eoan

PTAL @thaJeztah @tonistiigi @tiborvass @StefanScherer @zelahi

arkodg

comment created time in a month

push event arkodg/docker-ce-packaging

Sebastiaan van Stijn

commit sha ac49079ee227bb44e5af3bc5d0e6ff89b8a7ecf8

Add Ubuntu 19.10 "eoan" Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit ccc2ee38126c26c0d6fd787ed997231521ece7e5) Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

Arko Dasgupta

commit sha 3b0f0f0ee3b14a54ea237658c14aae938b14f001

Add ubuntu-disco and ubuntu-eoan to deb Makefile Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

push time in a month

pull request comment docker/docker-ce-packaging

Add build target for ubuntu-eoan

@seemethere thanks for the hint. I'm guessing this PR needs to get merged and another PR similar to https://github.com/docker/release-packaging/pull/318 needs to be raised in release-packaging

arkodg

comment created time in a month

issue closed docker/for-linux

Docker CE deletes IPv6 Default route

  • [x] This is a bug report
  • [ ] This is a feature request
  • [x] I searched existing issues before opening this one

Expected behavior

When the docker service is started, IPv6 routes for containers should be added to the routing table and viewed by using ip -6 route. The ipv6 route should be visible.

fdaa:bbbb:cccc::/48 dev docker0 proto kernel metric 256 pref medium
fdaa:bbbb:cccc::/48 dev docker0 metric 1024 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev veth79ca3f0 proto kernel metric 256 pref medium
fe80::/64 dev vethc3d607c proto kernel metric 256 pref medium
fe80::/64 dev veth3ba6f32 proto kernel metric 256 pref medium
fe80::/64 dev vethd95f545 proto kernel metric 256 pref medium
fe80::/64 dev ens160 proto kernel metric 256 pref medium
default via fe80::xxx:xxx:xxx:xx dev ens160 proto ra metric 1024 expires 1791sec hoplimit 64 pref medium

Actual behavior

When docker is started the default ipv6 route is removed

fdaa:bbbb:cccc::/48 dev docker0 proto kernel metric 256 pref medium
fdaa:bbbb:cccc::/48 dev docker0 metric 1024 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
fe80::/64 dev ens160 proto kernel metric 256 pref medium
fe80::/64 dev veth898a7b8 proto kernel metric 256 pref medium
fe80::/64 dev veth8c91d52 proto kernel metric 256 pref medium
fe80::/64 dev vethe10abab proto kernel metric 256 pref medium
fe80::/64 dev veth61e9e90 proto kernel metric 256 pref medium

Steps to reproduce the behavior

enable ipv6 in daemon.json

{
"bip": "192.168.0.1/16",
"fixed-cidr": "192.168.0.0/16",
"fixed-cidr-v6": "fdaa:bbbb:cccc::/48",
"ipv6": true
}

re-start docker

systemctl stop docker
systemctl start docker

run ip -6 route and see default via is removed

recover by running systemctl restart network

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.4
 API version:       1.40
 Go version:        go1.12.10
 Git commit:        9013bf583a
 Built:             Fri Oct 18 15:52:22 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.4
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.10
  Git commit:       9013bf583a
  Built:            Fri Oct 18 15:50:54 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 5
  Running: 4
  Paused: 0
  Stopped: 1
 Images: 599
 Server Version: 19.03.4
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-1062.1.2.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.634GiB
 Name: REDACTED
 ID: NHGB:7LC2:73T4:VN3B:XEHJ:WPKE:FSQT:TZLP:GATX:I22X:XTT6:77FG
 Docker Root Dir: /app/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.) vmware centos 7

closed time in 2 months

i2blind

pull request commentdocker/docker-ce-packaging

Add build target for ubuntu-eoan

PTAL @tiborvass @tonistiigi @andrewhsu @zelahi @thaJeztah

arkodg

comment created time in 2 months

PR opened docker/docker-ce-packaging

Add build target for ubuntu-eoan

Signed-off-by: Arko Dasgupta arko.dasgupta@docker.com

+1 -1

0 comment

1 changed file

pr created time in 2 months

create branch arkodg/docker-ce-packaging

branch : build-ubuntu-eoan

created branch time in 2 months

fork arkodg/runc

CLI tool for spawning and running containers according to the OCI specification

https://www.opencontainers.org/

fork in 2 months

fork arkodg/containerd

An open and reliable container runtime

https://containerd.io

fork in 2 months

issue openeddocker/docker.github.io

Increasing MTU for overlay networks might increase network performance

Default MTU for overlay networks is 1500. This is a conservative value. Increasing the MTU to the MTU of the primary host interface will significantly increase the BW performance for overlay networks.

Experiments in - https://github.com/moby/moby/issues/37855#issuecomment-561437543

File: network/overlay.md

created time in 2 months

PR closed docker/engine

[18.09] Bump SwarmKit to b0bc4017ad110cd20898d8c44be03c1e78e4e979
  1. Includes: https://github.com/docker/swarmkit/pull/2892

  2. Edited TestServiceWithDefaultAddressPoolInit to validate dynamic ingress network subnet

Signed-off-by: Arko Dasgupta arko.dasgupta@docker.com


+9 -7

2 comments

3 changed files

arkodg

pr closed time in 2 months

pull request commentdocker/engine

[18.09] Bump SwarmKit to b0bc4017ad110cd20898d8c44be03c1e78e4e979

closing this as this has already been integrated with https://github.com/docker/engine/commit/e06f07ef337ab890f211397d6b408b75a2512dc5

arkodg

comment created time in 2 months

issue commentmoby/moby

Why docker overlay network is so poor?

The default overlay network created by docker has an MTU of 1500 which might limit BW if the host outgoing interface can support a higher MTU. Increasing the MTU of the overlay network is one knob that can be used to improve/tune network BW performance

I have a Swarm cluster with 2 nodes

Node1

Host primary interface has an MTU of 9001

ifconfig ens3
ens3      Link encap:Ethernet  HWaddr 0a:10:10:c4:94:5c  
          inet addr:172.31.10.181  Bcast:172.31.15.255  Mask:255.255.240.0
          inet6 addr: fe80::810:10ff:fec4:945c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:1883430 errors:0 dropped:0 overruns:0 frame:0
          TX packets:439535 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5959127850 (5.9 GB)  TX bytes:47602234 (47.6 MB)

Created 3 iperf servers

  1. Attached to the host network
docker run --name iperf_host -d -ti --net host mustafaakin/alpine-iperf iperf -s
  2. Attached to an overlay network with default MTU (1500)
docker network create -d overlay --attachable iperf_overlay_no_mtu
docker run --name iperf_overlay_no_mtu -d -ti --net iperf_overlay_no_mtu mustafaakin/alpine-iperf iperf -s
  3. Attached to an overlay network with MTU = 8000 (comparable to the MTU of host interface which is 9000)
docker network create -d overlay --opt com.docker.network.driver.mtu=8000 --attachable iperf_overlay
docker run --name iperf_overlay -d -ti --net iperf_overlay mustafaakin/alpine-iperf iperf -s

Node 2

Ran 3 iperf client containers for each type of network

  1. Host Network
docker run --net host -ti mustafaakin/alpine-iperf iperf -c 172.31.10.181 -m
Unable to find image 'mustafaakin/alpine-iperf:latest' locally
latest: Pulling from mustafaakin/alpine-iperf
Image docker.io/mustafaakin/alpine-iperf:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
12b41071e6ce: Pull complete 
4d55717007e4: Pull complete 
Digest: sha256:5724f79034d0f0e1843efe0d477fac55a22ad2b73f6967da49a683f3595727c0
Status: Downloaded newer image for mustafaakin/alpine-iperf:latest
------------------------------------------------------------
Client connecting to 172.31.10.181, TCP port 5001
TCP window size:  325 KByte (default)
------------------------------------------------------------
[  3] local 172.31.11.137 port 36500 connected with 172.31.10.181 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.78 GBytes  1.53 Gbits/sec
[  3] MSS size 8949 bytes (MTU 8989 bytes, unknown interface)
  2. Overlay Network with 1500 MTU
docker run --net iperf_overlay_no_mtu -ti mustafaakin/alpine-iperf iperf -c 10.0.2.2 -m
------------------------------------------------------------
Client connecting to 10.0.2.2, TCP port 5001
TCP window size: 45.0 KByte (default)
------------------------------------------------------------
[  3] local 10.0.2.4 port 34060 connected with 10.0.2.2 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1002 MBytes   840 Mbits/sec
[  3] MSS size 1398 bytes (MTU 1438 bytes, unknown interface)
  3. Overlay Network with 8000 MTU (results much better than 2 and comparable to 1)
docker run --net iperf_overlay -ti mustafaakin/alpine-iperf iperf -c 10.0.1.2 -m
------------------------------------------------------------
Client connecting to 10.0.1.2, TCP port 5001
TCP window size:  325 KByte (default)
------------------------------------------------------------
[  3] local 10.0.1.4 port 53094 connected with 10.0.1.2 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.76 GBytes  1.51 Gbits/sec
[  3] MSS size 7898 bytes (MTU 7938 bytes, unknown interface)
kevinsuo

comment created time in 2 months

issue commentmoby/moby

Swarm services hang forever in "new" status when using custom subnet with overlay networks (17.12 ce)

@mbovo not sure if there were any issues in this area in the past but I do not see this issue with the latest version (19.03.5)

🐳 ~/go-workspace/src/github.com/docker/libnetwork$ docker version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:22:34 2019
 OS/Arch:           darwin/amd64
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea
  Built:            Wed Nov 13 07:29:19 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

🐳 ~/go-workspace/src/github.com/docker/libnetwork$ docker network create -d overlay --ipam-driver default --subnet 172.29.21.0/29 test
yt18wyxbr2qytrlelobeb9l6m
🐳 ~/go-workspace/src/github.com/docker/libnetwork$ docker service create --name test --network test nginx
26zbrw7nrax1wnndhfwp5a9jq
overall progress: 1 out of 1 tasks 
1/1: running   [==================================================>] 
verify: Service converged

🐳 ~/go-workspace/src/github.com/docker/libnetwork$ docker service ps test
ID                  NAME                IMAGE               NODE                DESIRED STATE       CURRENT STATE                ERROR               PORTS
1eovkogu0xtm        test.1              nginx:latest        docker-desktop      Running             Running about a minute ago                       

mbovo

comment created time in 2 months

pull request commentdocker/libnetwork

Support for com.docker.network.host_ipv4 driver label

good catch @P4sca1

arkodg

comment created time in 2 months

pull request commentdocker/libnetwork

Support for com.docker.network.host_ipv4 driver label

@Mattzi @itouch5000 @P4sca1 any thoughts for a better label name? TOL - does it make more sense to specify an interface in the label (com.docker.network.host_nat_iface=eth0)

arkodg

comment created time in 2 months

issue commentmoby/moby

IPv6 address pool subnet smaller than /80 causes dockerd to consume all available RAM

yes the issue is we are allocating too much space https://github.com/docker/libnetwork/blob/1680ce717394f8aa9ba6de26b851b7e02699d490/ipamutils/utils.go#L114 We should maybe limit n to 20 bits / 1M space

bluikko

comment created time in 2 months
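The allocation problem named in the comment above, as an added example (not libnetwork's code): splitting a pool base into subnets of a given prefix length yields 2^(size - base length) entries, so the count has to be bounded before anything is allocated. The function names, the error value and the sample pools are assumptions of this sketch; the 20-bit cap is the limit the comment proposes.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"net"
)

// maxSplitBits bounds one pool to 2^20 (about 1M) subnets, the limit proposed
// in the comment above. The value and all names here are this example's own.
const maxSplitBits = 20

// ErrPoolTooLarge is returned before any allocation takes place.
var ErrPoolTooLarge = errors.New("address pool yields too many subnets")

// SubnetCount returns how many /size subnets fit in base and rejects
// configurations whose count exceeds 2^maxSplitBits.
func SubnetCount(base string, size int) (uint64, error) {
	_, ipnet, err := net.ParseCIDR(base)
	if err != nil {
		return 0, err
	}
	ones, bits := ipnet.Mask.Size()
	if size < ones || size > bits {
		return 0, fmt.Errorf("size /%d does not fit inside %s", size, base)
	}
	if size-ones > maxSplitBits {
		return 0, fmt.Errorf("%w: %s as /%d needs 2^%d entries",
			ErrPoolTooLarge, base, size, size-ones)
	}
	return uint64(1) << uint(size-ones), nil
}

// Split enumerates the subnets, allocating only after SubnetCount accepted.
func Split(base string, size int) ([]*net.IPNet, error) {
	n, err := SubnetCount(base, size)
	if err != nil {
		return nil, err
	}
	_, ipnet, _ := net.ParseCIDR(base) // already validated above
	_, bits := ipnet.Mask.Size()
	start := new(big.Int).SetBytes(ipnet.IP)
	step := new(big.Int).Lsh(big.NewInt(1), uint(bits-size))
	out := make([]*net.IPNet, 0, n)
	for i := uint64(0); i < n; i++ {
		off := new(big.Int).Mul(step, new(big.Int).SetUint64(i))
		ip := make(net.IP, bits/8)
		off.Add(off, start).FillBytes(ip)
		out = append(out, &net.IPNet{IP: ip, Mask: net.CIDRMask(size, bits)})
	}
	return out, nil
}

func main() {
	// Constructed pools: the first two are small, the last is the failure case.
	for _, p := range []struct {
		base string
		size int
	}{{"192.168.0.0/16", 18}, {"fdaa:bbbb:cccc::/48", 50}, {"fd00::/8", 64}} {
		subs, err := Split(p.base, p.size)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s -> %d subnets, first %s, last %s\n",
			p.base, len(subs), subs[0], subs[len(subs)-1])
	}
}
```
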

pull request commentdocker/libnetwork

Support for com.docker.network.host_ipv4 driver label

ping @suwang48404 @euanh

arkodg

comment created time in 2 months

PR closed docker/libnetwork

[WIP] Fix subnet calc ipv6
+57 -7

0 comment

2 changed files

arkodg

pr closed time in 2 months

PR opened docker/libnetwork

[WIP] Fix subnet calc ipv6
+57 -7

0 comment

2 changed files

pr created time in 2 months

create branch arkodg/libnetwork

branch : fix-subnet-calc-ipv6

created branch time in 2 months

issue commentdocker/for-linux

Load balancing under Docker Swarm not working if worker nodes do not advertise their IP address

@dejanstamenov from the first comment it looks like you might have been behind a NAT so the primary iface IP was not reachable, which is why you needed to manually specify the --advertise-addr and from the last comment it looks like your master node does not have the ingress sbox (dockerd logs would help for this case and repro steps as well)

dejanstamenov

comment created time in 2 months

issue commentdocker/for-linux

Load balancing under Docker Swarm not working if worker nodes do not advertise their IP address

@dejanstamenov are you executing that command on the master node?

dejanstamenov

comment created time in 2 months

issue commentdocker/for-linux

docker may left orphaned veth interface after container deletion

unable to reproduce this issue with Ubuntu 16.04.06 and the above script. @style95 issues in this area have been fixed since 2017, curious if you are seeing it with the latest release

n0npax

comment created time in 2 months

issue commentdocker/for-linux

Load balancing under Docker Swarm not working if worker nodes do not advertise their IP address

@xperjon that would make sense if Node3 is behind a NAT

dejanstamenov

comment created time in 2 months

issue commentdocker/for-linux

Docker CE deletes IPv6 Default route

yes, my bad

i2blind

comment created time in 2 months

issue commentdocker/for-linux

Docker CE deletes IPv6 Default route

@i2blind looks like there is an expiry time on the route based on https://docs.docker.com/v17.09/engine/userguide/networking/default_network/ipv6/ and https://www.mattb.net.nz/blog/2011/05/12/linux-ignores-ipv6-router-advertisements-when-forwarding-is-enabled/, since docker enables forwarding on interfaces, RA's are ignored. Can you please try setting sysctl net.ipv6.conf.eth0.accept_ra=2 during boot up

i2blind

comment created time in 2 months

pull request commentdocker/libnetwork

Fix panic in drivers/overlay/encryption.go

@dani-docker thanks !

arkodg

comment created time in 2 months

pull request commentmoby/moby

Support host.docker.internal in dockerd on Linux

I'm not sure what the true difference between gateway.docker.internal and host.docker.internal is? @djs55 might know

Sidenote - We need a similar fix in docker-cli in opts/hosts.go once this PR is approved

arkodg

comment created time in 2 months

push eventarkodg/moby

Arko Dasgupta

commit sha 30103d32553ba041b482da4712c9dbf308249a95

Convert HostGatewayIP to net.IP Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

view details

push time in 3 months

Pull request review commentmoby/moby

Support host.docker.internal in dockerd on Linux

 func (daemon *Daemon) buildSandboxOptions(container *container.Container) ([]lib 			return nil, err 		} 		parts := strings.SplitN(extraHost, ":", 2)+		// If the IP Address is a string called "host-gateway", replace this+		// value with the IP address stored in the daemon level HostGatewayIP+		// config variable+		if parts[1] == network.HostGatewayName {+			if gateway := daemon.configStore.HostGatewayIP; net.ParseIP(gateway) != nil {+				parts[1] = gateway+			} else {+				logrus.Warnf("HostGatewayIP value %s is invalid", gateway)
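Review bot: The else branch at the end of this hunk only logs a warning when HostGatewayIP does not parse, and no visible line resets parts[1], so the literal host-gateway string appears to be carried forward as the address for the extra host. Consider returning an error from buildSandboxOptions at that point, and wording the unset case separately, since "HostGatewayIP value %s is invalid" prints an empty value when nothing was configured.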

there can be a case where default bridge is disabled and the HostGatewayIP is not set, in that case might be best to bail out?

arkodg

comment created time in 3 months

Pull request review commentmoby/moby

Support host.docker.internal in dockerd on Linux

 func installCommonConfigFlags(conf *config.Config, flags *pflag.FlagSet) error { 	flags.Var(opts.NewListOptsRef(&conf.DNS, opts.ValidateIPAddress), "dns", "DNS server to use") 	flags.Var(opts.NewNamedListOptsRef("dns-opts", &conf.DNSOptions, nil), "dns-opt", "DNS options to use") 	flags.Var(opts.NewListOptsRef(&conf.DNSSearch, opts.ValidateDNSSearch), "dns-search", "DNS search domains to use")+	flags.StringVar(&conf.HostGatewayIP, "host-gateway-ip", "", "dockerd will resolve the IP Address to this IP "+
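Review bot: host-gateway-ip is registered with a plain flags.StringVar, while the dns flag a few lines above it goes through opts.ValidateIPAddress. Validating the value when the flag is parsed, or storing it as an IP type rather than a string, would reject a malformed address at daemon start instead of leaving each consumer to run net.ParseIP on it later.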

ack

arkodg

comment created time in 3 months

push eventarkodg/moby

Arko Dasgupta

commit sha 1d52cb3c5e4b909a34027b120d8d906c3a8420c0

Support host.docker.internal in dockerd on Linux

Docker Desktop (on Mac and Windows hosts) allows containers running inside a Linux VM to connect to the host using the host.docker.internal DNS name, which is implemented by VPNkit (DNS proxy on the host)

This PR allows containers to connect to Linux hosts by appending a special string "host-gateway" to --add-host e.g. "--add-host=host.docker.internal:host-gateway" which adds host.docker.internal DNS entry in /etc/hosts and maps it to host-gateway-ip

This PR also adds a daemon flag called host-gateway-ip which defaults to the default bridge IP

Docker Desktop will need to set this field to the Host Proxy IP so DNS requests for host.docker.internal can be routed to VPNkit

Addresses: https://github.com/docker/for-linux/issues/264

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

view details

push time in 3 months

pull request commentdocker/docker.github.io

Add algorithm label

@traci-morrison AFAIK we are not releasing a new version of Interlock for November (@euanh please correct me if I'm wrong) so we don't need to merge this yet

traci-morrison

comment created time in 3 months

pull request commentmoby/moby

Support host.docker.internal in dockerd on Linux

@tiborvass PTAL

arkodg

comment created time in 3 months

push eventarkodg/moby

Arko Dasgupta

commit sha ad495a290871b0c40c511c2f7849871aebe67b34

Support host.docker.internal in dockerd on Linux

Docker Desktop (on Mac and Windows hosts) allows containers running inside a Linux VM to connect to the host using the host.docker.internal DNS name, which is implemented by VPNkit (DNS proxy on the host)

This PR allows containers to connect to Linux hosts by appending a special string "host-gateway" to --add-host e.g. "--add-host=host.docker.internal:host-gateway" which adds host.docker.internal DNS entry in /etc/hosts and maps it to host-gateway-ip

This PR also adds a daemon flag called host-gateway-ip which defaults to the default bridge IP

Docker Desktop will need to set this field to the Host Proxy IP so DNS requests for host.docker.internal can be routed to VPNkit

Addresses: https://github.com/docker/for-linux/issues/264

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

view details

push time in 3 months

issue commentmoby/moby

Service which is deployed as part of a stack has an illegal character in its DNS name

changing the format now will disrupt legacy systems. A workaround is to add ALIASES for the service in the compose file that does not use _ and circumvents the library check. https://docs.docker.com/compose/compose-file/ has some examples for aliases

raehalme

comment created time in 3 months

push eventarkodg/moby

Arko Dasgupta

commit sha b566735504d3bf25d5a26337435d2b37f6b1fc69

Support host.docker.internal in dockerd on Linux

Docker Desktop (on Mac and Windows hosts) allows containers running inside a Linux VM to connect to the host using the host.docker.internal DNS name, which is implemented by VPNkit (DNS proxy on the host)

This PR allows containers to connect to Linux hosts by appending a special string "host-gateway" to --add-host e.g. "--add-host=host.docker.internal:host-gateway" which adds host.docker.internal DNS entry in /etc/hosts and maps it to host-gateway-ip

This PR also adds a daemon flag called host-gateway-ip which defaults to the default bridge IP

Docker Desktop will need to set this field to the Host Proxy IP so DNS requests for host.docker.internal can be routed to VPNkit

Addresses: https://github.com/docker/for-linux/issues/264

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

view details

push time in 3 months

pull request commentmoby/moby

Support host.docker.internal in dockerd on Linux

updated the PR , would appreciate suggestions for a better name, picked host-gateway as a placeholder

docker run -it --add-host=host-gateway alpine cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.18.0.1	host.docker.internal
172.18.0.1	gateway.docker.internal
172.18.0.2	e25baec2305e
arkodg

comment created time in 3 months

push eventarkodg/moby

Arko Dasgupta

commit sha dd6d54b18deadc5537942177324fe132b10a1ede

Support host.docker.internal in dockerd on Linux

Docker Desktop (on Mac and Windows hosts) allows containers running inside a Linux VM to connect to the host using the host.docker.internal DNS name, which is implemented by VPNkit (DNS proxy on the host)

This PR allows containers to connect to Linux hosts by appending a special string "host-gateway" to --add-host which adds host.docker.internal DNS entry in /etc/hosts and maps it to host-gateway-ip

This PR also adds a daemon flag called host-gateway-ip which defaults to the default bridge IP

Docker Desktop will need to set this field to the Host Proxy IP so DNS requests for host.docker.internal can be routed to VPNkit

Addresses: https://github.com/docker/for-linux/issues/264

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

view details

push time in 3 months

fork arkodg/cli

The Docker CLI

fork in 3 months

issue commentmoby/moby

Proxy Protocol support in Swarm ingress

It's a different use case @danielecr. The solution for this issue is to create a global service and publish in host mode or run a Layer 7 proxy like traefik in host mode and route L7 traffic to the appropriate backend service

sandys

comment created time in 3 months

pull request commentdocker/libnetwork

Fix panic in drivers/overlay/encryption.go

@dani-docker updateNodeKey is called which fails since it cannot find proper key indices. This triggers the new code to be executed and the driver receives this event https://github.com/docker/libnetwork/blob/4420ee92f5b3b951f98a36b2bc8144a19b560a22/drivers/overlay/overlay.go#L340 and calls setKeys which resets the spis https://github.com/docker/libnetwork/blob/1f28166bb386cf9223d2d00a28382b0e474be314/drivers/overlay/encryption.go#L440 and checkEncryption will rebuild the spis if there is a new service that lands on that node

arkodg

comment created time in 3 months

pull request commentdocker/libnetwork

Updating IPAM config with results from HNS create network call.

@subbunori can you please update to latest 19.03 version and this fix should be present. Here are the commits in the 19.03 branch - https://github.com/docker/libnetwork/commits/bump_19.03

pradipd

comment created time in 3 months

pull request commentdocker/libnetwork

Fix panic in drivers/overlay/encryption.go

PTAL @dani-docker @selansen @euanh

arkodg

comment created time in 3 months

pull request commentdocker/libnetwork

Fix panic in drivers/overlay/encryption.go

Debug Logs

DEBU[2019-10-31T18:19:19.488287400Z] Adding key 5a857                             
DEBU[2019-10-31T18:19:19.488378800Z] Primary Key f6140                            
DEBU[2019-10-31T18:19:19.488410400Z] Remove Key e0599                             
DEBU[2019-10-31T18:19:19.488448600Z] Updating Keys. New: (key: 780b0, tag: 0xaf42), Primary: (key: 42428, tag: 0xaf40), Pruned: (key: 20839, tag: 0xaf3c) 
DEBU[2019-10-31T18:19:19.488518200Z] Current: [(key: 41474, tag: 0xaf38) (key: 57349, tag: 0xaf36) (key: 42428, tag: 0xaf40)] 
WARN[2019-10-31T18:19:19.488691700Z] Failed to update datapath keys in driver overlay: cannot find proper key indices while processing key update:(newIdx,priIdx,delIdx):(3, 2, -1) 
WARN[2019-10-31T18:19:19.488766000Z] Reconfiguring datapath keys for  overlay     
DEBU[2019-10-31T18:19:19.488930100Z] Initial encryption keys: [(key: 42428, tag: 0xaf40) (key: 70624, tag: 0xaf3e) (key: 780b0, tag: 0xaf42)] 

Subsequent Logs

DEBU[2019-10-31T18:19:39.454300900Z] Adding key 61b2c                             
DEBU[2019-10-31T18:19:39.454371400Z] Primary Key 5a857                            
DEBU[2019-10-31T18:19:39.454716600Z] Remove Key c2839                             
DEBU[2019-10-31T18:19:39.454791000Z] Updating Keys. New: (key: 2aa25, tag: 0xaf44), Primary: (key: 780b0, tag: 0xaf42), Pruned: (key: 70624, tag: 0xaf3e) 
DEBU[2019-10-31T18:19:39.454874200Z] Current: [(key: 42428, tag: 0xaf40) (key: 70624, tag: 0xaf3e) (key: 780b0, tag: 0xaf42)] 
DEBU[2019-10-31T18:19:39.455003400Z] Updated: [(key: 780b0, tag: 0xaf42) (key: 42428, tag: 0xaf40) (key: 2aa25, tag: 0xaf44)] 
arkodg

comment created time in 3 months
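A simplified model of the recovery path described in the two comments above, as an added example (not libnetwork's code): an incremental key update that fails when a named key is missing from the local list, followed by a reset from the complete key set. The Key type, the function names and passing the full key set as a parameter are assumptions of this sketch; the key values and tags are the ones shown in the debug logs.

```go
package main

import (
	"errors"
	"fmt"
)

// Key is a datapath key, identified by the tag printed in the debug logs.
type Key struct {
	Value string
	Tag   uint32
}

// ErrKeyIndices mirrors the "cannot find proper key indices" warning.
var ErrKeyIndices = errors.New("cannot find proper key indices")

// indexOf returns the position of k (matched by tag) in keys, or -1.
func indexOf(keys []Key, k *Key) int {
	if k != nil {
		for i := range keys {
			if keys[i].Tag == k.Tag {
				return i
			}
		}
	}
	return -1
}

// UpdateKeys applies one rotation: append newKey, move primary to slot 0 and
// drop pruned. It leaves cur untouched and fails if a named key is unknown.
func UpdateKeys(cur []Key, newKey, primary, pruned *Key) ([]Key, error) {
	keys := append([]Key{}, cur...)
	if newKey != nil {
		keys = append(keys, *newKey)
	}
	ni, pi, di := indexOf(keys, newKey), indexOf(keys, primary), indexOf(keys, pruned)
	if (newKey != nil && ni < 0) || (primary != nil && pi < 0) || (pruned != nil && di < 0) {
		return cur, fmt.Errorf("%w (newIdx,priIdx,delIdx):(%d, %d, %d)", ErrKeyIndices, ni, pi, di)
	}
	if pi > 0 {
		keys[0], keys[pi] = keys[pi], keys[0]
		if di == 0 { // the pruned key was just swapped out of slot 0
			di = pi
		}
	}
	if di >= 0 {
		keys = append(keys[:di], keys[di+1:]...)
	}
	return keys, nil
}

// Rotate falls back to a reset from the complete key set when the incremental
// update cannot be applied, so the node does not keep a stale key list.
func Rotate(cur []Key, newKey, primary, pruned *Key, full []Key) ([]Key, bool, error) {
	keys, err := UpdateKeys(cur, newKey, primary, pruned)
	if err != nil {
		return append([]Key{}, full...), true, err
	}
	return keys, false, nil
}

func main() {
	// Key values and tags copied from the debug logs above.
	cur := []Key{{"41474", 0xaf38}, {"57349", 0xaf36}, {"42428", 0xaf40}}
	full := []Key{{"42428", 0xaf40}, {"70624", 0xaf3e}, {"780b0", 0xaf42}}
	keys, reset, err := Rotate(cur, &Key{"780b0", 0xaf42}, &Key{"42428", 0xaf40}, &Key{"20839", 0xaf3c}, full)
	fmt.Println(keys, reset, err)
	keys, reset, err = Rotate(keys, &Key{"2aa25", 0xaf44}, &Key{"780b0", 0xaf42}, &Key{"70624", 0xaf3e}, full)
	fmt.Println(keys, reset, err)
}
```
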
