Intermittent masquerading failure caused by floating docker bridge MAC #14908
Comments
@rade has determined that this bug affects 1.7.0 only:
@mavenugo thankyou - in the meantime we're going to work around the problem for our users by implementing weaveworks/weave#1229. Any resolution to #14738 must yield the following:
to avoid this issue recurring; the following blog post explains the root cause in detail.
@thaJeztah Yep. This is resolved via #14908. Closing it.
Environment
Problem
Whilst investigating weaveworks/weave#1171 I have uncovered a subtle problem involving the interplay between Linux bridge semantics, docker -p installed MASQUERADE rules and netfilter connection tracking. Refer to this comment for a detailed description, but essentially the failure to explicitly set the docker0 MAC address can under certain circumstances cause abnormal deletion of conntrack flows from the host, ultimately resulting in connections to published services being reset intermittently.
Symptoms
The following symptoms may be observed randomly on docker hosts at times when containers are being started:
Solution
Explicitly setting the docker bridge hardware address disables the floating MAC behaviour, presenting a stable default gateway MAC to application containers thus eliminating the circumstance which can cause the host kernel to prematurely drop conntrack flows.
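The following script is an added illustration of the workaround described above; it is not code from this issue, from Docker, or from Weave. It assumes iproute2's ip link command (ip link set dev docker0 address ... pins a bridge MAC, ip link show docker0 reports it) and uses a constructed pair of ip link outputs to show what a "floated" docker0 MAC looks like when the bridge silently adopts the lowest MAC among its attached veth ports. The helpers validate a candidate MAC, force the locally-administered bit so the pinned address can never collide with a burned-in one, and compare two observations so an operator can spot the drift that precedes the conntrack flow loss.

```shell
#!/usr/bin/env bash
# Added example (not from the Docker issue, Docker, or Weave): pin docker0 to a fixed,
# locally administered MAC and detect the floating-MAC symptom from `ip link` output.
# The sample `ip link` output below is constructed, not captured from a real host.
set -eu

# Lowercase and validate a MAC, then force the locally-administered bit (0x02) on and
# the multicast bit (0x01) off in the first octet, the convention for software-assigned
# addresses. Prints the normalised MAC; returns 1 on malformed input.
local_admin_mac() {
    local mac first rest
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    first=$(( (0x${mac%%:*} | 0x02) & ~0x01 ))
    rest=${mac#*:}
    printf '%02x:%s\n' "$first" "$rest"
}

# Extract the link-layer address from `ip link show <dev>` output supplied on stdin.
bridge_mac() {
    awk '/link\/ether/ { print $2; exit }'
}

# Succeed when two observations of the bridge MAC agree; fail when the MAC has moved.
mac_stable() {
    [ "$1" = "$2" ]
}

# Constructed samples: docker0 before a container starts, and after the bridge has
# taken over the (lower) MAC of a newly attached container veth.
SAMPLE_BEFORE='4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 56:84:7a:fe:97:99 brd ff:ff:ff:ff:ff:ff'
SAMPLE_AFTER='4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:0f:7e:2a:b1:c3 brd ff:ff:ff:ff:ff:ff'

# Pin the real bridge MAC. Needs root and an existing docker0; once set explicitly the
# bridge stops adopting port MACs, which is the fix the issue describes.
pin_docker0_mac() {
    local mac
    mac=$(local_admin_mac "$1")
    ip link set dev docker0 address "$mac"
}

# Compare a "before" and "after" observation and report drift.
report_drift() {
    local before after
    before=$(printf '%s\n' "$1" | bridge_mac)
    after=$(printf '%s\n' "$2" | bridge_mac)
    if mac_stable "$before" "$after"; then
        echo "docker0 MAC stable at $before"
    else
        echo "docker0 MAC floated: $before -> $after (conntrack flows at risk)"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    report_drift "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
fi
```

Run with --demo to see the constructed drift reported; on a live host, capture ip link show docker0 before and after starting a container and feed both captures to report_drift, then apply pin_docker0_mac with a chosen address (for example the current docker0 MAC) so later container starts cannot move it.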