Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rename socket_proxy to zsocket_proxy #230

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

DennisGaida
Copy link
Contributor

docker-compose v2 had network priority, unfortunately docker-compose v3 does not have this functionality (yet?). See docker/cli#1372

Networks are assigned to containers using alphabetical order, in this case it means that "socket_proxy" is always ordered before "t2_proxy", this in turn means that the default gateway in containers is always the "socket_proxy" gateway and therefore the outgoing IP address to other containers. I believe this is wrong and the outgoing containers' IPs should always be the default networks gateway and respective IP as well as the traefik containers' IP - never the socket-proxy IP.

I recently ran into this problem due to Authelia refusing oauth requests from container-to-container since I didn't allow the socket-proxy network to communicate via Authelia (because why should it, it should always just be container <-> docker sock).

Taking the traefik container as an example:

Before the change

$  docker exec traefik route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.91.1    0.0.0.0         UG    0      0        0 eth0
192.168.90.0    *               255.255.255.0   U     0      0        0 eth1
192.168.91.0    *               255.255.255.0   U     0      0        0 eth0

After the change

(note the assignment of eth0/eth1)

$  docker exec traefik route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.90.1    0.0.0.0         UG    0      0        0 eth0
192.168.90.0    *               255.255.255.0   U     0      0        0 eth0
192.168.91.0    *               255.255.255.0   U     0      0        0 eth1

This could have been changed in docker-compose v2 with the priority attribute (assigning e.g. priority: 10 to the traefik proxy network), but this just doesn't work with docker-compose v3. 😐

docker-compose v2 had network priority, unfortunately docker-compose v3 does not have this functionality (yet?). See docker/cli#1372

Networks are assigned to containers using alphabetical order, in this case it means that "socket_proxy" is always ordered before "t2_proxy", this in turn means that the default gateway in containers is always the "socket_proxy" gateway and therefore the outgoing IP address to other containers. I believe this is wrong and the outgoing containers' IPs should always be the default networks gateway and respective IP as well as the traefik containers' IP - never the socket-proxy IP.

I recently ran into this problem due to Authelia refusing oauth requests from container-to-container since I didn't allow the socket-proxy network to communicate via Authelia (because why should it, it should always just be container <-> docker sock).

Taking the traefik container as an example:

### Before the change

```shell
$  docker exec traefik route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.91.1    0.0.0.0         UG    0      0        0 eth0
192.168.90.0   *               255.255.255.0   U     0      0        0 eth1
192.168.91.0   *               255.255.255.0   U     0      0        0 eth0
```

### After the change
(note the assignment of eth0/eth1)

```shell
$  docker exec traefik route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.90.1    0.0.0.0         UG    0      0        0 eth0
192.168.90.0   *               255.255.255.0   U     0      0        0 eth0
192.168.91.0   *               255.255.255.0   U     0      0        0 eth1
```

This could have been changed in docker-compose v2 with the `priority` attribute (assigning e.g. `priority: 10` to traefik), but this just doesn't work with docker-compose v3. 😐
@anandslab
Copy link
Owner

Sorry for the delay. The reason i havent' merged this yet is because i will have to modify a whole bunch of documentation to reflect this.

@bwsinger
Copy link

bwsinger commented Dec 8, 2024

Looks like this is finally going to be addressed.

This issue was brought up on the docker/compose github: docker/compose#12170
Which lead to an issue on Moby: moby/moby#48868
Which resulted in a fix adding the priority setting: moby/moby#48936

According to the Moby issue, the fix should be part of the Moby v28 release (currently v27 at time of posting). Hard to tell how long until Moby v28 is released and from that point how long until Docker Compose adopts it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants