21fc078476
This re-applies commit b39d02b with additional iptables rules to solve the issue with containers routing back into themselves. The previous issue with this attempt was that the DNAT rule would send traffic back into the container it came from. When this happens you have 2 issues. 1) reverse path filtering. The container is going to see the traffic coming in from the outside and it's going to have a source address of itself. So reverse path filtering will kick in and drop the packet. 2) direct return mismatch. Assuming you turned reverse path filtering off, when the packet comes back in, it's goign to have a source address of itself, thus when the reply traffic is sent, it's going to have a source address of itself. But the original packet was sent to the host IP address, so the traffic will be dropped because it's coming from an address which the original traffic was not sent to (and likely with an incorrect port as well). The solution to this is to masquerade the traffic when it gets routed back into the origin container. However for this to work you need to enable hairpin mode on the bridge port, otherwise the kernel will just drop the traffic. The hairpin mode set is part of libcontainer, while the MASQ change is part of docker. This reverts commit 63c303eecdbaf4dc7967fd51b82cd447c778cecc. Docker-DCO-1.1-Signed-off-by: Patrick Hemmer <patrick.hemmer@gmail.com> (github: phemmer) |
||
|---|---|---|
| archive | ||
| broadcastwriter | ||
| fileutils | ||
| graphdb | ||
| httputils | ||
| ioutils | ||
| iptables | ||
| jsonlog | ||
| listenbuffer | ||
| mflag | ||
| mount | ||
| namesgenerator | ||
| networkfs | ||
| parsers | ||
| pools | ||
| promise | ||
| proxy | ||
| reexec | ||
| signal | ||
| stdcopy | ||
| symlink | ||
| sysinfo | ||
| system | ||
| systemd | ||
| tailfile | ||
| tarsum | ||
| term | ||
| testutils | ||
| timeutils | ||
| truncindex | ||
| units | ||
| version | ||
| README.md | ||
pkg/ is a collection of utility packages used by the Docker project without being specific to its internals.
Utility packages are kept separate from the docker core codebase to keep it as small and concise as possible. If some utilities grow larger and their APIs stabilize, they may be moved to their own repository under the Docker organization, to facilitate re-use by other projects. However that is not the priority.
The directory pkg is named after the same directory in the camlistore project. Since Brad is a core
Go maintainer, we thought it made sense to copy his methods for organizing Go code :) Thanks Brad!
Because utility packages are small and neatly separated from the rest of the codebase, they are a good place to start for aspiring maintainers and contributors. Get in touch if you want to help maintain them!