Browse code
Make daemon to start with no userlandproxy by default
This PR makes a user visible behavior change with userland
proxy disabled by default and rely on hairpin NAT to be enabled
by default. This may not work in older (unsupported) kernels
where the user will be forced to enable userlandproxy if needed.
- Updated the Docs
- Changed the integration-cli to start with userlandproxy
desiabled by default.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Jana Radhakrishnan authored on 2015/07/25 06:32:30Showing 7 changed files
- daemon/config_unix.go
- docs/articles/networking.md
- docs/reference/commandline/daemon.md
- hack/make/.integration-daemon-start
- integration-cli/docker_cli_daemon_test.go
- integration-cli/docker_utils.go
- man/docker.1.md
| ... | ... |
@@ -74,7 +74,7 @@ func (config *Config) InstallFlags(cmd *flag.FlagSet, usageFn func(string) strin |
| 74 | 74 |
cmd.Var(opts.NewIPOpt(&config.Bridge.DefaultGatewayIPv6, ""), []string{"-default-gateway-v6"}, usageFn("Container default gateway IPv6 address"))
|
| 75 | 75 |
cmd.BoolVar(&config.Bridge.InterContainerCommunication, []string{"#icc", "-icc"}, true, usageFn("Enable inter-container communication"))
|
| 76 | 76 |
cmd.Var(opts.NewIPOpt(&config.Bridge.DefaultIP, "0.0.0.0"), []string{"#ip", "-ip"}, usageFn("Default IP when binding container ports"))
|
| 77 |
- cmd.BoolVar(&config.Bridge.EnableUserlandProxy, []string{"-userland-proxy"}, true, usageFn("Use userland proxy for loopback traffic"))
|
|
| 77 |
+ cmd.BoolVar(&config.Bridge.EnableUserlandProxy, []string{"-userland-proxy"}, false, usageFn("Use userland proxy for loopback traffic"))
|
|
| 78 | 78 |
cmd.BoolVar(&config.EnableCors, []string{"#api-enable-cors", "#-api-enable-cors"}, false, usageFn("Enable CORS headers in the remote API, this is deprecated by --api-cors-header"))
|
| 79 | 79 |
cmd.StringVar(&config.CorsHeaders, []string{"-api-cors-header"}, "", usageFn("Set CORS headers in the remote API"))
|
| 80 | 80 |
|
| ... | ... |
@@ -471,7 +471,7 @@ editing this setting. |
| 471 | 471 |
> container. In such conflicting situation, Docker created iptables rules will |
| 472 | 472 |
> take precedence and route to the container. |
| 473 | 473 |
|
| 474 |
-The `--userland-proxy` parameter, true by default, provides a userland |
|
| 474 |
+The `--userland-proxy` parameter, false by default, provides a userland |
|
| 475 | 475 |
implementation for inter-container and outside-to-container communication. When |
| 476 | 476 |
disabled, Docker uses both an additional `MASQUERADE` iptable rule and the |
| 477 | 477 |
`net.ipv4.route_localnet` kernel parameter which allow the host machine to |
| ... | ... |
@@ -56,7 +56,7 @@ weight=1 |
| 56 | 56 |
--tlscert="~/.docker/cert.pem" Path to TLS certificate file |
| 57 | 57 |
--tlskey="~/.docker/key.pem" Path to TLS key file |
| 58 | 58 |
--tlsverify=false Use TLS and verify the remote |
| 59 |
- --userland-proxy=true Use userland proxy for loopback traffic |
|
| 59 |
+ --userland-proxy=false Use userland proxy for loopback traffic |
|
| 60 | 60 |
|
| 61 | 61 |
Options with [] may be specified multiple times. |
| 62 | 62 |
|
| ... | ... |
@@ -14,7 +14,7 @@ exec 41>&1 42>&2 |
| 14 | 14 |
|
| 15 | 15 |
export DOCKER_GRAPHDRIVER=${DOCKER_GRAPHDRIVER:-vfs}
|
| 16 | 16 |
export DOCKER_EXECDRIVER=${DOCKER_EXECDRIVER:-native}
|
| 17 |
-export DOCKER_USERLANDPROXY=${DOCKER_USERLANDPROXY:-true}
|
|
| 17 |
+export DOCKER_USERLANDPROXY=${DOCKER_USERLANDPROXY:-false}
|
|
| 18 | 18 |
|
| 19 | 19 |
# example usage: DOCKER_STORAGE_OPTS="dm.basesize=20G,dm.loopdatasize=200G" |
| 20 | 20 |
storage_params="" |
| ... | ... |
@@ -860,7 +860,6 @@ func (s *DockerDaemonSuite) TestDaemonIP(c *check.C) {
|
| 860 | 860 |
out, err := d.Cmd("run", "-d", "-p", "8000:8000", "busybox", "top")
|
| 861 | 861 |
c.Assert(err, check.NotNil, |
| 862 | 862 |
check.Commentf("Running a container must fail with an invalid --ip option"))
|
| 863 |
- c.Assert(strings.Contains(out, "Error starting userland proxy"), check.Equals, true) |
|
| 864 | 863 |
|
| 865 | 864 |
ifName := "dummy" |
| 866 | 865 |
out, err = createInterface(c, "dummy", ifName, ipStr) |
| ... | ... |
@@ -69,7 +69,7 @@ func NewDaemon(c *check.C) *Daemon {
|
| 69 | 69 |
c.Fatalf("Could not create %s/graph directory", daemonFolder)
|
| 70 | 70 |
} |
| 71 | 71 |
|
| 72 |
- userlandProxy := true |
|
| 72 |
+ userlandProxy := false |
|
| 73 | 73 |
if env := os.Getenv("DOCKER_USERLANDPROXY"); env != "" {
|
| 74 | 74 |
if val, err := strconv.ParseBool(env); err != nil {
|
| 75 | 75 |
userlandProxy = val |
| ... | ... |
@@ -161,7 +161,7 @@ unix://[/path/to/socket] to use. |
| 161 | 161 |
Default is false. |
| 162 | 162 |
|
| 163 | 163 |
**--userland-proxy**=*true*|*false* |
| 164 |
- Rely on a userland proxy implementation for inter-container and outside-to-container loopback communications. Default is true. |
|
| 164 |
+ Rely on a userland proxy implementation for inter-container and outside-to-container loopback communications. Default is false. |
|
| 165 | 165 |
|
| 166 | 166 |
**-v**, **--version**=*true*|*false* |
| 167 | 167 |
Print version information and quit. Default is false. |