Browse code
Windows [TP4] localhost mitigation
Signed-off-by: John Howard <jhoward@microsoft.com>
John Howard authored on 2015/11/07 06:52:59Showing 3 changed files
| ... | ... |
@@ -14,9 +14,6 @@ import ( |
| 14 | 14 |
var ( |
| 15 | 15 |
alphaRegexp = regexp.MustCompile(`[a-zA-Z]`) |
| 16 | 16 |
domainRegexp = regexp.MustCompile(`^(:?(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]))(:?\.(:?[a-zA-Z0-9]|(:?[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])))*)\.?\s*$`) |
| 17 |
- // DefaultHTTPHost Default HTTP Host used if only port is provided to -H flag e.g. docker daemon -H tcp://:8080 |
|
| 18 |
- DefaultHTTPHost = "localhost" |
|
| 19 |
- |
|
| 20 | 17 |
// DefaultHTTPPort Default HTTP Port used if only the protocol is provided to -H flag e.g. docker daemon -H tcp:// |
| 21 | 18 |
// TODO Windows. DefaultHTTPPort is only used on Windows if a -H parameter |
| 22 | 19 |
// is not supplied. A better longer term solution would be to use a named |
| 0 | 6 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,56 @@ |
| 0 |
+package opts |
|
| 1 |
+ |
|
| 2 |
+// TODO Windows. Identify bug in GOLang 1.5.1 and/or Windows Server 2016 TP4. |
|
| 3 |
+// @jhowardmsft, @swernli. |
|
| 4 |
+// |
|
| 5 |
+// On Windows, this mitigates a problem with the default options of running |
|
| 6 |
+// a docker client against a local docker daemon on TP4. |
|
| 7 |
+// |
|
| 8 |
+// What was found that if the default host is "localhost", even if the client |
|
| 9 |
+// (and daemon as this is local) is not physically on a network, and the DNS |
|
| 10 |
+// cache is flushed (ipconfig /flushdns), then the client will pause for |
|
| 11 |
+// exactly one second when connecting to the daemon for calls. For example |
|
| 12 |
+// using docker run windowsservercore cmd, the CLI will send a create followed |
|
| 13 |
+// by an attach. You see the delay between the attach finishing and the attach |
|
| 14 |
+// being seen by the daemon. |
|
| 15 |
+// |
|
| 16 |
+// Here's some daemon debug logs with additional debug spew put in. The |
|
| 17 |
+// AfterWriteJSON log is the very last thing the daemon does as part of the |
|
| 18 |
+// create call. The POST /attach is the second CLI call. Notice the second |
|
| 19 |
+// time gap. |
|
| 20 |
+// |
|
| 21 |
+// time="2015-11-06T13:38:37.259627400-08:00" level=debug msg="After createRootfs" |
|
| 22 |
+// time="2015-11-06T13:38:37.263626300-08:00" level=debug msg="After setHostConfig" |
|
| 23 |
+// time="2015-11-06T13:38:37.267631200-08:00" level=debug msg="before createContainerPl...." |
|
| 24 |
+// time="2015-11-06T13:38:37.271629500-08:00" level=debug msg=toDiskLocking.... |
|
| 25 |
+// time="2015-11-06T13:38:37.275643200-08:00" level=debug msg="loggin event...." |
|
| 26 |
+// time="2015-11-06T13:38:37.277627600-08:00" level=debug msg="logged event...." |
|
| 27 |
+// time="2015-11-06T13:38:37.279631800-08:00" level=debug msg="In defer func" |
|
| 28 |
+// time="2015-11-06T13:38:37.282628100-08:00" level=debug msg="After daemon.create" |
|
| 29 |
+// time="2015-11-06T13:38:37.286651700-08:00" level=debug msg="return 2" |
|
| 30 |
+// time="2015-11-06T13:38:37.289629500-08:00" level=debug msg="Returned from daemon.ContainerCreate" |
|
| 31 |
+// time="2015-11-06T13:38:37.311629100-08:00" level=debug msg="After WriteJSON" |
|
| 32 |
+// ... 1 second gap here.... |
|
| 33 |
+// time="2015-11-06T13:38:38.317866200-08:00" level=debug msg="Calling POST /v1.22/containers/984758282b842f779e805664b2c95d563adc9a979c8a3973e68c807843ee4757/attach" |
|
| 34 |
+// time="2015-11-06T13:38:38.326882500-08:00" level=info msg="POST /v1.22/containers/984758282b842f779e805664b2c95d563adc9a979c8a3973e68c807843ee4757/attach?stderr=1&stdin=1&stdout=1&stream=1" |
|
| 35 |
+// |
|
| 36 |
+// We suspect this is either a bug introduced in GOLang 1.5.1, or that a change |
|
| 37 |
+// in GOLang 1.5.1 (from 1.4.3) is exposing a bug in Windows TP4. In theory, |
|
| 38 |
+// the Windows networking stack is supposed to resolve "localhost" internally, |
|
| 39 |
+// without hitting DNS, or even reading the hosts file (which is why localhost |
|
| 40 |
+// is commented out in the hosts file on Windows). |
|
| 41 |
+// |
|
| 42 |
+// We have validated that working around this using the actual IPv4 localhost |
|
| 43 |
+// address does not cause the delay. |
|
| 44 |
+// |
|
| 45 |
+// This does not occur with the docker client built with 1.4.3 on the same |
|
| 46 |
+// Windows TP4 build, regardless of whether the daemon is built using 1.5.1 |
|
| 47 |
+// or 1.4.3. It does not occur on Linux. We also verified we see the same thing |
|
| 48 |
+// on a cross-compiled Windows binary (from Linux). |
|
| 49 |
+// |
|
| 50 |
+// Final note: This is a mitigation, not a 'real' fix. It is still susceptible |
|
| 51 |
+// to the delay in TP4 if a user were to do 'docker run -H=tcp://localhost:2375...' |
|
| 52 |
+// explicitly. |
|
| 53 |
+ |
|
| 54 |
+// DefaultHTTPHost Default HTTP Host used if only port is provided to -H flag e.g. docker daemon -H tcp://:8080 |
|
| 55 |
+const DefaultHTTPHost = "127.0.0.1" |