Is it possible to enable net.ipv4.ip_forward
on a container's network namespace?
Manual
From the host, I can enable it manually with
sudo nsenter -t \
$(docker inspect --format '{{.State.Pid}}' $CONTAINER_NAME) \
-n sysctl -w net.ipv4.ip_forward=1
and confirm that forwarding begins working within the container.
Is there a way to do this automatically whilst avoiding privileged containers?
IP forwarding in Linux refers to configuring the system to accept incoming network packets and forward them to another network.
On a Linux system, IP forwarding is enabled when the file /proc/sys/net/ipv4/ip_forward contains a 1 and disabled when it contains a 0. The command echo writes the given argument, the string "1", to the standard output. Using the redirect operator (>) and a filename, the output of the command is written to a file.
Docker relies on the host being capable of performing certain functions to make Docker networking work. Namely, your Linux host must be configured to allow IP forwarding.
In case of some sysctl parameters, yes: net.* is namespaced, so net.ipv4.ip_forward can be enabled per Pod (per container).
Follow the Using Sysctls in a Kubernetes Cluster guide for details and gotchas.
While net is namespaced, not all sysctl variables can be set in a namespace. Some simply await a "namespacify" patch, but others will possibly never get implemented. In the specific example of net.ipv4, one could browse include/net/netns/ipv4.h to see what is supported at the moment. Such support of course depends on the actual kernel version.
In case you wanted to "empirically" verify whether sysctl (the actual kernel facility, not the tool) supports a particular variable, you could do something like this (as root):
# cat /proc/sys/net/ipv4/ip_forward
1
# unshare --net sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
# cat /proc/sys/net/ipv4/ip_forward
1
As you can see, sysctl (the tool) running in a new namespace could set net.ipv4.ip_forward=0, and doing so did not affect the parent namespace.
An example of a variable that can't be set in a namespace (no support for it at the moment):
# cat /proc/sys/net/ipv4/icmp_msgs_burst
50
# unshare --net sysctl -w net.ipv4.icmp_msgs_burst=42
sysctl: cannot stat /proc/sys/net/ipv4/icmp_msgs_burst: No such file or directory
An example of a variable that is not namespaced would be vm.nr_hugepages. This variable exists in namespaces, but the vm subsystem itself is not namespaced (setting this variable will affect all processes):
# sysctl vm.nr_hugepages
vm.nr_hugepages = 0
# unshare sysctl vm.nr_hugepages=1
vm.nr_hugepages = 1
# sysctl vm.nr_hugepages
vm.nr_hugepages = 1
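As an added example (not part of either answer above), the following POSIX shell script automates the empirical check described in the second answer and also shows the unprivileged equivalent, for Docker, of the nsenter command in the question. It assumes a Linux host with util-linux `unshare` and procps `sysctl`; the probe function must run as root, and the image name `alpine` is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original Q&A. Assumes Linux, util-linux
# `unshare` and procps `sysctl`; check_netns_sysctl needs root.

# Map a dotted sysctl key to its /proc/sys path
# (net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward).
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# Classify a key from three observations, mirroring the three cases shown
# in the answer above:
#   $1 = value in the parent namespace before the probe
#   $2 = exit status of `unshare --net sysctl -w key=new` (0 on success)
#   $3 = value in the parent namespace after the probe
# Prints: namespaced | unsupported | global
classify_sysctl() {
    before=$1; status=$2; after=$3
    if [ "$status" -ne 0 ]; then
        echo unsupported   # key absent in a fresh netns (like icmp_msgs_burst)
    elif [ "$before" = "$after" ]; then
        echo namespaced    # child could set it, parent untouched (like ip_forward)
    else
        echo global        # the write leaked into the parent (like vm.nr_hugepages)
    fi
}

# Run the probe for one key (root required). If the write leaked into the
# parent namespace, the original value is restored.
check_netns_sysctl() {
    key=$1
    path=$(sysctl_path "$key")
    [ -r "$path" ] || { echo "$key: absent"; return 1; }
    before=$(cat "$path")
    # Choose a value that differs from the current one: 0/1 toggle, else +1.
    # Only numeric keys are handled; string-valued keys are out of scope here.
    case $before in 0) new=1 ;; 1) new=0 ;; *) new=$((before + 1)) ;; esac
    unshare --net sysctl -q -w "$key=$new" >/dev/null 2>&1
    status=$?
    after=$(cat "$path")
    result=$(classify_sysctl "$before" "$status" "$after")
    [ "$result" = global ] && sysctl -q -w "$key=$before" >/dev/null
    echo "$key: $result"
}

# Unprivileged equivalent of the nsenter command in the question: Docker can
# set namespaced net.* keys at container start via --sysctl, so no
# --privileged flag is needed. Prints the value as seen inside the container.
run_with_ip_forward() {
    docker run --rm --sysctl net.ipv4.ip_forward=1 alpine \
        cat /proc/sys/net/ipv4/ip_forward
}
```

Running `check_netns_sysctl net.ipv4.ip_forward` as root should print `namespaced`, while `net.ipv4.icmp_msgs_burst` prints `unsupported` and `vm.nr_hugepages` prints `global`, matching the three terminal sessions above. The same idea applies in Kubernetes through the Pod's `securityContext.sysctls` list, with the caveat that `net.ipv4.ip_forward` is not on the kubelet's default safe list, so the node must explicitly allow it with the kubelet's `--allowed-unsafe-sysctls` option.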