docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

Allow for graceful iptables recreation on demand without dockerd restart. #361

Open fff7d1bc opened 6 years ago

fff7d1bc commented 6 years ago

Expected behavior

dockerd should have a switch to re-create iptables rules without restarting the docker daemon itself. The majority of firewall scripts flush all rules prior to re-applying themselves, meaning every time such a script is updated and executed, Docker loses access to the network. It would be great if such scripts could poke dockerd with, for example, --only-iptables-restore to minimize the effect on Docker containers.

Actual behavior

In order to restore iptables rules, the docker daemon has to be restarted.

Steps to reproduce the behavior

Client:
 Version:      18.05.0-ce
 API version:  1.37
 Go version:   go1.10.3
 Git commit:   f150324
 Built:        Thu Jul 12 10:47:14 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.05.0-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.10.3
  Git commit:   f150324
  Built:        Thu Jul 12 10:46:31 2018
  OS/Arch:      linux/amd64
  Experimental: false

Output of docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 3
Server Version: 18.05.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ac4fd0b6a268fe6f38b2b2e32e40daa7e424fac (expected: 773c489c9c1b21a6d78b5c538cd395416ec50f88)
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: fec3683b971d9c3ef73f284f176672c44b448662 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.17.6
Operating System: Gentoo/Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.5GiB
Name: arifal
ID: QVVQ:L2D2:V4EO:TLFK:L3V4:A7ED:LDBM:YFIT:ZV5A:CXOU:ARUG:BPB4
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support

Additional environment details (AWS, VirtualBox, physical, etc.)
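The flush-then-reapply problem described in the report can be reduced from the firewall script's side. Added example, not code from the issue or from Docker: a POSIX shell snippet that extracts the Docker-managed rules from an iptables-save dump so a script can snapshot them before its flush and re-apply them afterwards; the dump it runs against is constructed and abbreviated.

```shell
#!/bin/sh
# Added example (not from the issue or from Docker). Constructed, abbreviated
# iptables-save output for a host with the default docker0 bridge.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Keep only the Docker-owned chains and the rules that reference them or the
# docker0 bridge, plus the table and COMMIT markers, so the output is valid
# input for "iptables-restore --noflush". Reads an iptables-save dump on stdin.
docker_rules() {
  grep -E '^\*|^COMMIT$|DOCKER|docker0'
}

# Cheap post-reload check: the DOCKER-USER chain disappears with the first
# "iptables -X", so its absence signals that Docker's rules are gone.
has_docker_chains() {
  grep -q '^:DOCKER-USER '
}

# Typical use inside a firewall script (needs root and iptables, so shown as
# comments only):
#   saved=$(iptables-save | docker_rules)
#   iptables -F; iptables -t nat -F; iptables -X        # the script's usual reset
#   ... apply the host's own rules ...
#   printf '%s\n' "$saved" | iptables-restore --noflush

printf '%s\n' "$SAMPLE_DUMP" | docker_rules
```

Re-applying the snapshot only restores the rules that existed when it was taken; containers started after the flush still need dockerd to add their own rules.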

fff7d1bc commented 6 years ago

Dump

fff7d1bc commented 6 years ago

Bump