mviereck / dockerfile-x11docker-deepin

3D desktop deepin from China
MIT License

Two strange problems: the ip address disappear on docker0 interface and missing gateway of bridge network. #18

Closed hongyi-zhao closed 3 years ago

hongyi-zhao commented 3 years ago

Running x11docker in desktop mode as below will trigger the problem:

$ x11docker --sudouser -c --desktop --init=systemd -- --cap-add=IPC_LOCK --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine startdde

The hongyi-zhao/deepin-wine image is created by the following command with this Dockerfile:

$ docker build --network host -f Dockerfiles/deepin-wine . -t hongyi-zhao/deepin-wine

See my detailed notes in the above Dockerfile for more info.

For this case, even if I add the correct IP address to the docker0 interface again as below, the proxy listening on 172.17.0.1 still can't be accessed from within the docker container, but it can be accessed from the host:

# Re add the correct IP address on docker0 interface:
$ sudo ip addr add 172.17.0.1/16 dev docker0

werner@X10DAi:~$ curl -vIx socks5://172.17.0.1:18888 www.baidu.com
*   Trying 172.17.0.1:18888...
* TCP_NODELAY set
* SOCKS5 communication to www.baidu.com:80
* SOCKS5 connect to IPv4 220.181.38.149:80 (locally resolved)
* SOCKS5 request granted.
* Connected to 172.17.0.1 (172.17.0.1) port 18888 (#0)
> HEAD / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
Connection: keep-alive
< Content-Length: 277
Content-Length: 277
< Content-Type: text/html
Content-Type: text/html
< Date: Tue, 10 Nov 2020 08:01:30 GMT
Date: Tue, 10 Nov 2020 08:01:30 GMT
< Etag: "575e1f6f-115"
Etag: "575e1f6f-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT
< Pragma: no-cache
Pragma: no-cache
< Server: bfe/1.0.8.18
Server: bfe/1.0.8.18

< 
* Connection #0 to host 172.17.0.1 left intact

werner@27baae044a25:~/Desktop$ curl -vIx socks5://172.17.0.1:18888 www.baidu.com
* Rebuilt URL to: www.baidu.com/
*   Trying 172.17.0.1...
* TCP_NODELAY set
* SOCKS5 communication to www.baidu.com:80
* Unable to receive initial SOCKS5 response.
* Closing connection 0
curl: (7) Unable to receive initial SOCKS5 response.

If running with --hostnet option, the proxy will be available both from host and container, i.e., like the following:

$ x11docker --sudouser -c --hostnet --desktop --init=systemd -- --cap-add=IPC_LOCK --security-opt seccomp=unconfined -- hongyi-zhao/deepin-wine startdde

In this case, all the following proxies are accessible from within container/host:

192.168.0.6:18888 # The host network ethernet card interface IP address.
127.0.0.1:18888     # In --hostnet mode, this is the lo interface of the host.
172.17.0.1:18888   # The IP address of the docker0 interface.

This may be a bug of docker itself. Anyway, currently, the following method can be used as an expedient:

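# Poll docker0 and restore its address whenever it has gone missing.
while :; do
  if ! ip a show docker0 | grep -qE '^[ ]*inet 172\.17\.0\.1/16'; then
    sudo ip addr add 172.17.0.1/16 dev docker0
  fi
  # Sleep on every pass so the loop does not spin while the address is present.
  sleep 1
done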

But this method can't solve the missing gateway problem of bridge network as shown below:

$ docker network inspect bridge | grep -A3 -i '"Config":'
            "Config": [
                {
                    "Subnet": "172.17.0.0/16"
                }

I want to know whether there are some methods for me to revise/add gateway to the bridge without restarting the docker service like the following:

$ sudo systemctl restart docker

Regards, HY

mviereck commented 3 years ago

I really can't help you with this.

hongyi-zhao commented 3 years ago

I got the reason for the proxy failure problem observed in bridge network mode. It's because I only allowed the source network address of 172.17.0.1 instead of the whole 72.17.0.0/16 subnet in my haproxy's config file. Obviously, for the host network mode, the container will use the docker0 interface directly, while for bridge network mode, the container will use a virtual interface attached to the bridge and assigned an IP address belonging to the 72.17.0.0/16 subnet, using 172.17.0.1 as the gateway.

For the missing gateway problem of the bridge network, it appears upon the system's startup. So, I think this may be a bug of docker. But anyway, it doesn't affect the normal use of the proxy in containers working with both host and bridge network modes.
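
An added example, not part of the original thread: a Python check that reads `docker network inspect bridge` output and reports IPAM entries with no gateway, plus container addresses that a proxy's source allowlist would reject (the cause described in the comment above). The sample JSON, the container name and the function name `audit_bridge` are constructed for illustration; the subnet is the one shown in the inspect output earlier in the issue.

```python
import ipaddress
import json

# Constructed sample shaped like `docker network inspect bridge` output.
# The Gateway key is absent, as in the output quoted in the issue.
SAMPLE_INSPECT = """
[{"Name": "bridge",
  "IPAM": {"Driver": "default", "Config": [{"Subnet": "172.17.0.0/16"}]},
  "Containers": {
    "27baae044a25": {"Name": "sample-desktop", "IPv4Address": "172.17.0.2/16"}
  }}]
"""


def audit_bridge(inspect_json, proxy_allowlist):
    """Report IPAM entries without a gateway and container source
    addresses that the proxy's source allowlist would reject."""
    # A bare address such as "172.17.0.1" becomes a /32 network.
    allowed = [ipaddress.ip_network(n, strict=False) for n in proxy_allowlist]
    report = {"missing_gateway": [], "rejected": [], "suggest_allow": []}
    for net in json.loads(inspect_json):
        subnets = []
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            subnet = cfg.get("Subnet")
            if subnet:
                subnets.append(ipaddress.ip_network(subnet))
                if not cfg.get("Gateway"):
                    report["missing_gateway"].append(subnet)
        for cid, ep in (net.get("Containers") or {}).items():
            raw = ep.get("IPv4Address") or ""
            if not raw:
                continue  # endpoint without an IPv4 address
            src = ipaddress.ip_interface(raw).ip
            if not any(src in n for n in allowed):
                report["rejected"].append((ep.get("Name", cid), str(src)))
                # Narrowest fix: the bridge subnet that holds this source,
                # rather than opening the proxy to every address.
                for s in subnets:
                    if src in s and str(s) not in report["suggest_allow"]:
                        report["suggest_allow"].append(str(s))
    return report
```

On a real host, pass the output of `docker network inspect bridge` as the first argument and the proxy's permitted source networks as the second.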

mviereck commented 3 years ago

Just a thought: deepin desktop is started with --init=systemd and --security-opt seccomp=unconfined. Maybe systemd somehow revokes the IP address on container shutdown. It should not be able to do so (I think), but maybe it does. --security-opt seccomp=unconfined might allow this.

You could compare with other desktop/systemd images if they break the IP address, too. Try:

x11docker --desktop --init=systemd x11docker/lxde
x11docker --desktop --init=systemd -- --security-opt seccomp=unconfined -- x11docker/lxde

hongyi-zhao commented 3 years ago

I find the absent gateway problem of the bridge network exists upon the system's startup and has nothing to do with x11docker on one of my Ubuntu boxes, while on another Ubuntu machine, this problem doesn't appear. So, it presumably is a problem caused by a conflict among the installed software packages.

mviereck commented 3 years ago

Closing here because it is not an x11docker or deepin issue.