docker容器中的tcp_keepalive_time [英] tcp_keepalive_time in docker container

问题描述

我有一个docker主机，它已将 net.ipv4.tcp_keepalive_time 内核参数设置为600。但是，当容器运行时，它将使用另一个值：

I have a docker host that has set a net.ipv4.tcp_keepalive_time kernel parameter to 600. But when a container runs, it uses a different value:

$ sysctl net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 600

$ docker run --rm ubuntu:latest sysctl net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 7200

这是为什么，如何更改此值而不必通过-sysctl 选项？

Why is this and how can I change this value without having to pass --sysctl option?

我无法通过-sysctl 的原因是此主机是docker swarm容器，而此选项是目前不受支持。

The reason I cannot pass --sysctl in my case is that this host is a docker swarm container and this option is currently unsupported in swarm.

但是容器不应该只是从主机获取这些内核参数吗？我已经重新启动了docker服务（及其容器）。

But shouldn't containers just take these kernel parameters from the host? I already restarted the docker service (and its containers).

编辑：一些主机信息：

$ uname -r
4.15.0-38-generic
$ docker --version
Docker version 18.06.1-ce, build e68fc7a

推荐答案

这就是网络名称空间（Docker使用的Linux工具）的工作方式。

That is how network namespaces (which are the Linux facility used by Docker) work.

但是容器不应该只是从主机获取这些内核参数吗？

But shouldn't containers just take these kernel params from the host?

否。创建网络名称空间时（在您的情况下-启动Docker容器时），它不会从初始（用您的术语主机表示）网络名称空间继承大多数网络内核参数，而是，这些参数为设置为默认值，它们是在编译时为内核定义的。

No. When the network namespace is created (in your case - when the Docker container is started), it does not inherit most of the network kernel parameters from the initial ("host" in your terms) network namespace, instead, these parameters are set to defaults which are defined for the kernel at the compile-time.

此外，更改特定网络名称空间（包括初始名称）中特定网络参数的值不会更改其他网络名称空间中的此参数，因此，更改主机的值 net.ipv4.tcp_keepalive_time 参数不影响任何容器（已经运行或随后启动）。

Also, changing the value of particular network parameter in particular network namespace (including the initial one) does not change this parameter in other network namespaces, so, changing the value of the "host's" net.ipv4.tcp_keepalive_time parameter does not affect any container (already running or subsequently launched).

我该如何更改值而不必通过--sysctl选项？

how can I change this value without having to pass --sysctl option?

考虑到上面的解释，这是为您更改此内核参数的唯一方法默认情况下，容器是从容器的网络名称空间中修改此参数 。这是Docker在容器启动过程中提供-sysctl 选项时所做的事情。

Taking into account the explanation above, the only way to change this kernel parameter for your container from kernel's default is to modify this parameter from the container's network namespace. This is what Docker does during the container startup when the --sysctl option is provided.

如果Swarm没有提供支持使用此选项启动容器，恐怕您唯一的方法是从容器的入口点修改此参数，除非您以-privileged 。显然，这是一个错误的决定，因为它本质上是一个安全漏洞，它允许容器以多种方式影响主机系统。

If Swarm does not support launching the container with this option, I afraid that the only way you have is to modify this parameter from the container's entrypoint, which is not possible unless you run your container as --privileged. This, obviously, is a bad decision, as it essentially is a security vulnerability, allowing the container to affect the host system in numerous ways.

这篇关于docker容器中的tcp_keepalive_time的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！