engine/security/rootless: update for Docker Engine v29.5#24645
AkihiroSuda wants to merge 1 commit into docker:main from
Conversation
b0a1185 to 3bed16a
See:
- docker/docker PR 47103
- docker/docker PR 52319

Signed-off-by: Akihiro Suda <[email protected]>
3bed16a to 10c6c02
| | Network driver | Port driver | Net throughput | Port throughput | Source IP propagation | No SUID | Note | | ||
| | -------------- | -------------------- | -------------- | --------------- | --------------------- | ------- | ---------------------------------------------------------------------------- | | ||
| | `gvisor-tap-vsock`| `builtin` | Slow | Fast ✅ | ✅ (*) | ✅ | Default when slirp4netns is not installed | |
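Review bot: the `(*)` qualifier in the "Source IP propagation" cell of the `gvisor-tap-vsock` row has no matching footnote in this hunk; make sure the table is followed by a line that spells out what the asterisk means (presumably the condition under which source IPs are actually propagated), otherwise the ✅ reads as unconditional. The Note column could also say which driver becomes the default when slirp4netns is installed, so the two defaults can be compared in one place.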
Micro-nit; can you align the header-width with the columns (or is it GitHub's rendering showing it wrong?)
It seems aligned well, on macOS Terminal
Ah, thx for checking; GitHub isn't great at rendering these 🤗
| {{< tab name="RootlessKit v3.0 or later" >}} | ||
| This is because Docker Engine's `userland-proxy` is incompatible with RootlessKit's source IP propagation. | ||
|
|
||
| To disable userland-proxy, add the following configuration to `~/.config/docker/daemon.json`: |
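Review bot: the instruction "To disable userland-proxy, add the following configuration to `~/.config/docker/daemon.json`" should carry the caveat raised later in this thread that userland-proxy is still required when `br_netfilter` is not loaded; as written a reader will disable it unconditionally and lose published-port connectivity on hosts without that module. Suggest qualifying the sentence (for example "if the `br_netfilter` kernel module is loaded, disable userland-proxy by adding ...") and adding that the rootless daemon must be restarted for the `daemon.json` change to take effect.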
@AkihiroSuda Is there still any situation where the userland-proxy could / should be used when running with rootlesskit? Wondering if we should also make the daemon ignore the option and disable it (print an info / warning possibly)
> Is there still any situation where the userland-proxy could / should be used when running with rootlesskit?

userland-proxy has to be used when `br_netfilter` is not loaded.
It shouldn't be a hard requirement unless `enable_icc=false` is used, but the current implementation still treats it as a hard requirement:
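The constraint stated in the reply above (userland-proxy may only be disabled when `br_netfilter` is present) is easy to get wrong when following the docs by hand. The script below is an added example, not code from this PR, the Docker docs, or the participants in this thread; it checks for the module via `/sys/module/br_netfilter` and writes a `daemon.json` that turns the proxy off only when that check passes. The `DOCKER_CONFIG_DIR` override and the function names are assumptions made for this example; the default path `~/.config/docker/daemon.json` and the `systemctl --user restart docker` restart command are the ones the rootless docs use.

```shell
#!/bin/sh
# Added example (not part of the PR or the Docker docs): only disable
# userland-proxy for the rootless daemon when br_netfilter is available,
# since without it the proxy is still required for published ports.

# Returns 0 if br_netfilter is loaded or built in, 1 otherwise.
# Every loaded or built-in module has a directory under /sys/module.
br_netfilter_loaded() {
    [ -d /sys/module/br_netfilter ]
}

# Print the daemon.json fragment for a given br_netfilter state ("yes"/"no").
# With br_netfilter present the proxy can be turned off so RootlessKit's
# source IP propagation works; without it the proxy must stay enabled.
render_daemon_json() {
    case "$1" in
        yes) printf '{"userland-proxy": false}\n' ;;
        no)  printf '{"userland-proxy": true}\n' ;;
        *)   echo "usage: render_daemon_json yes|no" >&2; return 2 ;;
    esac
}

# Write the fragment to $DOCKER_CONFIG_DIR/daemon.json (default
# ~/.config/docker/daemon.json, assumed override variable). An existing file
# is left alone: it may carry other keys, so the key is printed for manual
# merging instead of clobbering the file.
write_rootless_daemon_json() {
    dir="${DOCKER_CONFIG_DIR:-$HOME/.config/docker}"
    file="$dir/daemon.json"
    if br_netfilter_loaded; then state=yes; else state=no; fi
    if [ -e "$file" ]; then
        echo "$file exists; merge the following key into it by hand:" >&2
        render_daemon_json "$state" >&2
        return 1
    fi
    mkdir -p "$dir"
    if [ "$state" = no ]; then
        echo "br_netfilter is not loaded; keeping userland-proxy enabled" >&2
    fi
    render_daemon_json "$state" > "$file"
    echo "wrote $file; apply it with: systemctl --user restart docker"
}
```

Run `write_rootless_daemon_json` on the host as the rootless user; it refuses to overwrite an existing `daemon.json` so that other settings are not lost, and it tells you when the module check forced the proxy to stay on.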
Description

Updates for Rootless mode in Docker Engine v29.5.

- `--net=host`

Related issues or tickets

- `--net=host` and localhost registries moby/moby#47103