问题
I have a docker host that has set a net.ipv4.tcp_keepalive_time kernel parameter to 600. But when a container runs, it uses a different value:
$ sysctl net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 600
$ docker run --rm ubuntu:latest sysctl net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 7200
Why is this and how can I change this value without having to pass --sysctl option?
The reason I cannot pass --sysctl in my case is that this host is a docker swarm container and this option is currently unsupported in swarm.
But shouldn't containers just take these kernel parameters from the host? I already restarted the docker service (and its containers).
edit: some extra host info:
$ uname -r
4.15.0-38-generic
$ docker --version
Docker version 18.06.1-ce, build e68fc7a
回答1:
That is how network namespaces (which are the Linux facility used by Docker) work.
But shouldn't containers just take these kernel params from the host?
No. When the network namespace is created (in your case - when the Docker container is started), it does not inherit most of the network kernel parameters from the initial ("host" in your terms) network namespace, instead, these parameters are set to defaults which are defined for the kernel at the compile-time.
Also, changing the value of particular network parameter in particular network namespace (including the initial one) does not change this parameter in other network namespaces, so, changing the value of the "host's" net.ipv4.tcp_keepalive_time parameter does not affect any container (already running or subsequently launched).
how can I change this value without having to pass --sysctl option?
Taking into account the explanation above, the only way to change this kernel parameter for your container from kernel's default is to modify this parameter from the container's network namespace. This is what Docker does during the container startup when the --sysctl option is provided.
If Swarm does not support launching the container with this option, I afraid that the only way you have is to modify this parameter from the container's entrypoint, which is not possible unless you run your container as --privileged. This, obviously, is a bad decision, as it essentially is a security vulnerability, allowing the container to affect the host system in numerous ways.
来源:https://stackoverflow.com/questions/54552379/tcp-keepalive-time-in-docker-container