Bug 203483
Summary: | "ip vrf exec" does not work in docker environment | ||
---|---|---|---|
Product: | Networking | Reporter: | Ted (artisdom) |
Component: | Other | Assignee: | David Ahern (dsahern) |
Status: | ASSIGNED --- | ||
Severity: | normal | ||
Priority: | P1 | ||
Hardware: | All | ||
OS: | Linux | ||
Kernel Version: | Linux 5.0.0-13-generic #14-Ubuntu | Subsystem: | |
Regression: | No | Bisected commit-id: | |
Attachments: | 1. VRF test on Ubuntu, all good. 2. VRF test on docker, failed. |
Description
Ted
2019-05-03 00:31:10 UTC
I think we have found that this is because docker is mixing v1 and v2 cgroups, which is not supported by the kernel at the moment. "While userland may start using net_prio or net_cls at any time, once either is used, cgroup2 matching no longer works" https://github.com/torvalds/linux/blob/master/include/linux/cgroup-defs.h#L748 adding "cgroup_no_v1=net_prio,net_cls" to the kernel parameter to disable the v1 cgroup controller will make this issue go away. Thanks for the follow up. I suspected something related to cgroups or nested bpf. |