Bug 203483 - "ip vrf exec" does not work in docker environment
Summary: "ip vrf exec" does not work in docker environment
Status: ASSIGNED
Alias: None
Product: Networking
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: David Ahern
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-03 00:31 UTC by Ted
Modified: 2019-05-08 15:51 UTC
CC List: 0 users

See Also:
Kernel Version: Linux 5.0.0-13-generic #14-Ubuntu
Subsystem:
Regression: No
Bisected commit-id:


Attachments
1. VRF test on Ubuntu, all good. 2. VRF test on docker, failed. (5.32 KB, text/plain)
2019-05-03 00:31 UTC, Ted

Description Ted 2019-05-03 00:31:10 UTC
Created attachment 282595
1. VRF test on Ubuntu, all good.
2. VRF test on docker, failed.

"ip vrf exec" works on Ubuntu Linux 5.0.0-13-generic,
but does not work in a docker environment.


In Ubuntu:

> ~$ sudo ip vrf exec Red ping 1.0.1.1
> PING 1.0.1.1 (1.0.1.1) 56(84) bytes of data.
> 64 bytes from 1.0.1.1: icmp_seq=1 ttl=64 time=0.032 ms
> 64 bytes from 1.0.1.1: icmp_seq=2 ttl=64 time=0.133 ms
> 64 bytes from 1.0.1.1: icmp_seq=3 ttl=64 time=0.039 ms
> 64 bytes from 1.0.1.1: icmp_seq=4 ttl=64 time=0.053 ms
> ^C
> --- 1.0.1.1 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 63ms
> rtt min/avg/max/mdev = 0.032/0.064/0.133/0.040 ms

In docker:

The same test failed.

> root@TUX1:~# docker run --privileged -it ubuntu bash
> root@236d33a84862:/# ip vrf exec Red ping 1.0.1.1
> PING 1.0.1.1 (1.0.1.1) 56(84) bytes of data.
> ^C
> --- 1.0.1.1 ping statistics ---
> 6 packets transmitted, 0 received, 100% packet loss, time 5118ms

I have to use "-I Red" to bind specifically to the interface to make it work.

> root@236d33a84862:/# ip vrf exec Red ping -I Red 1.0.1.1
> ping: Warning: source address might be selected on device other than Red.
> PING 1.0.1.1 (1.0.1.1) from 1.0.1.1 Red: 56(84) bytes of data.
> 64 bytes from 1.0.1.1: icmp_seq=1 ttl=64 time=0.058 ms
> 64 bytes from 1.0.1.1: icmp_seq=2 ttl=64 time=0.034 ms
> 64 bytes from 1.0.1.1: icmp_seq=3 ttl=64 time=0.067 ms
> 64 bytes from 1.0.1.1: icmp_seq=4 ttl=64 time=0.074 ms
> ^C
> --- 1.0.1.1 ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 3059ms
> rtt min/avg/max/mdev = 0.034/0.058/0.074/0.016 ms


Full test logs are in the attachment.
Comment 1 Ted 2019-05-07 05:41:15 UTC
I think we have found that this is because docker is mixing v1 and v2
cgroups, which is not supported by the kernel at the moment.


"While userland may start using net_prio or net_cls at any time, once either
is used, cgroup2 matching no longer works"

https://github.com/torvalds/linux/blob/master/include/linux/cgroup-defs.h#L748

Adding "cgroup_no_v1=net_prio,net_cls" to the kernel parameters to disable the v1 cgroup controllers makes this issue go away.
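Added example (not from the bug report, the attachment, or the kernel tree): a POSIX shell pre-flight check for the cgroup v1/v2 mix Comment 1 describes. It inspects the kernel command line for the cgroup_no_v1= parameter and /proc/cgroups for net_cls or net_prio attached to a v1 hierarchy, which is the state in which cgroup2 matching (and therefore "ip vrf exec") stops working. The function names, the verdict strings and the sample inputs are constructed for this example and are not taken from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report. Pre-flight check for the
# condition in Comment 1: once the v1 net_cls/net_prio controllers are in
# use, cgroup2 matching no longer works, so "ip vrf exec" stops taking
# effect. The checks take their input as text so they can be exercised on
# constructed samples; vrf_exec_preflight runs them on the live host.

# Returns 0 if the kernel command line disables the v1 net_cls AND net_prio
# controllers via cgroup_no_v1= (both named explicitly, or "all").
cmdline_disables_v1_net() {
    for word in $1; do
        case "$word" in
            cgroup_no_v1=*) ;;
            *) continue ;;
        esac
        list=",${word#cgroup_no_v1=},"
        case "$list" in *,all,*) return 0 ;; esac
        case "$list" in *,net_cls,*)  has_cls=1 ;; *) has_cls=0 ;; esac
        case "$list" in *,net_prio,*) has_prio=1 ;; *) has_prio=0 ;; esac
        [ "$has_cls" = 1 ] && [ "$has_prio" = 1 ] && return 0
    done
    return 1
}

# Returns 0 if /proc/cgroups-style text shows net_cls or net_prio attached
# to a v1 hierarchy. Column 2 is the v1 hierarchy id; 0 means the controller
# is not attached to any v1 hierarchy, anything else means a v1 mount owns it.
v1_net_controllers_mounted() {
    n=$(printf '%s\n' "$1" | awk '$1=="net_cls"||$1=="net_prio" { if ($2 != 0) c++ } END { print c+0 }')
    [ "$n" -gt 0 ]
}

# Combines both checks into one verdict line: "broken", "ok" or "ok-for-now".
vrf_exec_verdict() {
    if v1_net_controllers_mounted "$2"; then
        echo "broken: net_cls/net_prio are attached to a cgroup v1 hierarchy; cgroup2 matching used by ip vrf exec will not work"
    elif cmdline_disables_v1_net "$1"; then
        echo "ok: v1 net_cls/net_prio are disabled on the kernel command line"
    else
        echo "ok-for-now: controllers unused, but a v1 mount (e.g. by docker) would break ip vrf exec; consider cgroup_no_v1=net_prio,net_cls"
    fi
}

# Live version: reads the real /proc files when they are available.
vrf_exec_preflight() {
    [ -r /proc/cmdline ] && [ -r /proc/cgroups ] || { echo "skip: /proc not readable"; return 0; }
    vrf_exec_verdict "$(cat /proc/cmdline)" "$(cat /proc/cgroups)"
}

# Constructed sample inputs (not copied from the report's attachment).
SAMPLE_CMDLINE_BAD='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'
SAMPLE_CMDLINE_GOOD='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro cgroup_no_v1=net_prio,net_cls'
SAMPLE_CGROUPS_BAD='#subsys_name hierarchy num_cgroups enabled
cpuset 2 1 1
net_cls 11 1 1
net_prio 11 1 1'
SAMPLE_CGROUPS_GOOD='#subsys_name hierarchy num_cgroups enabled
cpuset 2 1 1
net_cls 0 1 0
net_prio 0 1 0'

echo "constructed docker-style host: $(vrf_exec_verdict "$SAMPLE_CMDLINE_BAD" "$SAMPLE_CGROUPS_BAD")"
echo "constructed cgroup_no_v1 host: $(vrf_exec_verdict "$SAMPLE_CMDLINE_GOOD" "$SAMPLE_CGROUPS_GOOD")"
echo "this host: $(vrf_exec_preflight)"
```

The hierarchy column of /proc/cgroups is what makes the second check reliable: a container runtime that mounts the net_cls,net_prio v1 hierarchy leaves those rows with a non-zero id even on a host that otherwise uses cgroup2, so the check flags the mix before "ip vrf exec" silently fails to steer traffic, as in the docker run above. Once cgroup_no_v1=net_prio,net_cls is on the command line the rows show hierarchy 0 and enabled 0 and the verdict becomes "ok".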
Comment 2 David Ahern 2019-05-08 15:51:36 UTC
Thanks for the follow up. I suspected something related to cgroups or nested bpf.
