Reputation: 119
Can't use tc in docker container
I am using tc to limit send rate in a docker container. Added below script into Dockerfile:
tc qdisc add dev eth0 root handle 1: htb default 2
tc class add dev eth0 parent 1:1 classid 1:2 htb rate 2mbit ceil 2mbit prio 2
tc qdisc add dev eth0 parent 1:2 handle 2: sfq perturb 10
tc filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.1.124 flowid 1:2
Run docker under root account via this command:
docker run --cap-add=NET_ADMIN --name lqt_build -d -p 8443:8443 -p 443:443 -p 3478:3478 lqt_build
But it still show this error:
Step 25 : RUN cd /usr/share/ta/ && sudo ./tt rate
---> Running in fb6a4477ad6c
RTNETLINK answers: Operation not permitted
RTNETLINK answers: Operation not permitted
RTNETLINK answers: Operation not permitted
RTNETLINK answers: Operation not permitted
We have an error talking to the kernel
[8] System error: read parent: connection reset by peer
It seems the kernel prevents apps in the container from changing some kernel settings even though they're running as root. I guess the container doesn't have its own kernel but runs on the kernel shared with (potentially) many other containers so it can't be allowed to touch settings of the underlying kernel. Does anyone have experience with this issue?
Upvotes: 5
Views: 6625
Answers (1)
Reputation: 119
The root cause is the use of tc in Dokcerfile. NET_ADMIN capability does not take effect at that time. Tc command works fine after docker container is running. Thanks user2915097.
Upvotes: 3
Related Questions
- Copying files from Docker container to host
- How do I get into a Docker container's shell?
- How to copy files from host to Docker container?
- What is the difference between a Docker image and a container?
- How to copy Docker images from one host to another without using a repository
- How to force Docker for a clean build of an image
- How is Docker different from a virtual machine?
- How to get a Docker container's IP address from the host
- How to remove old Docker containers