Rubing Yang

Reputation: 95

Will docker inherit the host kernel parameters, such as tcp_tw_reuse/tcp_fin_timeout?

I am confused about whether docker will inherit the host's kernel parameters. I have done some tests as below. The kernel version:

$ uname -r
3.10.0-957.el7.x86_64
  1. I want to echo the ip_local_port_range parameter, and the command is:
$ sudo docker run --rm busybox cat /proc/sys/net/ipv4/ip_local_port_range

the output:

128

That is quite reasonable as ip_local_port_range is a namespaced parameter and I guess it inherits from the host.

  2. Test the tcp_tw_reuse parameter:
sudo docker run --rm busybox cat /proc/sys/net/ipv4/tcp_tw_reuse

the output:

cat: can't open '/proc/sys/net/ipv4/tcp_tw_reuse': No such file or directory

That is reasonable too: as far as I know, in kernel 3.10 tcp_tw_reuse is not namespaced and docker does not have that file. Now, what I would like to know is: as the '/proc/sys/net/ipv4/tcp_tw_reuse' file is not present in the container, will the container inherit its value from the host? Any help will be appreciated.

Upvotes: 4

Views: 1920

Answers (1)

Danila Kiver

Reputation: 3758

The vanilla 3.10 kernel was released in 2013. Namespacing of tcp_fin_timeout happened much later, in early 2016, and namespacing of tcp_tw_reuse happened even later.

In fact, these are the networking sysctls which are namespaced in vanilla 3.10:

int sysctl_icmp_echo_ignore_all;
int sysctl_icmp_echo_ignore_broadcasts;
int sysctl_icmp_ignore_bogus_error_responses;
int sysctl_icmp_ratelimit;
int sysctl_icmp_ratemask;
int sysctl_icmp_errors_use_inbound_ifaddr;

int sysctl_tcp_ecn;

kgid_t sysctl_ping_group_range[2];
long sysctl_tcp_mem[3];

Not so much. Other sysctls are globals, used disregarding what the caller's network namespace is. This includes sysctls of your interest:

Note that the latest RHEL/CentOS versions of kernel 3.10 (which you seem to use) have some more sysctls namespaced, e.g. ip_local_port_range, mentioned by you, but this still does not include tcp_fin_timeout and tcp_tw_reuse.

So, finally answering your question: in kernel 3.10, these parameters are system-wide, and containerized processes use the same values of these sysctls as the host system.

Upvotes: 4
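
A way to check this on your own host, as an added example that is not part of the original answer: it compares the host's /proc/sys/net/ipv4 with the file names a container sees there, and marks entries that exist only on the host as global. The function names, the ns.list file and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original answer). Compares the host's
# /proc/sys/net/ipv4 with the names a container can see there.
# Real use, on the Docker host:
#   docker run --rm busybox ls /proc/sys/net/ipv4 > ns.list
#   audit_sysctls /proc/sys/net/ipv4 ns.list tcp_tw_reuse tcp_fin_timeout

# classify_sysctl NAME HOST_DIR NS_LIST
#   netns-visible  the container sees a /proc entry for NAME
#   host-global    only the host has it: containers use the host's value
#   unknown        neither view has it (wrong name or different kernel)
classify_sysctl() {
    if grep -qxF -- "$1" "$3"; then
        echo netns-visible
    elif [ -e "$2/$1" ]; then
        echo host-global
    else
        echo unknown
    fi
}

# audit_sysctls HOST_DIR NS_LIST NAME...
# Prints "name<TAB>class<TAB>host value"; the host value is the effective
# value for the container only when the class is host-global.
audit_sysctls() {
    host_dir=$1 ns_list=$2
    shift 2
    for name in "$@"; do
        class=$(classify_sysctl "$name" "$host_dir" "$ns_list")
        value=-
        [ -r "$host_dir/$name" ] && value=$(cat "$host_dir/$name")
        printf '%s\t%s\t%s\n' "$name" "$class" "$value"
    done
}

# sample_audit: constructed views shaped like the RHEL 3.10 case on this
# page (the values are made up); runs the audit without Docker.
sample_audit() {
    d=$(mktemp -d) || return 1
    mkdir "$d/host"
    echo 1 > "$d/host/tcp_tw_reuse"
    echo 30 > "$d/host/tcp_fin_timeout"
    echo "32768 60999" > "$d/host/ip_local_port_range"
    printf '%s\n' ip_local_port_range tcp_ecn > "$d/ns.list"
    audit_sysctls "$d/host" "$d/ns.list" \
        tcp_tw_reuse tcp_fin_timeout ip_local_port_range tcp_syncookies
    rm -rf "$d"
}

if [ "${1:-}" = "--sample" ]; then sample_audit; fi
```

A host-global result means host-level tuning of that sysctl applies to every container on the machine and cannot be overridden per container.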
