What is the point of the docker-proxy process? Why is a userspace tcp proxy needed?

english
#1

I have noticed that there is docker-proxy process running for each published port. What is the purpose of this process? Why is a user space tcp proxy needed for this?

$ ps -Af | grep proxy
root      4776  1987  0 01:25 ?        00:00:00 docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 22222 -container-ip 172.17.0.2 -container-port 22
root      4829  1987  0 01:25 ?        00:00:00 docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 5555 -container-ip 172.17.0.3 -container-port 5555

and some related iptable rules created by docker:

$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 263 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1 packets, 263 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1748 packets, 139K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   32  7200 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1719 packets, 132K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   32  7200 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:22222 to:172.17.0.2:22
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:5555 to:172.17.0.3:5555
#2

Apparently there are some edge cases without a better workaround (for now):

  • localhost<->localhost routing
  • docker instance calling into itself via its published port
  • and possibly more

https://github.com/docker/docker/issues/8356

UPDATE: Since 1.7.0 (2015-06-16) the userland proxy can be disabled in favor of hairpin NAT using the daemon’s --userland-proxy=false flag.

#3

Disagree about closing this question. It is a valid architectural issue that is an offshoot of ssh - Restricting the network access of Docker container - Server Fault ; if we are down-voting what appears to be an undocumented (at least on the website) part of the service, then that begs the question, should we just go around blindly installing new and shiny services that we don’t understand the internal workings of?

#4

Also on so Why does Docker run so many processes to map ports though to my application? - Stack Overflow