Idle port disconnection triggered for non-idle port

Open jessetan opened this issue 7 years ago • 1 comments

When running any container from https://github.com/jessfraz/dockerfiles (which uses X11 on the host system by sharing DISPLAY), vpnkit closes the connection after some idle timeout.

Example log message on macOS: com.docker.vpnkit[505]: TCP 192.168.65.3:39220 > 192.168.0.59:6000 closing flow due to idle port disconnection

However, this is not what is expected. In this specific example, the container sends TCP Keep Alive messages to the host (on port 6000 for X11 traffic). I would expect vpnkit to consider this a non-idle port and leave the connection intact.

Steps to reproduce (with Docker for Mac 18.06.1-ce-mac74 (26766)):

  1. Add "vpnKitPortMaxIdleTime" : 5 to ~/Library/Group\ Containers/group.com.docker/settings.json. This isn't strictly necessary but makes it faster to test
  2. Start XQuartz and enable "Allow connections from network clients" in its Preferences
  3. Run a Docker container that uses X11: docker run -it -e DISPLAY=$YOUR_IP_HERE:0 jess/atom:latest
  4. Run tcpdump, Wireshark or similar to observe TCP Keep Alives being sent to port 6000
  5. Observe that the X11 connection is closed after ~5s. The Docker/vpnkit log will show this was caused by an idle port

Possibly related: https://github.com/docker/for-mac/issues/2406, https://github.com/mirage/mirage-tcpip/pull/338 (reverted by #389)

jessetan Sep 07 '18 10:09
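To check a capture against the vpnkit log when triaging a report like the one above, the following added example (not part of the original issue and not vpnkit code) lists flows that were closed as idle even though a packet was captured on them inside the idle window. It assumes timestamped log lines and a packet list whose endpoints have already been mapped to the addresses vpnkit logs; the function name, timestamps and second flow are constructed for illustration.

```python
import bisect
import re
from collections import defaultdict, namedtuple

# Message format copied from the log line quoted in the issue.
CLOSE_RE = re.compile(
    r"TCP (?P<src>[\d.]+:\d+) > (?P<dst>[\d.]+:\d+) "
    r"closing flow due to idle port disconnection"
)
Finding = namedtuple("Finding", "src dst closed_at last_packet_age")


def closed_while_active(log_events, packets, max_idle):
    """Flows closed as idle although a packet was captured on them
    (either direction) less than max_idle seconds before the close."""
    seen = defaultdict(list)
    for ts, a, b in packets:
        seen[frozenset((a, b))].append(ts)
    for times in seen.values():
        times.sort()
    findings = []
    for closed_at, line in log_events:
        m = CLOSE_RE.search(line)
        if not m:
            continue
        times = seen.get(frozenset((m["src"], m["dst"])), [])
        i = bisect.bisect_right(times, closed_at)  # ignore packets after the close
        if i == 0:
            continue  # nothing captured for this flow before the close
        age = closed_at - times[i - 1]
        if age < max_idle:
            findings.append(Finding(m["src"], m["dst"], closed_at, age))
    return findings


# Constructed sample data (timestamps in seconds, not from the issue).
SAMPLE_LOG = [
    (105.0, "com.docker.vpnkit[505]: TCP 192.168.65.3:39220 > 192.168.0.59:6000 closing flow due to idle port disconnection"),
    (100.0, "com.docker.vpnkit[505]: TCP 192.168.65.3:40000 > 192.168.0.59:6000 closing flow due to idle port disconnection"),
]
SAMPLE_PACKETS = [  # (time, source, destination), e.g. exported from tcpdump
    (100.0, "192.168.65.3:39220", "192.168.0.59:6000"),
    (102.0, "192.168.0.59:6000", "192.168.65.3:39220"),
    (104.0, "192.168.65.3:39220", "192.168.0.59:6000"),
    (90.0, "192.168.65.3:40000", "192.168.0.59:6000"),
]

if __name__ == "__main__":
    for f in closed_while_active(SAMPLE_LOG, SAMPLE_PACKETS, max_idle=5):
        print(f"{f.src} > {f.dst} closed {f.last_packet_age:.1f}s after last packet")
```

With `max_idle=5`, matching the `vpnKitPortMaxIdleTime` value used in the reproduction steps, only the first constructed flow is reported; the second had been silent for 10 seconds when it was closed.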

I believe this is possibly related to: https://github.com/docker/for-mac/issues/3679

zbentzinger Aug 02 '19 23:08