Any container will lost TCP connection after while

[esler]

Expected behavior

Established TCP connection should hold indefinitely if idle.

Actual behavior

TCP/IP connection is lost after two minutes or so.

root@c48ec39e3f3d:/# time telnet 192.168.1.122 1234
Trying 192.168.1.122...
Connected to 192.168.1.122.
Escape character is '^]'.
Connection closed by foreign host.

real	0m52.356s
user	0m0.000s
sys	0m0.000s

root@c48ec39e3f3d:/# time telnet 192.168.1.122 1234
Trying 192.168.1.122...
Connected to 192.168.1.122.
Escape character is '^]'.
Connection closed by foreign host.

real	1m47.675s
user	0m0.000s
sys	0m0.000s

root@c48ec39e3f3d:/# time telnet 192.168.1.122 1234
Trying 192.168.1.122...
Connected to 192.168.1.122.
Escape character is '^]'.
Connection closed by foreign host.

real	1m39.917s
user	0m0.000s
sys	0m0.000s

Information

Docker for Mac: version: 17.12.0-ce-mac45 (a61e84b8bca06b1ae6ce058cdd7beab1520ad622)
macOS: version 10.13.2 (build: 17C88)
logs: /tmp/62A6C381-4D5A-4300-A5AA-5FE9EF03F634/20180111-165227.tar.gz
[OK]     db.git
[OK]     vmnetd
[OK]     dns
[OK]     driver.amd64-linux
[OK]     virtualization VT-X
[OK]     app
[OK]     moby
[OK]     system
[OK]     moby-syslog
[OK]     kubernetes
[OK]     env
[OK]     virtualization kern.hv_support
[OK]     slirp
[OK]     osxfs
[OK]     moby-console
[OK]     logs
[OK]     docker-cli
[OK]     menubar
[OK]     disk

Steps to reproduce the behavior

1. run netcat on host machine, eg. nc -l 0.0.0.0 1234
2. from inside a container connect to netcat, eg. telnet 192.168.1.1 1234
3. wait for connection loss

I tried this simple proof of issue on container debian:stable-slim with installed telnet. If I run same commands on host machine directly, connection will hold.

It's affecting any idle TCP connection.

Edit:
My colleague is having same issue on Docker for Windows

[esler]

#2384 - could be the same problem

[asher-pembroke]

This really hurts builds in my case

[djs55]

Thanks for the report. There is currently a 2 minute timeout on idle connections in the stateful firewall but there is also code which attempts to trigger TCP keep-alive packets every few seconds. I suspect the keep-alive code isn't working.

[smk]

#2421 - seems to be the same problem

[tmshn]

Does this problem only happens in docker for Mac? Or may affect any other platforms?

I’m facing this issue on my local machine and warring about any potential of failure when I deploy it to the production environment, which is Linux.

[djs55]

@tmshn this problem only affects Docker for Mac. Everything should work ok in production on Linux.

@esler I think the underlying problem with TCP keepalives was fixed in moby/vpnkit#359 and has been released to the edge channel. To test it I created a TCP connection from a container to the host via nc and confirmed it was still established after 8 minutes of idle time.

Thanks everyone for the report!

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked