mirror/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-06-19 07:35:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #25070 from AkihiroSuda/rootless-29.5-fix

Browse Source 
engine/security/rootless/troubleshoot: fix "Historical limitations"
This commit is contained in:
Paweł Gronowski
2026-06-16 14:28:40 +02:00
committed by GitHub
parent 3fe12de8c0 47b513708c
commit 6d759c7482
1 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/manuals/engine/security/rootless/troubleshoot.md
+8 -5
View File
@@ -77,15 +77,18 @@ weight: 30
- Exposing SCTP ports
- To use the `ping` command, see [Routing ping packets](./tips.md#routing-ping-packets).
- To expose privileged TCP/UDP ports (< 1024), see [Exposing privileged ports](./tips.md#exposing-privileged-ports).
- `IPAddress` shown in `docker inspect` is namespaced inside RootlessKit's network namespace.
This means the IP address is not reachable from the host without `nsenter`-ing into the network namespace.
- Port forwarding with `docker run -p` does not propagate source IP addresses by default.
See [`docker run -p` does not propagate source IP addresses](#docker-run--p-does-not-propagate-source-ip-addresses) to enable source IP propagation.
- NFS mounts as the docker "data-root" is not supported. This limitation is not specific to rootless mode.
### Historical limitations
#### Until Docker Engine v29.5
- `IPAddress` shown in `docker inspect` is namespaced inside RootlessKit's network namespace.
This means the IP address is not reachable from the host without `nsenter`-ing into the network namespace.
- Host network (`docker run --net=host`) is also namespaced inside RootlessKit.
- Host network (`docker run --net=host`) was namespaced inside RootlessKit.
This meant that ports listened by containers with `--net=host` were not reachable from the real host network namespace.
## Troubleshooting
@@ -280,8 +283,8 @@ For details, see [Routing ping packets](./tips.md#routing-ping-packets).
#### `IPAddress` shown in `docker inspect` is unreachable
This was an expected behavior until Docker Engine v29.5, as the daemon was namespaced inside RootlessKit's
network namespace. Use `docker run -p` instead, or upgrade to Docker Engine v29.5 or later.
This is an expected behavior, as the daemon is namespaced inside RootlessKit's
network namespace. Use `docker run -p` instead.
#### `--net=host` doesn't listen ports on the host network namespace