dockerd-rootless.sh does not set proper MTU when manually specifying slirp4netns as NET

[jonasgeiler]

Description

I just noticed that the MTU that my docker service is using in rootless-mode is only at 1500, while I was sure that before it was at 65520. I investigated the issue and noticed that the rootless docker script, dockerd-rootless.sh, only set's MTU to 65520 if you DON'T specify DOCKERD_ROOTLESS_ROOTLESSKIT_NET.

The thing is, the Docker docs clearly say that I should add the following systemd drop-in file to get proper source IP addresses in my containers:

[Service]
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"

But when I add the file above, the DOCKERD_ROOTLESS_ROOTLESSKIT_NET environment variable is set, which in turn makes the dockerd-rootless.sh script SKIP the slirp4netns and --netns-type detection. This results in dockerd-rootless.sh using the default 1500 MTU. When I remove the Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns" line, dockerd-rootless.sh set's a MTU of 65520.

Due to the docs saying that I can increase the MTU to "improve performance", I believe that the dockerd-rootless.sh should properly detect DOCKERD_ROOTLESS_ROOTLESSKIT_NET being slirp4netns and then setting the MTU to 65520 when unset.

I'm open to do a PR myself.

Reproduce

1. Set up docker in rootless mode
2. Check the current MTU value with systemctl --user status docker (should be at the top in the arguments of one of the processes of rootlesskit or slirp4netns)
3. As specified in the docs, create a file at ~/.config/systemd/user/docker.service.d/override.conf with the following contents:

   [Service]
   Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns"
   Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns"
   

4. Run systemctl --user daemon-reload and systemctl --user restart docker
5. Check the new MTU value again with systemctl --user status docker

Expected behavior

slirp4netns should use an MTU of 65520, even when manually specifying DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns, but NOT when specifying DOCKERD_ROOTLESS_ROOTLESSKIT_MTU.

docker version

Client: Docker Engine - Community
 Version:           26.1.0
 API version:       1.45
 Go version:        go1.21.9
 Git commit:        9714adc
 Built:             Mon Apr 22 17:06:56 2024
 OS/Arch:           linux/amd64
 Context:           rootless

Server: Docker Engine - Community
 Engine:
  Version:          26.1.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.9
  Git commit:       c8af8eb
  Built:            Mon Apr 22 17:06:56 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.31
  GitCommit:        e377cd56a71523140ca6ae87e30244719194a521
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
 rootlesskit:
  Version:          2.0.2
  ApiVersion:       1.1.1
  NetworkDriver:    slirp4netns
  PortDriver:       slirp4netns
  StateDir:         /run/user/1000/dockerd-rootless
 slirp4netns:
  Version:          1.2.0
  GitCommit:        656041d45cfca7a4176f6b7eed9e4fe6c11e8383

docker info

Client: Docker Engine - Community
 Version:    26.1.0
 Context:    rootless
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.26.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 26.1.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: local
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: e377cd56a71523140ca6ae87e30244719194a521
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.1.0-20-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.62GiB
 Name: ordon
 ID: f47f6a19-5500-4b2d-8ba9-387146e37e04
 Docker Root Dir: /home/jonas/.local/share/docker
 Debug Mode: false
 Username: jonasgeiler
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Default Address Pools:
   Base: 172.17.0.0/16, Size: 16
   Base: 172.18.0.0/16, Size: 16
   Base: 172.19.0.0/16, Size: 16
   Base: 172.20.0.0/14, Size: 16
   Base: 172.24.0.0/14, Size: 16
   Base: 172.28.0.0/14, Size: 16
   Base: 192.168.0.0/16, Size: 20
   Base: fd42:0000:03e8::/104, Size: 112

Additional Info

(I have no idea what "MTU" actually does.)

Permalink for the code that needs adjustment in my opinion:

moby/contrib/dockerd-rootless.sh

Lines 78 to 101 in faf84d7

	if [ -z "$net" ]; then
	if command -v slirp4netns > /dev/null 2>&1; then
	# If --netns-type is present in --help, slirp4netns is >= v0.4.0.
	if slirp4netns --help | grep -qw -- --netns-type; then
	net=slirp4netns
	if [ -z "$mtu" ]; then
	mtu=65520
	fi
	else
	echo "slirp4netns found but seems older than v0.4.0. Falling back to VPNKit."
	fi
	fi
	if [ -z "$net" ]; then
	if command -v vpnkit > /dev/null 2>&1; then
	net=vpnkit
	else
	echo "Either slirp4netns (>= v0.4.0) or vpnkit needs to be installed"
	exit 1
	fi
	fi
	fi
	if [ -z "$mtu" ]; then
	mtu=1500
	fi

The git blame says @AkihiroSuda was responsible for this part of the dockerd-rootless.sh script, so I'll mention him here.

[jonasgeiler]

One possible solution is to just remove the Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns" line from the Docker docs, added by @dvdksn, but I think we should actually improve the dockerd-rootless.sh script instead.