https://github.com/moby/moby/issues/40374
https://github.com/moby/moby/issues/35082
We implemented a workaround that definitely prevents the connection resets in our case:
For all docker network namespaces:
- set sysctl parameter: net.netfilter.nf_conntrack_tcp_be_liberal=1
- add iptables rule: INPUT -m conntrack --ctstate INVALID -j DROP
- set sysctl parameter: net.ipv4.tcp_fin_timeout = 30
  sysctl -w net.ipv4.tcp_fin_timeout=30
- set sysctl parameter: net.ipv4.ip_local_port_range = 22768 60999
With the 32768-60999 range and a 60 s tcp_fin_timeout used in the calculation, this basically means your system cannot consistently guarantee more than
(61000 - 32768) / 60 = 470
sockets per second. The command for the wider range (note the quotes, since the value has two fields):
  sysctl -w net.ipv4.ip_local_port_range="22768 60999"
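The steps above collected into one script, as an added example (not code from the linked moby issues): it applies the sysctls and the INVALID-drop rule on the host and inside every running container's network namespace, and assumes root, the docker CLI, nsenter (util-linux), iptables and GNU xargs; the file name fix-conntrack.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the linked moby issues: applies the workaround
# listed above to the host and to every running container's network namespace.
# Assumes root, the docker CLI, nsenter (util-linux), iptables and GNU xargs.
set -eu

# Commands that fix the network namespace the shell is currently running in.
# The iptables rule is only inserted when `-C` cannot find it, so re-running
# the script does not pile up duplicate rules.
ns_fix_cmds() {
  cat <<'EOF'
sysctl -q -w net.netfilter.nf_conntrack_tcp_be_liberal=1
sysctl -q -w net.ipv4.tcp_fin_timeout=30
sysctl -q -w net.ipv4.ip_local_port_range="22768 60999"
iptables -C INPUT -m conntrack --ctstate INVALID -j DROP 2>/dev/null \
  || iptables -I INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

# Run the fix in one namespace: "host", or the PID of a container's init
# process (nsenter -n switches into that process's network namespace).
# With DRY_RUN=1 the command line is printed instead of executed.
apply_ns() {
  if [ "$1" = host ]; then
    runner="sh -s"
  else
    runner="nsenter -t $1 -n -- sh -s"
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$runner"
  else
    ns_fix_cmds | $runner
  fi
}

# Init PIDs of all running containers; each one is a handle on its netns.
container_pids() {
  docker ps -q | xargs -r docker inspect --format '{{.State.Pid}}'
}

main() {
  apply_ns host
  for pid in $(container_pids); do
    apply_ns "$pid"
  done
}

# Only act when invoked as `./fix-conntrack.sh apply`; sourcing does nothing.
case "${1:-}" in apply) main ;; esac
```

Containers started with --net host share the host namespace and are covered by the host pass; containers started later need the script run again, since new namespaces start with default settings.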
For testing, use siege:
siege -c 100 -b -t20s http://php.ksi.kiev.ua:3000/
Check the current values before starting the service:
sysctl -a | grep -E "net.ipv4.tcp_fin_timeout|net.ipv4.ip_local_port_range"
Start the test service:
docker run -d --rm --net bridge -m 0b -p 3000:80 --name test nginx