rootlesskit icon indicating copy to clipboard operation
rootlesskit copied to clipboard
verified publisher icon rootless-containers

[v1.0.1] Port forwarding fails under high concurrency load. (accept4: too many open files)

Open Javier-VL opened this issue 2 months ago • 6 comments

Port forwarding fails under high concurrency load. Using ApacheBench with high concurrency causes the container to stop accepting connections.

Steps to reproduce:

  • Start a rootless container with NGINX exposed on port 8081.
  • Run ApacheBench from a remote host: ab -n 10000 -c 900 http://:8081/
  • Observe that connections begin to fail: curl http://:8081/

curl: (7) Failed to connect to port 8081: Could not connect to server

Expected behavior: Port forwarding should remain stable and accept connections even under high concurrency. Actual behavior: Connections are refused. Docker debug logs show: port/builtin: accept: accept tcp4 0.0.0.0:8081: accept4: too many open files

... Comparison with slirp4netns port driver We tested the same setup using the slirp4netns port driver instead of builtin, by modifying the following line in dockerd-rootless.sh: : "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:=builtin}"

Changed to: : "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:=slirp4netns}"

 Environment:

  • slirp4netns version: 1.2.0-beta.0+dev Results:
  • ApacheBench with ab -n 10000 -c 900 completes ~9764 requests.
  • Occasionally hits: apr_socket_recv: Connection reset by peer (104)
  • But ports remain open and responsive afterward.
  • curl tests continue to work even after high load.

Conclusion: While the issue with port/builtin may not be identical, switching to slirp4netns for port forwarding avoids the port closure behavior under high concurrency. Delegating port forwarding to slirp4netns appears to mitigate the "too many open files" error.

Reported a similar behavior at:,https://github.com/moby/moby/issues/51248, while trying to hit a sporadic curl 56 error, im getting this errors instead

bash-5.1$ docker version Client: Version: 24.0.5 API version: 1.43 Go version: go1.20.7 Git commit: b74562d917 Built: Thu Oct 23 02:09:31 2025 OS/Arch: linux/amd64 Context: default Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running? bash-5.1$ export DOCKER_HOST=unix:///run/user/500/docker.sock bash-5.1$ docker version Client: Version: 24.0.5 API version: 1.43 Go version: go1.20.7 Git commit: b74562d917 Built: Thu Oct 23 02:09:31 2025 OS/Arch: linux/amd64 Context: default

Server: Engine: Version: 24.0.5 API version: 1.43 (minimum version 1.12) Go version: go1.20.7 Git commit: 00e46f85f6e46bb4b02c33da253f901c473794e9 Built: Thu Oct 23 02:08:02 2025 OS/Arch: linux/amd64 Experimental: true containerd: Version: v1.7.20.m GitCommit: 8fc6bcff51318944179630522a095cc9dbf9f353.m runc: Version: 1.1.7+dev GitCommit: v1.0.0-rc94-766-gb6109acd-dirty docker-init: Version: 0.19.0 GitCommit: b9f42a0-dirty rootlesskit: Version: 1.0.1 ApiVersion: 1.1.1 NetworkDriver: slirp4netns PortDriver: slirp4netns StateDir: /tmp/rootlesskit1616269797 slirp4netns: Version: 1.2.0-beta.0+dev GitCommit: unknown

Javier-VL avatar Oct 23 '25 18:10 Javier-VL