I’m doing a deep dive trying to understand docker-desktop networking in WSL2.
My understanding so far:
- WSL2 is a single lightweight Hyper-V VM, which is not visible in Hyper-V Manager or with any PowerShell commands.
- All WSL2 distros actually run in that single Hyper-V VM in different namespaces (i.e. separate containers).
- With default (NAT) networking configured in .wslconfig, each distro has an eth0 that connects to the internal “WSL (Hyper-V firewall)” switch on the Windows host.
- Installing docker-desktop creates a distro called docker-desktop that lives in that same Hyper-V VM (wsl --list). This distro is a bootstrapping distro that does two important things:
  - Runs VPNKit, which handles proxying and is responsible for a lot of the integration magic.
    - For example, it proxies traffic to the docker backend (which performs NAT and acts as a virtual gateway, 192.168.65.1).
  - Creates yet another container (LinuxKit).
    - The LinuxKit container is where the docker engine runs and where you can see all the docker networking interfaces (bridges, veth pairs, ...) you'd expect to see.
I’m curious about the eth0 interface in the LinuxKit container:
- Is it one end of a veth pair?
- Does it connect to the (Hyper-V firewall) switch (I couldn’t find a command in PowerShell to list out connected interfaces)?
- Or is it a dummy interface (created by something like "ip link add eth0 type dummy")?
- I'm assuming VPNKit somehow intercepts all outgoing traffic from that interface, but I'm wondering how that happens. iptables doesn't seem to be involved.
There’s also a “services” interface (192.168.65.6) that I don’t understand well.
I’m just curious about how that piece of the puzzle works.
Thanks.
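Added note (not part of the original post): one way to settle the veth-vs-dummy question empirically is to run `ip -d link show eth0` wherever that eth0 lives and read the link kind (`veth`, `dummy`, ...) that the detailed output prints on the line after the MAC address; a plain virtual or physical NIC has no such line. The helper below classifies that output; the sample outputs are constructed here and are not captured from Docker Desktop.

```shell
#!/bin/sh
# Classify a Linux interface from the text of `ip -d link show <dev>`.
# With -d, ip prints the link kind as the first word of a line after the
# "link/ether ..." line (e.g. "veth", "dummy", "bridge"); an enslaved port
# prints "bridge_slave", which is deliberately not matched as a kind.
link_kind() {
    # $1: output of `ip -d link show <dev>`; prints the kind, or "none"
    kind=$(printf '%s\n' "$1" | awk '
        $1 ~ /^(veth|dummy|bridge|macvlan|ipvlan|tun|vxlan|bond)$/ { print $1; exit }
    ')
    if [ -n "$kind" ]; then printf '%s\n' "$kind"; else printf 'none\n'; fi
}

# Constructed sample: one end of a veth pair (note the @ifN peer index).
SAMPLE_VETH='5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 promiscuity 0
    veth addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536'

# Constructed sample: a dummy interface (ip link add eth0 type dummy).
SAMPLE_DUMMY='3: eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/ether 5a:21:9c:4e:2b:11 brd ff:ff:ff:ff:ff:ff promiscuity 0
    dummy addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# Constructed sample: a plain (e.g. virtio) NIC, no kind line at all.
SAMPLE_NIC='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:15:5d:3a:1f:02 brd ff:ff:ff:ff:ff:ff promiscuity 0 addrgenmode eui64'

# Stand-alone usage: prints veth, dummy, none.
link_kind "$SAMPLE_VETH"
link_kind "$SAMPLE_DUMMY"
link_kind "$SAMPLE_NIC"
```

In practice, pipe the real output in: `link_kind "$(ip -d link show eth0)"` from a shell inside the environment you are inspecting.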