Use option userland-proxy=false
Set this option to avoid a separate docker-proxy process for every port mapped from a container to the host. Somehow this option survived with its default of true into Docker 18.09.
It isn't even documented anymore. The docs for Docker 17.09 still had a section about the userland-proxy option with a good explanation of how it works. That page even mentions the advantage of running without userland proxies and with iptables rules instead:
this alternative is preferred for performance reasons
https://docs.docker.com/v17.09/engine/userguide/networking/default_network/binding/
It also contains a warning that with iptables rules, port conflicts are harder to detect.
The documentation for Docker 18.09, however, explains neither the option nor its performance penalty.
So from my point of view, having a userland process copy traffic from the host port to the container port doesn't make sense when the same can be accomplished with iptables rules in the kernel. Since Docker manages the necessary rules completely, this is a simple improvement.
Check logging
Check the log files in /var/lib/docker/containers/*/*log:
- check whether you have verbose containers
- in my case the biggest producer of logs was PHP-FPM, so I had to disable access logs in its config.
- set up log rotation in Docker
Example config
So my current config /etc/docker/daemon.json looks like this:
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "userland-proxy": false
}
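As an added example (not code from the original post), the checks from both sections above as small shell functions: whether daemon.json disables the userland proxy and configures log rotation, how many docker-proxy processes are currently running, and which containers produce the most log data. The paths default to Docker's real locations but are parameters, so the functions can also be pointed at a copy of the config or log tree.

```shell
#!/bin/sh
# Added example, not part of the original post: audit helpers for the two
# daemon settings discussed above. Paths default to Docker's real layout and
# can be overridden, so the helpers also run against a constructed tree.

# Return 0 when daemon.json (default /etc/docker/daemon.json) sets
# "userland-proxy": false, 1 otherwise. The key is a fixed string in a small
# file, so a plain grep is enough here and no JSON parser is needed.
userland_proxy_disabled() {
    conf="${1:-/etc/docker/daemon.json}"
    [ -f "$conf" ] && grep -Eq '"userland-proxy"[[:space:]]*:[[:space:]]*false' "$conf"
}

# Return 0 when json-file rotation is configured (both max-size and max-file
# present in daemon.json), 1 otherwise.
log_rotation_configured() {
    conf="${1:-/etc/docker/daemon.json}"
    [ -f "$conf" ] && grep -q '"max-size"' "$conf" && grep -q '"max-file"' "$conf"
}

# Print the number of docker-proxy processes running right now. With the
# default userland-proxy=true this is one per published port; after setting
# it to false and restarting the daemon it should be 0.
docker_proxy_count() {
    ps -eo comm= | grep -c '^docker-proxy$' || true
}

# Per-container log usage, largest first, as "<bytes> <container-id>".
# Rotated files (*-json.log.1, ...) are summed into their container, so the
# first lines are the verbose containers worth quieting (PHP-FPM in the post).
log_usage() {
    root="${1:-/var/lib/docker/containers}"
    for f in "$root"/*/*-json.log*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(wc -c < "$f")" "$(basename "$(dirname "$f")")"
    done | awk '{ total[$2] += $1 } END { for (id in total) print total[id], id }' | sort -rn
}
```

Run `log_usage` before and after enabling rotation; once max-size/max-file are in effect no single container should exceed max-size multiplied by max-file (30 MB with the config above).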