From 6a47f67b0e3ed284693808fb15ebc530f271b2dc Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Fri, 15 Dec 2023 14:28:03 +0100 Subject: [PATCH] Switch over to xtables-legacy when nf_tables module isn't available PR 461 updated Alpine to 3.19 and made a change to load the nf_tables kernel module if needed. However, as demonstrated by 463 and 464 this might break when the host system doesn't have the nf_tables module available. In that case, we should still try to load the ip_tables module and symlink /sbin/iptables to xtables-legacy-multi. Signed-off-by: Albin Kerouanton --- 24/dind/Dockerfile | 25 +++++++++++++++++++++++++ 24/dind/dockerd-entrypoint.sh | 8 ++++++-- 25-rc/dind/Dockerfile | 25 +++++++++++++++++++++++++ 25-rc/dind/dockerd-entrypoint.sh | 8 ++++++-- Dockerfile-dind.template | 25 +++++++++++++++++++++++++ dockerd-entrypoint.sh | 8 ++++++-- 6 files changed, 93 insertions(+), 6 deletions(-) diff --git a/24/dind/Dockerfile b/24/dind/Dockerfile index 064a9a4bf..441c920ee 100644 --- a/24/dind/Dockerfile +++ b/24/dind/Dockerfile @@ -30,6 +30,31 @@ RUN set -eux; \ # TODO aufs-tools +# dind might be used on systems where the nf_tables kernel module isn't available. In that case, +# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463 +RUN set -eux; \ + apk add --no-cache iptables-legacy; \ +# set up a symlink farm we can use PATH to switch to legacy with + mkdir /usr/local/bin/.iptables-legacy; \ +# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73 + for f in \ + iptables \ + iptables-save \ + iptables-restore \ + ip6tables \ + ip6tables-save \ + ip6tables-restore \ + ; do \ +# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc. +# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64 + b="/sbin/${f/tables/tables-legacy}"; \ + "$b" --version; \ + ln -svT "$b" "/usr/local/bin/.iptables-legacy/$f"; \ + done; \ +# verify it works (and gets us legacy) + export PATH="/usr/local/bin/.iptables-legacy:$PATH"; \ + iptables --version | grep legacy + # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box RUN set -eux; \ addgroup -S dockremap; \ diff --git a/24/dind/dockerd-entrypoint.sh b/24/dind/dockerd-entrypoint.sh index 056ee2ae0..1a5cb4047 100755 --- a/24/dind/dockerd-entrypoint.sh +++ b/24/dind/dockerd-entrypoint.sh @@ -144,11 +144,15 @@ if [ "$1" = 'dockerd' ]; then set -- docker-init -- "$@" if ! iptables -nL > /dev/null 2>&1; then - # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example) + # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example) # https://github.com/docker-library/docker/issues/350 # https://github.com/moby/moby/issues/26824 # https://github.com/docker-library/docker/pull/437#issuecomment-1854900620 - modprobe nf_tables || : + if ! modprobe nf_tables; then + modprobe ip_tables || : + # see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up) + export PATH="/usr/local/bin/.iptables-legacy:$PATH" + fi fi uid="$(id -u)" diff --git a/25-rc/dind/Dockerfile b/25-rc/dind/Dockerfile index 6e1182008..3c7519488 100644 --- a/25-rc/dind/Dockerfile +++ b/25-rc/dind/Dockerfile @@ -30,6 +30,31 @@ RUN set -eux; \ # TODO aufs-tools +# dind might be used on systems where the nf_tables kernel module isn't available. In that case, +# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463 +RUN set -eux; \ + apk add --no-cache iptables-legacy; \ +# set up a symlink farm we can use PATH to switch to legacy with + mkdir /usr/local/bin/.iptables-legacy; \ +# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73 + for f in \ + iptables \ + iptables-save \ + iptables-restore \ + ip6tables \ + ip6tables-save \ + ip6tables-restore \ + ; do \ +# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc. +# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64 + b="/sbin/${f/tables/tables-legacy}"; \ + "$b" --version; \ + ln -svT "$b" "/usr/local/bin/.iptables-legacy/$f"; \ + done; \ +# verify it works (and gets us legacy) + export PATH="/usr/local/bin/.iptables-legacy:$PATH"; \ + iptables --version | grep legacy + # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box RUN set -eux; \ addgroup -S dockremap; \ diff --git a/25-rc/dind/dockerd-entrypoint.sh b/25-rc/dind/dockerd-entrypoint.sh index 056ee2ae0..1a5cb4047 100755 --- a/25-rc/dind/dockerd-entrypoint.sh +++ b/25-rc/dind/dockerd-entrypoint.sh @@ -144,11 +144,15 @@ if [ "$1" = 'dockerd' ]; then set -- docker-init -- "$@" if ! iptables -nL > /dev/null 2>&1; then - # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example) + # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example) # https://github.com/docker-library/docker/issues/350 # https://github.com/moby/moby/issues/26824 # https://github.com/docker-library/docker/pull/437#issuecomment-1854900620 - modprobe nf_tables || : + if ! modprobe nf_tables; then + modprobe ip_tables || : + # see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up) + export PATH="/usr/local/bin/.iptables-legacy:$PATH" + fi fi uid="$(id -u)" diff --git a/Dockerfile-dind.template b/Dockerfile-dind.template index f8b585328..57e1c0fea 100644 --- a/Dockerfile-dind.template +++ b/Dockerfile-dind.template @@ -25,6 +25,31 @@ RUN set -eux; \ # TODO aufs-tools +# dind might be used on systems where the nf_tables kernel module isn't available. In that case, +# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463 +RUN set -eux; \ + apk add --no-cache iptables-legacy; \ +# set up a symlink farm we can use PATH to switch to legacy with + mkdir /usr/local/bin/.iptables-legacy; \ +# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73 + for f in \ + iptables \ + iptables-save \ + iptables-restore \ + ip6tables \ + ip6tables-save \ + ip6tables-restore \ + ; do \ +# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc. +# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64 + b="/sbin/${f/tables/tables-legacy}"; \ + "$b" --version; \ + ln -svT "$b" "/usr/local/bin/.iptables-legacy/$f"; \ + done; \ +# verify it works (and gets us legacy) + export PATH="/usr/local/bin/.iptables-legacy:$PATH"; \ + iptables --version | grep legacy + # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box RUN set -eux; \ addgroup -S dockremap; \ diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh index 056ee2ae0..1a5cb4047 100755 --- a/dockerd-entrypoint.sh +++ b/dockerd-entrypoint.sh @@ -144,11 +144,15 @@ if [ "$1" = 'dockerd' ]; then set -- docker-init -- "$@" if ! iptables -nL > /dev/null 2>&1; then - # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example) + # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example) # https://github.com/docker-library/docker/issues/350 # https://github.com/moby/moby/issues/26824 # https://github.com/docker-library/docker/pull/437#issuecomment-1854900620 - modprobe nf_tables || : + if ! modprobe nf_tables; then + modprobe ip_tables || : + # see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up) + export PATH="/usr/local/bin/.iptables-legacy:$PATH" + fi fi uid="$(id -u)"