Switch over to xtables-legacy when nf_tables module isn't available #465

Merged (2 commits) on Dec 15, 2023
25 changes: 25 additions & 0 deletions 24/dind/Dockerfile

8 changes: 6 additions & 2 deletions 24/dind/dockerd-entrypoint.sh

25 changes: 25 additions & 0 deletions 25-rc/dind/Dockerfile

8 changes: 6 additions & 2 deletions 25-rc/dind/dockerd-entrypoint.sh

25 changes: 25 additions & 0 deletions Dockerfile-dind.template
@@ -25,6 +25,31 @@ RUN set -eux; \

# TODO aufs-tools

# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
RUN set -eux; \
apk add --no-cache iptables-legacy; \
# set up a symlink farm we can use PATH to switch to legacy with
mkdir -p /usr/local/sbin/.iptables-legacy; \
# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73
for f in \
iptables \
iptables-save \
iptables-restore \
ip6tables \
ip6tables-save \
ip6tables-restore \
; do \
# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc.
# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64
b="/sbin/${f/tables/tables-legacy}"; \
"$b" --version; \
ln -svT "$b" "/usr/local/sbin/.iptables-legacy/$f"; \
done; \
# verify it works (and gets us legacy)
export PATH="/usr/local/sbin/.iptables-legacy:$PATH"; \
iptables --version | grep legacy

# set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
RUN set -eux; \
addgroup -S dockremap; \
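Review bot: the PATH-prepend approach only redirects programs that resolve `iptables` by bare name; anything that execs `/sbin/iptables` directly still gets the Alpine-provided nft wrapper, so a container can end up with rules split across two backends, which is hard to audit. Suggest stating that limitation in the comment above this `RUN` (next to the issue link) so the `.iptables-legacy` directory is not mistaken for a system-wide switch. Two smaller things in the loop: `${f/tables/tables-legacy}` is a bash-style substitution rather than POSIX sh, so the build depends on BusyBox ash's bash-compatibility extensions (worth a comment), and the `"$b" --version` call before each `ln` is good, since a missing legacy binary fails the build under `set -e` instead of leaving a dangling symlink.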
8 changes: 6 additions & 2 deletions dockerd-entrypoint.sh
@@ -144,11 +144,15 @@ if [ "$1" = 'dockerd' ]; then
set -- docker-init -- "$@"

if ! iptables -nL > /dev/null 2>&1; then
# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example)
# https://github.com/docker-library/docker/issues/350
# https://github.com/moby/moby/issues/26824
# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
modprobe nf_tables || :
if ! modprobe nf_tables; then
modprobe ip_tables || :
# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
Member (inline review comment):
A nice side benefit of this method is that users having trouble with it misfiring (somehow) can just hide this directory somehow, like bind-mounting /dev/null on top of it, and the container will happily continue using the default Alpine-provided iptables symlink. 👍

fi
fi

uid="$(id -u)"
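Review bot: the fallback in the `if ! modprobe nf_tables; then` branch is silent: the script prepends the legacy directory to `PATH` and carries on, but nothing tells the operator which backend dockerd ended up with, and nothing re-checks that `iptables -nL` now succeeds. Suggest an `echo >&2 'nf_tables unavailable; falling back to iptables-legacy'` in that branch and a second `iptables -nL` probe after the closing `fi`, so a host where neither backend works fails early with a clear message rather than at dockerd's first rule insertion. Note also that the switch is keyed on the exit status of `modprobe` alone, so any reason modprobe fails (not only a genuinely absent module) selects the legacy backend; that is acceptable behind the outer `if ! iptables -nL` guard, but it deserves a line in the comment next to the issue link.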