Update docker #15921

Merged: 1 commit merged on Dec 15, 2023

Conversation

@tianon (Member) commented Dec 15, 2023

Changes:

- docker-library/docker@7ac5702: Switch over to xtables-legacy when nf_tables module isn't available (docker-library/docker#465)

Diff for 7226916:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index 99ca117..92170a9 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -9,7 +9,7 @@ Directory: 24/cli
 
 Tags: 24.0.7-dind, 24.0-dind, 24-dind, dind, 24.0.7-dind-alpine3.19, 24.0.7, 24.0, 24, latest, 24.0.7-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8
-GitCommit: 4c2674df4f40c965cdb8ccc77b8ce9dbc247a6c9
+GitCommit: 7ac5702b51ae559c03bfe90404f4b8c63977c601
 Directory: 24/dind
 
 Tags: 24.0.7-dind-rootless, 24.0-dind-rootless, 24-dind-rootless, dind-rootless
@@ -45,7 +45,7 @@ Directory: 25-rc/cli
 
 Tags: 25.0.0-beta.2-dind, 25-rc-dind, rc-dind, 25.0.0-beta.2-dind-alpine3.19, 25.0.0-beta.2, 25-rc, rc, 25.0.0-beta.2-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8
-GitCommit: 4c2674df4f40c965cdb8ccc77b8ce9dbc247a6c9
+GitCommit: 7ac5702b51ae559c03bfe90404f4b8c63977c601
 Directory: 25-rc/dind
 
 Tags: 25.0.0-beta.2-dind-rootless, 25-rc-dind-rootless, rc-dind-rootless
diff --git a/docker_24.0.7-alpine3.19/Dockerfile b/docker_24.0.7-alpine3.19/Dockerfile
index 064a9a4..1cb7551 100644
--- a/docker_24.0.7-alpine3.19/Dockerfile
+++ b/docker_24.0.7-alpine3.19/Dockerfile
@@ -30,6 +30,31 @@ RUN set -eux; \
 
 # TODO aufs-tools
 
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
+# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+RUN set -eux; \
+	apk add --no-cache iptables-legacy; \
+# set up a symlink farm we can use PATH to switch to legacy with
+	mkdir -p /usr/local/sbin/.iptables-legacy; \
+# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73
+	for f in \
+		iptables \
+		iptables-save \
+		iptables-restore \
+		ip6tables \
+		ip6tables-save \
+		ip6tables-restore \
+	; do \
+# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc.
+# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64
+		b="/sbin/${f/tables/tables-legacy}"; \
+		"$b" --version; \
+		ln -svT "$b" "/usr/local/sbin/.iptables-legacy/$f"; \
+	done; \
+# verify it works (and gets us legacy)
+	export PATH="/usr/local/sbin/.iptables-legacy:$PATH"; \
+	iptables --version | grep legacy
+
 # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
 RUN set -eux; \
 	addgroup -S dockremap; \
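Review bot: the verification at the end of this RUN (`iptables --version | grep legacy`) only exercises the IPv4 binary, while the symlink farm also covers `ip6tables`, `ip6tables-save` and `ip6tables-restore`; adding `ip6tables --version | grep legacy` would catch a broken or missing ip6tables-legacy link at build time rather than at dockerd startup. The per-binary `"$b" --version` in the loop already guards against a missing target, so under `set -e` the build fails loudly if the iptables-legacy package layout changes, which is the right failure mode to keep.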
diff --git a/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh b/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh
index 056ee2a..c15a624 100755
--- a/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh
+++ b/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh
@@ -144,11 +144,15 @@ if [ "$1" = 'dockerd' ]; then
 	set -- docker-init -- "$@"
 
 	if ! iptables -nL > /dev/null 2>&1; then
-		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
+		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example)
 		# https://github.com/docker-library/docker/issues/350
 		# https://github.com/moby/moby/issues/26824
 		# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
-		modprobe nf_tables || :
+		if ! modprobe nf_tables; then
+			modprobe ip_tables || :
+			# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
+			export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
+		fi
 	fi
 
 	uid="$(id -u)"
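Review bot: after the fallback switches PATH to `/usr/local/sbin/.iptables-legacy`, nothing re-runs the `iptables -nL` probe, and `modprobe ip_tables || :` swallows its own failure, so when neither backend works the operator only sees dockerd's later error without knowing which iptables variant was tried. Consider re-probing after the `export PATH=...` and writing a one-line notice to stderr (for example `echo >&2 'nf_tables unavailable, falling back to iptables-legacy'`) so the chosen backend is visible in the container log; the exported PATH is inherited by dockerd and every process it spawns, so the notice also documents a process-wide change.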
diff --git a/docker_25.0.0-beta.2-alpine3.19/Dockerfile b/docker_25.0.0-beta.2-alpine3.19/Dockerfile
index 6e11820..72f8279 100644
--- a/docker_25.0.0-beta.2-alpine3.19/Dockerfile
+++ b/docker_25.0.0-beta.2-alpine3.19/Dockerfile
@@ -30,6 +30,31 @@ RUN set -eux; \
 
 # TODO aufs-tools
 
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
+# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+RUN set -eux; \
+	apk add --no-cache iptables-legacy; \
+# set up a symlink farm we can use PATH to switch to legacy with
+	mkdir -p /usr/local/sbin/.iptables-legacy; \
+# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73
+	for f in \
+		iptables \
+		iptables-save \
+		iptables-restore \
+		ip6tables \
+		ip6tables-save \
+		ip6tables-restore \
+	; do \
+# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc.
+# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64
+		b="/sbin/${f/tables/tables-legacy}"; \
+		"$b" --version; \
+		ln -svT "$b" "/usr/local/sbin/.iptables-legacy/$f"; \
+	done; \
+# verify it works (and gets us legacy)
+	export PATH="/usr/local/sbin/.iptables-legacy:$PATH"; \
+	iptables --version | grep legacy
+
 # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
 RUN set -eux; \
 	addgroup -S dockremap; \
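Review bot: the `export PATH="/usr/local/sbin/.iptables-legacy:$PATH"` near the end of this RUN only affects the build-time verification step, since environment changes inside a RUN do not persist into the image; the runtime switch is done by dockerd-entrypoint.sh. Worth stating that in the `# verify it works (and gets us legacy)` comment, otherwise a reader may conclude this image defaults to the legacy backend, when the nft-backed `iptables` stays first on PATH unless the entrypoint's fallback triggers.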
diff --git a/docker_25.0.0-beta.2-alpine3.19/dockerd-entrypoint.sh b/docker_25.0.0-beta.2-alpine3.19/dockerd-entrypoint.sh
index 056ee2a..c15a624 100755
--- a/docker_25.0.0-beta.2-alpine3.19/dockerd-entrypoint.sh
+++ b/docker_25.0.0-beta.2-alpine3.19/dockerd-entrypoint.sh
@@ -144,11 +144,15 @@ if [ "$1" = 'dockerd' ]; then
 	set -- docker-init -- "$@"
 
 	if ! iptables -nL > /dev/null 2>&1; then
-		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
+		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example)
 		# https://github.com/docker-library/docker/issues/350
 		# https://github.com/moby/moby/issues/26824
 		# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
-		modprobe nf_tables || :
+		if ! modprobe nf_tables; then
+			modprobe ip_tables || :
+			# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
+			export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
+		fi
 	fi
 
 	uid="$(id -u)"
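Review bot: `modprobe ip_tables || :` only loads the IPv4 legacy table module, while the legacy symlink farm set up in the Dockerfile also provides `ip6tables`; if dockerd is configured for IPv6 on such a host, `ip6_tables` needs the same treatment (`modprobe ip6_tables || :`) or the first IPv6 rule insertion will fail the same way the IPv4 one did before this change. Separately, the reworded comment "perhaps the host is using xtables" is ambiguous, since both the nft-backed and the legacy `iptables` front-ends are xtables tooling; the condition actually handled here is a host kernel without the `nf_tables` module (legacy-only netfilter), and the comment would be clearer saying that.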

Relevant Maintainers:

@tianon tianon merged commit ade1309 into docker-library:master Dec 15, 2023
11 checks passed
@tianon tianon deleted the docker branch December 15, 2023 19:14