From 2f5b0e6b6464b87c18a680b2c729397395dce43e Mon Sep 17 00:00:00 2001
From: Albin Kerouanton
Date: Fri, 15 Dec 2023 14:28:03 +0100
Subject: [PATCH] Switch over to xtables-legacy when nf_tables module isn't available
PR #461 updated Alpine to 3.19 and made a change to load the nf_tables kernel module if needed. However, as demonstrated by #463 and #464 this might break when the host system doesn't have the nf_tables module available. In that case, we should still try to load the ip_tables module and symlink /sbin/iptables to xtables-legacy-multi.
Signed-off-by: Albin Kerouanton
---
 24/dind/Dockerfile | 3 +++
 24/dind/dockerd-entrypoint.sh | 12 +++++++++++-
 25-rc/dind/Dockerfile | 3 +++
 25-rc/dind/dockerd-entrypoint.sh | 12 +++++++++++-
 Dockerfile-dind.template | 3 +++
 dockerd-entrypoint.sh | 12 +++++++++++-
 6 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/24/dind/Dockerfile b/24/dind/Dockerfile
index 064a9a4bf..e6233694e 100644
--- a/24/dind/Dockerfile
+++ b/24/dind/Dockerfile
@@ -14,6 +14,9 @@ RUN set -eux; \
 e2fsprogs-extra \
 ip6tables \
 iptables \
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
 # we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+ iptables-legacy \
 openssl \
 shadow-uidmap \
 xfsprogs \
diff --git a/24/dind/dockerd-entrypoint.sh b/24/dind/dockerd-entrypoint.sh
index 056ee2ae0..f1768c6e5 100755
--- a/24/dind/dockerd-entrypoint.sh
+++ b/24/dind/dockerd-entrypoint.sh
@@ -143,12 +143,22 @@ if [ "$1" = 'dockerd' ]; then
 # XXX inject "docker-init" (tini) as pid1 to workaround https://github.com/docker-library/docker/issues/318 (zombie container-shim processes)
 set -- docker-init -- "$@"
+ use_xtables_legacy=false
 if ! iptables -nL > /dev/null 2>&1; then
 # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
 # https://github.com/docker-library/docker/issues/350
 # https://github.com/moby/moby/issues/26824
 # https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
- modprobe nf_tables || :
+ if ! modprobe nf_tables; then
+ modprobe ip_tables || :
+ use_xtables_legacy=true
+ fi
+ fi
+ if [ "$use_xtables_legacy" = "true" ]; then
+ ln -fs /sbin/iptables-legacy /sbin/iptables
+ # iptables-restore and iptables-save aren't used by dockerd currently, but let's not ship a half broken image.
+ ln -fs /sbin/iptables-legacy-restore /sbin/iptables-restore
+ ln -fs /sbin/iptables-legacy-save /sbin/iptables-save
 fi
 uid="$(id -u)"
diff --git a/25-rc/dind/Dockerfile b/25-rc/dind/Dockerfile
index 6e1182008..1304f5531 100644
--- a/25-rc/dind/Dockerfile
+++ b/25-rc/dind/Dockerfile
@@ -14,6 +14,9 @@ RUN set -eux; \
 e2fsprogs-extra \
 ip6tables \
 iptables \
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
 # we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+ iptables-legacy \
 openssl \
 shadow-uidmap \
 xfsprogs \
diff --git a/25-rc/dind/dockerd-entrypoint.sh b/25-rc/dind/dockerd-entrypoint.sh
index 056ee2ae0..f1768c6e5 100755
--- a/25-rc/dind/dockerd-entrypoint.sh
+++ b/25-rc/dind/dockerd-entrypoint.sh
@@ -143,12 +143,22 @@ if [ "$1" = 'dockerd' ]; then
 # XXX inject "docker-init" (tini) as pid1 to workaround https://github.com/docker-library/docker/issues/318 (zombie container-shim processes)
 set -- docker-init -- "$@"
+ use_xtables_legacy=false
 if ! iptables -nL > /dev/null 2>&1; then
 # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
 # https://github.com/docker-library/docker/issues/350
 # https://github.com/moby/moby/issues/26824
 # https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
- modprobe nf_tables || :
+ if ! modprobe nf_tables; then
+ modprobe ip_tables || :
+ use_xtables_legacy=true
+ fi
+ fi
+ if [ "$use_xtables_legacy" = "true" ]; then
+ ln -fs /sbin/iptables-legacy /sbin/iptables
+ # iptables-restore and iptables-save aren't used by dockerd currently, but let's not ship a half broken image.
+ ln -fs /sbin/iptables-legacy-restore /sbin/iptables-restore
+ ln -fs /sbin/iptables-legacy-save /sbin/iptables-save
 fi
 uid="$(id -u)"
diff --git a/Dockerfile-dind.template b/Dockerfile-dind.template
index f8b585328..564c30f71 100644
--- a/Dockerfile-dind.template
+++ b/Dockerfile-dind.template
@@ -9,6 +9,9 @@ RUN set -eux; \
 e2fsprogs-extra \
 ip6tables \
 iptables \
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
 # we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+ iptables-legacy \
 openssl \
 shadow-uidmap \
 xfsprogs \
diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
index 056ee2ae0..f1768c6e5 100755
--- a/dockerd-entrypoint.sh
+++ b/dockerd-entrypoint.sh
@@ -143,12 +143,22 @@ if [ "$1" = 'dockerd' ]; then
 # XXX inject "docker-init" (tini) as pid1 to workaround https://github.com/docker-library/docker/issues/318 (zombie container-shim processes)
 set -- docker-init -- "$@"
+ use_xtables_legacy=false
 if ! iptables -nL > /dev/null 2>&1; then
 # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
 # https://github.com/docker-library/docker/issues/350
 # https://github.com/moby/moby/issues/26824
 # https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
- modprobe nf_tables || :
+ if ! modprobe nf_tables; then
+ modprobe ip_tables || :
+ use_xtables_legacy=true
+ fi
+ fi
+ if [ "$use_xtables_legacy" = "true" ]; then
+ ln -fs /sbin/iptables-legacy /sbin/iptables
+ # iptables-restore and iptables-save aren't used by dockerd currently, but let's not ship a half broken image.
+ ln -fs /sbin/iptables-legacy-restore /sbin/iptables-restore
+ ln -fs /sbin/iptables-legacy-save /sbin/iptables-save
 fi
 uid="$(id -u)"
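Review bot: The new `if ! modprobe nf_tables; then` branch selects the legacy backend from modprobe's exit status alone and never checks that `iptables-legacy` actually works before `ln -fs /sbin/iptables-legacy /sbin/iptables` replaces the binary dockerd will use; inside a container modprobe can fail for reasons that say nothing about the host kernel (no module tree for the running kernel under /lib/modules, no CAP_SYS_MODULE), so the decision should be based on observed behaviour — re-run `iptables -nL` after the modprobe and relink only when `iptables-legacy -nL` succeeds, leaving the previous behaviour untouched when neither backend works. The hunk also leaves `ip6tables` on the nft backend even though the Dockerfile in this patch installs it, so with IPv6 enabled dockerd would drive the two address families through different backends on a kernel that has no nf_tables; the Alpine `iptables-legacy` package appears to ship `ip6tables-legacy` alongside `iptables-legacy` (verify), and the rewrite below relinks a family only when its legacy binary exists, so a working binary is never replaced by a dangling symlink. The switch is also silent, so a one-line warning on stderr would make the changed backend visible in the container log when networking later misbehaves. The enclosing `if [ "$1" = 'dockerd' ]` block starts and ends outside the hunk.
```shell
	use_xtables_legacy=false
	if ! iptables -nL > /dev/null 2>&1; then
		# … unchanged: explanatory comments and issue links …
		modprobe nf_tables || :
		# Decide on what actually works rather than on modprobe's exit status: inside a
		# container modprobe can fail (no module tree for the running kernel, no
		# CAP_SYS_MODULE) regardless of what the host kernel supports.
		if ! iptables -nL > /dev/null 2>&1; then
			modprobe ip_tables || :
			if iptables-legacy -nL > /dev/null 2>&1; then
				use_xtables_legacy=true
			fi
		fi
	fi
	if [ "$use_xtables_legacy" = "true" ]; then
		echo >&2 'warning: nf_tables is unavailable, switching iptables/ip6tables to the legacy (xtables) backend'
		# Keep the whole toolset on one backend; skip a family whose legacy binary is
		# missing so a working nft binary is never replaced by a dangling symlink.
		for tool in iptables ip6tables; do
			[ -e "/sbin/${tool}-legacy" ] || continue
			ln -fs "/sbin/${tool}-legacy" "/sbin/${tool}"
			# -restore/-save aren't used by dockerd currently, but don't ship a half-switched image
			ln -fs "/sbin/${tool}-legacy-restore" "/sbin/${tool}-restore"
			ln -fs "/sbin/${tool}-legacy-save" "/sbin/${tool}-save"
		done
	fi
```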