Load nf_tables in preparation of Alpine 3.19 #437
https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/47102 changes the default iptables backend to nf_tables. To prepare for the change (and to make sure it's not forgotten once DinD is updated), load nf_tables into the kernel.
This is unfortunately a bit more complicated because it's the host's opinion about iptables vs nftables that we need to respect here, and I think doing that correctly is going to require more coordination inside
See canonical/docker-snap#68 for somewhere else this same problem has been discussed previously (but not officially with the upstream project AFAIK) 👀
thanks for the ping; let me add @akerouanton and @robmry here
Ok, discussed with some other Moby maintainers inside Docker, and given that most users will be running this in a network namespace (and that's definitely recommended), the mismatch should be fine. That being said, I do think we should only load one or the other based on what our in-container userspace is going to actually use (which is knowable for us here), so I think we should both roll this into #461 and update it to swap cc @jnoordsij 👀 ❤️ (happy to take over from here and push this all the way through if you'd prefer 👍) I also wonder if we should, after loading the module, run something like the
@tianon I've rebased #461 to include this change and updated it in the way I think you intended to. Please check though, I'm still very much not fully aware of all the complications involved; also feel free to alter it further and finish things up!
Big thanks to all who've contributed to getting this through ❤️
Today, we faced an issue on GKE (not autopilot) from a GitLab CI runner using DIND on Kubernetes. This was the issue:
And this was the configuration:
For now we have fixed it by reverting back to Alpine 3.18.
@tianon When would this change be available in the docker:dind image? On using the latest one we are getting this issue: `ip: can't find device 'nf_tables'`
This hit us this morning (GKE using action-runner-controller) using
Ran into this today also, fixed it by replacing
Fixed by #465 which will be updated by docker-library/official-images#15921 👍
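The selection discussed in this thread (load only the module that the in-container iptables userspace will actually use) can be sketched as follows. This is an added example, not code from the PR or from the docker-library project; the function names and the sample strings are hypothetical, and it relies on iptables 1.8+ printing its backend in parentheses in `iptables --version`.

```shell
#!/bin/sh
# Added example: decide which kernel module the iptables userspace needs
# and report whether the kernel already has it loaded.

# Map an `iptables --version` line to the module for its backend.
# iptables 1.8+ prints "(nf_tables)" or "(legacy)" after the version.
backend_module() {
	case "$1" in
		*"(nf_tables)"*) echo nf_tables ;;
		*"(legacy)"*)    echo ip_tables ;;
		*) return 1 ;;   # unknown output: refuse to guess
	esac
}

# Succeed if module $1 is listed in $2 (defaults to /proc/modules).
# Modules built into the kernel do not appear there, so "not loaded"
# here only means "not loaded as a module".
module_loaded() {
	awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
		"${2:-/proc/modules}"
}

# Print a one-line plan for the given version line and modules list.
plan_module() {
	mod=$(backend_module "$1") || {
		echo "unknown iptables backend: $1" >&2
		return 2
	}
	if module_loaded "$mod" "${2:-/proc/modules}"; then
		echo "$mod: already loaded"
	else
		echo "$mod: not loaded"
	fi
}

# Typical call inside the container (commented out so the file can be
# sourced on a machine without iptables):
#   plan_module "$(iptables --version)"
```

When the result is "not loaded", the module has to come from the host kernel, which is why the errors reported above show up only on some node images.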