Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch over to xtables-legacy when nf_tables module isn't available #465

Merged
merged 2 commits into from
Dec 15, 2023
Merged

Switch over to xtables-legacy when nf_tables module isn't available #465

merged 2 commits into from
Dec 15, 2023

Conversation

akerouanton
Copy link
Contributor

PR #461 updated Alpine to 3.19 and made a change to load the nf_tables kernel module if needed. However, as demonstrated by #463 and #464 this might break when the host system doesn't have the nf_tables module available. In that case, we should still try to load the ip_tables module and symlink /sbin/iptables to xtables-legacy-multi.

@akerouanton
Switch over to xtables-legacy when nf_tables module isn't available
2f5b0e6 
PR docker-library#461 updated Alpine to 3.19 and made a change to load the nf_tables
kernel module if needed. However, as demonstrated by docker-library#463 and docker-library#464 this
might break when the host system doesn't have the nf_tables module
available. In that case, we should still try to load the ip_tables
module and symlink /sbin/iptables to xtables-legacy-multi.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
robmry
robmry reviewed Dec 15, 2023
View reviewed changes
dockerd-entrypoint.sh Outdated Show resolved Hide resolved
@tianon
Copy link
Member

tianon commented Dec 15, 2023

Nice, thanks for working on this! ❤️

Modifying /sbin/xxx at runtime is definitely making me really nervous (both overwriting files installed by a package and modifying /sbin/ in general), so I think I'd prefer if we create a directory of symlinks in the Dockerfile that the entrypoint can then use PATH tricks to activate instead. Given we're already at the end of your day (and the severity of the breaking change), I hope you don't mind me taking over instead of describing in more detail and requesting changes? 😇

@tianon tianon force-pushed the fix-nf_tables branch 2 times, most recently from 6a47f67 to e360b4d Compare December 15, 2023 18:18
tianon
tianon reviewed Dec 15, 2023
View reviewed changes
dockerd-entrypoint.sh
if ! modprobe nf_tables; then
modprobe ip_tables || :
# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A nice side benefit of this method is that users having trouble with it misfiring (somehow) is that they can just hide this directory somehow like bind-mounting /dev/null on top of it, and the container will happily continue using the default Alpine-provided iptables symlink. 👍

@tianon
Copy link
Member

tianon commented Dec 15, 2023 

/ # ls /usr/local/
bin    lib    share

grumble grumble grumble

@tianon
Adjust iptables-legacy fallback implementation to use an image-provid…
cadf44c 
…ed symlink farm instead of symlinking over package-provided files in /sbin/ at runtime
@yosifkit yosifkit merged commit 7ac5702 into docker-library:master Dec 15, 2023
8 checks passed
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Dec 15, 2023
@docker-library-bot
Update docker
7226916 
Changes:

- docker-library/docker@7ac5702: Switch over to xtables-legacy when nf_tables module isn't available (docker-library/docker#465)
This was referenced Dec 15, 2023
Merged
Closed
Closed
@yaronshaniastrix yaronshaniastrix mentioned this pull request Dec 17, 2023
Open
7 tasks
@tianon
Copy link
Member

tianon commented Dec 18, 2023

Follow-up in #468 👀

@kautsig kautsig mentioned this pull request Dec 19, 2023
Closed
martin-g pushed a commit to martin-g/docker-official-images that referenced this pull request Apr 3, 2024
@docker-library-bot @martin-g
Update docker
ec3e935 
Changes:

- docker-library/docker@7ac5702: Switch over to xtables-legacy when nf_tables module isn't available (docker-library/docker#465)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tianon tianon tianon left review comments

@robmry robmry robmry left review comments

@yosifkit yosifkit yosifkit approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@akerouanton @tianon @yosifkit @robmry