Switch over to xtables-legacy when nf_tables module isn't available (#…

…465) * Switch over to xtables-legacy when nf_tables module isn't available PR 461 updated Alpine to 3.19 and made a change to load the nf_tables kernel module if needed. However, as demonstrated by 463 and 464 this might break when the host system doesn't have the nf_tables module available. In that case, we should still try to load the ip_tables module and symlink /sbin/iptables to xtables-legacy-multi. Signed-off-by: Albin Kerouanton <[email protected]> * Adjust iptables-legacy fallback implementation to use an image-provided symlink farm instead of symlinking over package-provided files in /sbin/ at runtime --------- Signed-off-by: Albin Kerouanton <[email protected]> Co-authored-by: Tianon Gravi <[email protected]>
docker-library · Dec 15, 2023 · 7ac5702 · 7ac5702
1 parent 0411c8f
commit 7ac5702
Show file tree

Hide file tree

Showing 6 changed files with 93 additions and 6 deletions.
diff --git a/24/dind/Dockerfile b/24/dind/Dockerfile
diff --git a/24/dind/dockerd-entrypoint.sh b/24/dind/dockerd-entrypoint.sh
diff --git a/25-rc/dind/Dockerfile b/25-rc/dind/Dockerfile
diff --git a/25-rc/dind/dockerd-entrypoint.sh b/25-rc/dind/dockerd-entrypoint.sh
diff --git a/Dockerfile-dind.template b/Dockerfile-dind.template
@@ -25,6 +25,31 @@ RUN set -eux; \
 
 # TODO aufs-tools
 
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
+# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+RUN set -eux; \
+	apk add --no-cache iptables-legacy; \
+# set up a symlink farm we can use PATH to switch to legacy with
+	mkdir -p /usr/local/sbin/.iptables-legacy; \
+# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73
+	for f in \
+		iptables \
+		iptables-save \
+		iptables-restore \
+		ip6tables \
+		ip6tables-save \
+		ip6tables-restore \
+	; do \
+# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc.
+# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64
+		b="/sbin/${f/tables/tables-legacy}"; \
+		"$b" --version; \
+		ln -svT "$b" "/usr/local/sbin/.iptables-legacy/$f"; \
+	done; \
+# verify it works (and gets us legacy)
+	export PATH="/usr/local/sbin/.iptables-legacy:$PATH"; \
+	iptables --version | grep legacy
+
 # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
 RUN set -eux; \
 	addgroup -S dockremap; \

diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
@@ -144,11 +144,15 @@ if [ "$1" = 'dockerd' ]; then
 	set -- docker-init -- "$@"
 
 	if ! iptables -nL > /dev/null 2>&1; then
-		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
+		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example)
 		# https://github.com/docker-library/docker/issues/350
 		# https://github.com/moby/moby/issues/26824
 		# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
-		modprobe nf_tables || :
+		if ! modprobe nf_tables; then
+			modprobe ip_tables || :
+			# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
+			export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
+		fi
 	fi
 
 	uid="$(id -u)"