Update docker #16009

Merged
merged 1 commit into from
Jan 8, 2024
Conversation

tianon
Member

@tianon tianon commented Jan 5, 2024

Changes:

- docker-library/docker@bfe953e: Merge pull request docker-library/docker#468 from infosiftr/better-iptables

github-actions bot commented Jan 5, 2024

Diff for f05c9a8:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index 083730a..0c09762 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -9,7 +9,7 @@ Directory: 24/cli
 
 Tags: 24.0.7-dind, 24.0-dind, 24-dind, dind, 24.0.7-dind-alpine3.19, 24.0.7, 24.0, 24, latest, 24.0.7-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8
-GitCommit: 7ac5702b51ae559c03bfe90404f4b8c63977c601
+GitCommit: eb4c40e45daf9218a21526d0ebd076b627d0b882
 Directory: 24/dind
 
 Tags: 24.0.7-dind-rootless, 24.0-dind-rootless, 24-dind-rootless, dind-rootless
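Review bot: the 24/dind entry now pins GitCommit eb4c40e45daf9218a21526d0ebd076b627d0b882, while the PR description lists only docker-library/docker@bfe953e, which is the commit the 25-rc/dind entry moves to. If the 24 directory is meant to resolve to a different commit of the same upstream merge, a one-line note in the description saying so would save the next reader a trip through the upstream history to confirm the two directories are in sync.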
@@ -45,7 +45,7 @@ Directory: 25-rc/cli
 
 Tags: 25.0.0-rc.1-dind, 25-rc-dind, rc-dind, 25.0.0-rc.1-dind-alpine3.19, 25.0.0-rc.1, 25-rc, rc, 25.0.0-rc.1-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8
-GitCommit: 458a535b2ce98b44ebf9f742061f29fdae08cea0
+GitCommit: bfe953e38b9610b085d1e0f139dbe2c39556216b
 Directory: 25-rc/dind
 
 Tags: 25.0.0-rc.1-dind-rootless, 25-rc-dind-rootless, rc-dind-rootless
diff --git a/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh b/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh
index c15a624..b11a1cf 100755
--- a/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh
+++ b/docker_24.0.7-alpine3.19/dockerd-entrypoint.sh
@@ -143,17 +143,46 @@ if [ "$1" = 'dockerd' ]; then
 	# XXX inject "docker-init" (tini) as pid1 to workaround https://github.com/docker-library/docker/issues/318 (zombie container-shim processes)
 	set -- docker-init -- "$@"
 
-	if ! iptables -nL > /dev/null 2>&1; then
+	iptablesLegacy=
+	if [ -n "${DOCKER_IPTABLES_LEGACY+x}" ]; then
+		# let users choose explicitly to legacy or not to legacy
+		iptablesLegacy="$DOCKER_IPTABLES_LEGACY"
+		if [ -n "$iptablesLegacy" ]; then
+			modprobe ip_tables || :
+		else
+			modprobe nf_tables || :
+		fi
+	elif (
+		# https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?id=f5cf76626d95d2c491a80288bccc160c53b44e88#n420
+		# https://github.com/docker-library/docker/pull/468#discussion_r1442131459
+		for f in /proc/net/ip_tables_names /proc/net/ip6_tables_names /proc/net/arp_tables_names; do
+			if b="$(cat "$f")" && [ -n "$b" ]; then
+				exit 0
+			fi
+		done
+		exit 1
+	); then
+		# if we already have any "legacy" iptables rules, we should always use legacy
+		iptablesLegacy=1
+	elif ! iptables -nL > /dev/null 2>&1; then
 		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example)
 		# https://github.com/docker-library/docker/issues/350
 		# https://github.com/moby/moby/issues/26824
 		# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
-		if ! modprobe nf_tables; then
+		modprobe nf_tables || :
+		if ! iptables -nL > /dev/null 2>&1; then
+			# might be host has no nf_tables, but Alpine is all-in now (so let's try a legacy fallback)
 			modprobe ip_tables || :
+			if /usr/local/sbin/.iptables-legacy/iptables -nL > /dev/null 2>&1; then
+				iptablesLegacy=1
+			fi
+		fi
+	fi
+	if [ -n "$iptablesLegacy" ]; then
 		# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
 		export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
 	fi
-	fi
+	iptables --version # so users can see whether it's legacy or not
 
 	uid="$(id -u)"
 	if [ "$uid" != '0' ]; then
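Review bot: in the `elif (` subshell, `cat "$f"` has no stderr redirect, so on a host where none of ip_tables/ip6_tables/arp_tables is loaded (exactly the situation the later `modprobe` branches exist for) each missing /proc/net/*_tables_names file writes a `cat: can't open ...` line into the container log before detection has even finished. Consider `if b="$(cat "$f" 2>/dev/null)" && [ -n "$b" ]; then`; the `[ -n "$b" ]` test already covers the empty-file case, so nothing else needs to change. Separately, the `DOCKER_IPTABLES_LEGACY` contract (set to a non-empty value means legacy, set but empty means nftables, unset means autodetect) lives only in the `${DOCKER_IPTABLES_LEGACY+x}` test and the terse comment under it, and the explicit branch skips the `iptables -nL` sanity check the autodetect path performs, so a wrong explicit choice only surfaces later from dockerd. Both points are worth spelling out in the image documentation, since the trailing `iptables --version` is the only runtime signal of which backend was picked.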
diff --git a/docker_25.0.0-rc.1-alpine3.19/dockerd-entrypoint.sh b/docker_25.0.0-rc.1-alpine3.19/dockerd-entrypoint.sh
index c15a624..b11a1cf 100755
--- a/docker_25.0.0-rc.1-alpine3.19/dockerd-entrypoint.sh
+++ b/docker_25.0.0-rc.1-alpine3.19/dockerd-entrypoint.sh
@@ -143,17 +143,46 @@ if [ "$1" = 'dockerd' ]; then
 	# XXX inject "docker-init" (tini) as pid1 to workaround https://github.com/docker-library/docker/issues/318 (zombie container-shim processes)
 	set -- docker-init -- "$@"
 
-	if ! iptables -nL > /dev/null 2>&1; then
+	iptablesLegacy=
+	if [ -n "${DOCKER_IPTABLES_LEGACY+x}" ]; then
+		# let users choose explicitly to legacy or not to legacy
+		iptablesLegacy="$DOCKER_IPTABLES_LEGACY"
+		if [ -n "$iptablesLegacy" ]; then
+			modprobe ip_tables || :
+		else
+			modprobe nf_tables || :
+		fi
+	elif (
+		# https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?id=f5cf76626d95d2c491a80288bccc160c53b44e88#n420
+		# https://github.com/docker-library/docker/pull/468#discussion_r1442131459
+		for f in /proc/net/ip_tables_names /proc/net/ip6_tables_names /proc/net/arp_tables_names; do
+			if b="$(cat "$f")" && [ -n "$b" ]; then
+				exit 0
+			fi
+		done
+		exit 1
+	); then
+		# if we already have any "legacy" iptables rules, we should always use legacy
+		iptablesLegacy=1
+	elif ! iptables -nL > /dev/null 2>&1; then
 		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example)
 		# https://github.com/docker-library/docker/issues/350
 		# https://github.com/moby/moby/issues/26824
 		# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
-		if ! modprobe nf_tables; then
+		modprobe nf_tables || :
+		if ! iptables -nL > /dev/null 2>&1; then
+			# might be host has no nf_tables, but Alpine is all-in now (so let's try a legacy fallback)
 			modprobe ip_tables || :
+			if /usr/local/sbin/.iptables-legacy/iptables -nL > /dev/null 2>&1; then
+				iptablesLegacy=1
+			fi
+		fi
+	fi
+	if [ -n "$iptablesLegacy" ]; then
 		# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
 		export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
 	fi
-	fi
+	iptables --version # so users can see whether it's legacy or not
 
 	uid="$(id -u)"
 	if [ "$uid" != '0' ]; then
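Review bot: this hunk is byte-for-byte the same change as the docker_24.0.7-alpine3.19 one (same blob ids `c15a624..b11a1cf`, same `@@ -143,17 +143,46 @@` range), and both copies come from docker-library/docker per the Changes list above, so any fix to the unguarded `cat "$f"` in the `elif (` subshell (it needs `2>/dev/null` to stay quiet when the /proc/net/*_tables_names files are absent) has to land upstream so that both generated entrypoints pick it up on the next update rather than being patched here.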

Relevant Maintainers:

@yosifkit yosifkit merged commit a100929 into docker-library:master Jan 8, 2024
11 checks passed
@yosifkit yosifkit deleted the docker branch January 8, 2024 22:58