moby (Public)

Rootless setup: check for module nf_tables #49727


Merged
thaJeztah merged 1 commit into moby:master from robmry:rootlesskit_iptables_check on Apr 3, 2025

Conversation

robmry (Contributor)

@robmry commented Apr 1, 2025 (edited by vvoland)

- What I did

CentOS 10 uses iptables-nft by default, and doesn't have kernel module ip_tables - so dockerd-rootless-setuptool.sh reports that the module is missing. It suggests installing it (which isn't needed), or using --skip-iptables (which disables iptables in daemon config).

- How I did it

Unless the iptables --version command reports legacy, check for kernel module nf_tables instead of ip_tables.

- How to verify it

Ran the install script on a CentOS Stream 10 VM, it worked normally with these changes.

(Not tested on RHEL10 as I don't have a license.)

On a Debian host, where I could switch between iptables-nft and iptables-legacy - with kernel module ip_tables unloaded ("rlk_setup.sh" was my modified version of the script) ...

robm@debian:~$ /usr/sbin/iptables --version
iptables v1.8.9 (legacy)
robm@debian:~$ ./rlk_setup.sh install
[ERROR] Missing system requirements. Run the following commands to
[ERROR] install the requirements and run this tool again.
[ERROR] Alternatively iptables checks can be disabled with --skip-iptables .
########## BEGIN ##########
sudo sh -eux <<EOF
# Load ip_tables module
modprobe ip_tables
EOF
########## END ##########

Switched to iptables-nft, with ip_tables still not loaded, then ...

robm@debian:~$ /usr/sbin/iptables --version
iptables v1.8.9 (nf_tables)
robm@debian:~$ ./rlk_setup.sh install
[INFO] Creating /home/robm/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service...

- Human readable description for the release notes

- Fix an issue preventing rootless Docker setup on a host with no `ip_tables` kernel module.
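As an added illustration, not code from moby's dockerd-rootless-setuptool.sh: the backend-aware module choice described above, run against a constructed /proc/modules listing for a host like the CentOS 10 one. The helper names, the sample listing and the /proc/modules-based check are assumptions of this example; only the case statement follows the merged logic.

```shell
#!/bin/sh
# Added example, not code from moby's dockerd-rootless-setuptool.sh. It mirrors
# the PR's rule for choosing which kernel module to check from the output of
# "iptables --version", then checks a /proc/modules-style listing for it.

# Print the kernel module the detected iptables backend relies on. Output
# without "legacy" (including empty output, when the command failed or was
# not found) maps to nf_tables, exactly as the merged case statement does.
iptables_module_for() {
    case "$1" in
        *legacy*) echo "ip_tables" ;;
        *)        echo "nf_tables" ;;
    esac
}

# Return 0 if module $1 appears in the /proc/modules-style file $2.
# Caveat: modules built into the kernel never appear in /proc/modules (or in
# lsmod), so a listing-based check can report a false "missing" on such hosts.
module_loaded() {
    grep -q "^$1 " "$2"
}

# What the setup tool should ask for: "ok", or the modprobe command to run.
# $1 = "iptables --version" output, $2 = path to the module listing.
required_action() {
    _mod=$(iptables_module_for "$1")
    if module_loaded "$_mod" "$2"; then
        echo "ok"
    else
        echo "modprobe $_mod"
    fi
}

# Constructed sample of /proc/modules for a host running iptables-nft with
# nf_tables loaded and no ip_tables module, like the CentOS 10 case in the PR.
SAMPLE_MODULES=$(mktemp)
printf '%s\n' \
    'nf_tables 372736 120 nft_compat,nft_chain_nat, Live 0x0000000000000000' \
    'nfnetlink 20480 4 nf_tables,nft_compat, Live 0x0000000000000000' \
    'x_tables 65536 3 nft_compat, Live 0x0000000000000000' \
    > "$SAMPLE_MODULES"

# Before the fix the tool always looked for ip_tables and so failed on this host;
# with the backend-aware choice the nft case passes and only legacy asks for modprobe.
required_action "iptables v1.8.10 (nf_tables)" "$SAMPLE_MODULES"   # ok
required_action "iptables v1.8.9 (legacy)" "$SAMPLE_MODULES"       # modprobe ip_tables
```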

@robmry added this to the 28.1.0 milestone Apr 1, 2025
@robmry self-assigned this Apr 1, 2025
@robmry changed the title "Rootlesskit: check for module nf_tables" to "Rootless setup: check for module nf_tables" Apr 1, 2025
@robmry force-pushed the rootlesskit_iptables_check branch 2 times, most recently from 08e52ac to 153c124 April 2, 2025 09:02
@robmry marked this pull request as ready for review April 2, 2025 10:01
Comment on lines 187 to 190
iptables_module="nf_tables"
if [ -n "$(echo $iptables_version | grep "legacy" 2> /dev/null)" ]; then
iptables_module="ip_tables"
fi
Member

Probably don't need to grep here if we use a switch;

Suggested change
iptables_module="nf_tables"
if [ -n "$(echo $iptables_version | grep "legacy" 2> /dev/null)" ]; then
iptables_module="ip_tables"
fi
case $iptables_version in
*legacy*) iptables_module="ip_tables" ;;
*) iptables_module="nf_tables" ;;
esac

Contributor (Author)

Done - thank you.

Contributor (Author)

Un-done - now it's option 2!

Member

Thanks! Yes, I wrote one, then wrote the other comment, it was possibly a bit confusing; we got there in the end ❤️

Comment on lines 146 to 151
iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
iptables_version=""
if [ -n "$iptables_command" ]; then
iptables_version=$($iptables_command --version 2> /dev/null) || :
Member

Actually; so iptables_version is only used to set iptables_module, correct? In that case, we could just put all here? Or won't that work?

Suggested change
iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
iptables_version=""
if [ -n "$iptables_command" ]; then
iptables_version=$($iptables_command --version 2> /dev/null) || :
# Many OSs now use iptables-nft by default so, check for module nf_tables by default. But,
# if "iptables --version" worked and reported "legacy", check for module ip_tables instead.
iptables_module="nf_tables"
iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
if [ -n "$iptables_command" ]; then
iptables_version=$($iptables_command --version 2> /dev/null) || :
case $iptables_version in
*legacy*) iptables_module="ip_tables" ;;
esac

Contributor (Author)

The first block (instruction: iptables dependency check) is working out whether there's an iptables command, and the second block (instruction: ip_tables module dependency check) works out whether the kernel module is loaded.

So, I thought it was best for the second block to use the command the first block found - rather than finding the command again, but maybe a bit differently.

If that makes sense (?) ... I'll swap the grep for case, as you suggest above.

Contributor (Author)

I've taken option 1 ... can update again if needed!

Contributor (Author)

Sorry - misread, this is the first block ... done now.

@robmry force-pushed the rootlesskit_iptables_check branch from 153c124 to ad177b4 April 3, 2025 18:27
@robmry requested a review from thaJeztah April 3, 2025 18:28

CentOS 10 uses iptables-nft by default, and doesn't have kernel module ip_tables - so dockerd-rootless-setuptool.sh reports that the module is missing. It suggests installing it (which isn't needed), or using --skip-iptables (which disables iptables in daemon config).

So, unless "iptables --version" command reports "legacy", check for kernel module "nf_tables" instead of "ip_tables".

Signed-off-by: Rob Murray <rob.murray@docker.com>

@robmry force-pushed the rootlesskit_iptables_check branch from ad177b4 to f80feba April 3, 2025 19:25
Member

@tianon left a comment

Seems fine to me 👍

Member

@thaJeztah left a comment

LGTM, thanks!

@thaJeztah merged commit 4ad6854 into moby:master Apr 3, 2025
154 checks passed
Comment on lines +148 to 155
iptables_module="nf_tables"
iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
if [ -n "$iptables_command" ]; then
iptables_version=$($iptables_command --version 2> /dev/null) || :
case $iptables_version in
*legacy*) iptables_module="ip_tables" ;;
esac
faced_iptables_error=1
Contributor

This sets faced_iptables_error=1 even when iptables are available

Contributor

$ iptables --version
iptables v1.8.10 (nf_tables)
$ curl https://get.docker.com/rootless | sh -
[ERROR] Missing system requirements. Run the following commands to
[ERROR] install the requirements and run this tool again.
[ERROR] Alternatively iptables checks can be disabled with --skip-iptables .

Reviewers

@thaJeztah approved these changes
@vvoland left review comments
@tianon approved these changes
@AkihiroSuda approved these changes

Assignees

@robmry

Projects
None yet

Milestone
28.1.0

Development

Successfully merging this pull request may close these issues.

RHEL/CentOS Stream 10 does not include the iptables kernel module

5 participants
@robmry @tianon @thaJeztah @vvoland @AkihiroSuda
