controller: Check if IPTables is enabled for arrangeUserFilterRule #2339
euanh merged 2 commits into moby:master from phyber:iptables-check
Hey upstream, it would be great to have some feedback on this if you have a chance. I'd like to import this patch in Debian to solve https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903635. This bug is a blocker for the buster release, because basically docker breaks the firewall of its users when they use iptables, and that's a serious problem.
@elboulangero this should not break Debian anymore

@arkodg Thanks for the pointer, I was not aware of that! The Debian bug related to the fix you mention is #921600, and I will close it then. However there's also #903635, which is really about
This allows the `--iptables=false` argument to the `dockerd` to actually work.
Signed-off-by: David O'Rourke <[email protected]>
Please sign your commits following these rules:

$ git clone -b "iptables-check" [email protected]:phyber/libnetwork.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354571648
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.
Signed-off-by: David O'Rourke <[email protected]>
I've moved the option check and if statement into the more appropriate

I also don't know how to deal with the case where
Service_linux.go: the below functions use IPTables APIs that might create/update IPChain. With the PR, I don't think we are covering these code paths. We might end up leaving the daemon iptable configuration in a faulty state.
I am really concerned with a half fix. This will lead us into unexpected behavior when users start creating services/etc. Just my 2 cents.
@selansen can you please explain your point more?
My point is there are a few other places where we invoke iptable chain commands (I mentioned the file info in the previous comment) that are not covered as part of this fix.
full diffs:
- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:
- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config
Signed-off-by: Arko Dasgupta <[email protected]>

This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config
Addresses : docker/for-linux#810
Signed-off-by: Arko Dasgupta <[email protected]>
This reverts commit 820deef, reversing changes made to 19e372a.
Signed-off-by: Arko Dasgupta <[email protected]>

Revert "Merge pull request #2339 from phyber/iptables-check"

Revert "Merge pull request moby#2339 from phyber/iptables-check"
(cherry picked from commit 90afbb0)
Signed-off-by: Arko Dasgupta <[email protected]>
This allows the `--iptables=false` argument to `dockerd` to work correctly by checking if IPTables is enabled before creating the user filter rules in the controller.

This probably fixes:

and possibly more. I didn't dig too deep.
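As an added illustration (not code from this PR or from libnetwork), a small Go check a host administrator could run over captured `iptables -S` output to confirm that the daemon's `--iptables` setting matches what is actually in the filter table, i.e. that `--iptables=false` left no DOCKER-USER chain or FORWARD jump behind, and that `--iptables=true` did create them. The sample rules are constructed and the function names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `iptables -S` filter-table output (not from a real host):
// dockerd ran with --iptables=false yet DOCKER-USER is present (moby/libnetwork#2158).
const sampleRules = `-P FORWARD DROP
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
`

// Footprint parses `iptables -S` output: does DOCKER-USER exist, and does FORWARD jump to it?
func Footprint(rules string) (chain, forwardJump bool) {
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		if f[0] == "-N" && f[1] == "DOCKER-USER" {
			chain = true
		}
		// In -S output the jump target is the final "-j <chain>" pair of the rule.
		if f[0] == "-A" && f[1] == "FORWARD" && f[len(f)-2] == "-j" && f[len(f)-1] == "DOCKER-USER" {
			forwardJump = true
		}
	}
	return chain, forwardJump
}

// Violations compares dockerd's --iptables setting with the observed filter table.
func Violations(iptablesEnabled bool, rules string) []string {
	chain, jump := Footprint(rules)
	var v []string
	if !iptablesEnabled && (chain || jump) {
		v = append(v, "--iptables=false but DOCKER-USER chain or FORWARD jump present")
	}
	if iptablesEnabled && !(chain && jump) {
		v = append(v, "--iptables=true but DOCKER-USER chain or FORWARD jump missing")
	}
	return v
}

func main() {
	fmt.Println(Violations(false, sampleRules))
}
```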