Skip to content

Fix br_netfilter module loading logic#48960

Merged
thaJeztah merged 1 commit intomoby:masterfrom
sshedi:br_net-fix
Nov 27, 2024
Merged

Fix br_netfilter module loading logic#48960
thaJeztah merged 1 commit intomoby:masterfrom
sshedi:br_net-fix

Conversation

@sshedi
Copy link
Contributor

@sshedi sshedi commented Nov 26, 2024
edited by vvoland
Loading

Checking for /proc/sys/net/bridge directory alone is not enough to decide if bridge, br_netfilter module to be loaded. Check for specific file for each bridge & br_netfilter module and then do modprobe if the file is not found in /proc/sys/net/bridge

Fixes: #48948

Please provide the following information:
-->

- What I did
Fix loading of bridge and br_netfilter kernel modules

- How I did it
By check for presence of specific files for each module in procfs

- How to verify it

systemctl restart docker
lsmod | grep br_netfilter

- Description for the changelog

Fix loading of `bridge` and `br_netfilter` kernel modules.

- A picture of a cute animal (not mandatory but encouraged)

@sshedi
Copy link
Contributor Author

sshedi commented Nov 26, 2024

cc: @robmry

robmry
robmry requested changes Nov 26, 2024
View reviewed changes
Copy link
Contributor

@robmry robmry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this, much appreciated!

I've made some suggestions ... if they look good to you, please squash commits before pushing updates. Linking to the issue from the PR is good, but it'd be best to remove it from the commit message (so that GitHub doesn't keep adding links everywhere).

@robmry robmry added this to the 28.0.0 milestone Nov 26, 2024
@robmry
Copy link
Contributor

robmry commented Nov 26, 2024

Tests are failing with ...

setup_ip_tables_linux_test.go:394: cannot restrict inter-container communication: modprobe bridge failed: exec: "modprobe": executable file not found in $PATH

I guess that's because the directory exists, so modprobe wasn't needed before - and now arp_probe doesn't exist, so it is called.

I'm wondering if it'd be best to use a sync.Once to call loadBridgeModules to try the modprobe (without making any checks for files existing), and log the result without returning an error... if br_netfilter is already loaded, it's a cheap call so no real loss. If the sysctl files don't exist after that, getKernelBoolParam will fail and generate an error (the original error you found in the logs). I think that'd just be a bit less to go wrong, and maintain if we ever modify which sysctls we're setting?

@sshedi
Copy link
Contributor Author

sshedi commented Nov 27, 2024

Tests are failing with ...

setup_ip_tables_linux_test.go:394: cannot restrict inter-container communication: modprobe bridge failed: exec: "modprobe": executable file not found in $PATH

I guess that's because the directory exists, so modprobe wasn't needed before - and now arp_probe doesn't exist, so it is called.

I'm wondering if it'd be best to use a sync.Once to call loadBridgeModules to try the modprobe (without making any checks for files existing), and log the result without returning an error... if br_netfilter is already loaded, it's a cheap call so no real loss. If the sysctl files don't exist after that, getKernelBoolParam will fail and generate an error (the original error you found in the logs). I think that'd just be a bit less to go wrong, and maintain if we ever modify which sysctls we're setting?

We can but checking for directory existence is a lot cheaper than invoking a binary. I can make this change if you insist.

@robmry
Copy link
Contributor

robmry commented Nov 27, 2024
edited
Loading

We can but checking for directory existence is a lot cheaper than invoking a binary. I can make this change if you insist.

Thanks @sshedi - it's looking good. No need to make that change, it was just a thought.

I don't know what's going on with the tests yet, it doesn't look like anything to do with this PR though ...

Edit: it's a buildx regression, people who know-stuff are on the case!

@crazy-max
Copy link
Member

crazy-max commented Nov 27, 2024

Reverted the bump to latest Buildx stable for our actions in docker/actions-toolkit#508.

I triggered a re-run of failed jobs, should work now.

@robmry robmry requested a review from akerouanton November 27, 2024 11:29
thaJeztah
thaJeztah reviewed Nov 27, 2024
View reviewed changes
@sshedi
Fix br_netfilter module loading logic
264c15b 
Checking for `/proc/sys/net/bridge` directory alone is not enough to
decide if bridge, br_netfilter module to be loaded.
Check for specific file for br_netfilter module and then
do modprobe if the file is not found under `/proc/sys/net/bridge`

Loading br_netfilter implicitly loads bridge module.

fixes: moby#48948

Signed-off-by: Shreenidhi Shedi <[email protected]>
@sshedi sshedi requested a review from thaJeztah November 27, 2024 13:10
thaJeztah
thaJeztah approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@thaJeztah thaJeztah merged commit d58e56e into moby:master Nov 27, 2024
@thaJeztah thaJeztah mentioned this pull request Nov 27, 2024
Merged
@sshedi sshedi deleted the br_net-fix branch November 27, 2024 15:06
This was referenced Nov 29, 2024
Closed
Closed
This was referenced Nov 29, 2024
Merged
Merged
@thaJeztah thaJeztah mentioned this pull request Dec 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

@robmry robmry robmry approved these changes

@akerouanton akerouanton Awaiting requested review from akerouanton

Assignees

@sshedi sshedi

Labels

area/networking/d/bridge Networking area/networking/firewalling Networking area/networking Networking impact/changelog kind/bugfix PR's that fix bugs process/cherry-picked version/27.3

Projects

None yet

Milestone

28.0.0

Development

Successfully merging this pull request may close these issues.

br_netfilter module is not loaded by docker

4 participants

@sshedi @robmry @crazy-max @thaJeztah