Skip to content

[27.x] Revert "Fix br_netfilter module loading logic"#48991

Closed
thaJeztah wants to merge 2 commits intomoby:27.xfrom
thaJeztah:27.x_revert_backport_br_net-fix
Closed

[27.x] Revert "Fix br_netfilter module loading logic"#48991
thaJeztah wants to merge 2 commits intomoby:27.xfrom
thaJeztah:27.x_revert_backport_br_net-fix

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Nov 29, 2024
edited
Loading

This reverts commit 052f7d6.

- What I did

- How I did it

- How to verify it

- Description for the changelog



- A picture of a cute animal (not mandatory but encouraged)

    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



                    

          
        





  





    



      

  
        

  

      

  
  

  
          

  

    

      


  

      
        @thaJeztah
  




      

        
          Revert "Fix br_netfilter module loading logic"
        

          
                        
      


      

        

    
    
    

  

    


      


      

        

          

    
    
    

  

  

    
  



        

      


      

        
          b6fe4c9
        
      

    

  

    

      
This reverts commit 052f7d6.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

    







  








      

  
            

    

      
    

    


      


          @thaJeztah
thaJeztah




          added this to the 
  27.4.0 milestone


      Nov 29, 2024

    

  








      

  
      



  

  @thaJeztah






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
  Member


        

  Author


    

  


  

    

      
          
      

      
            thaJeztah
  

      

      

      commented


        Nov 29, 2024


      
    


  





      


        



  
    

      
          
OK, reverting makes no difference;


[2024-11-29T19:30:15.383Z] === Failed
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestCreateFullOptions (0.04s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:30Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     bridge_linux_test.go:280: Failed to create bridge: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestCreateMultipleNetworks (0.04s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:30Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     bridge_linux_test.go:477: Failed to create bridge: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestQueryEndpointInfo (0.09s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:30Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     bridge_linux_test.go:697: Failed to create bridge: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestQueryEndpointInfoHairpin (0.04s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:30Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     bridge_linux_test.go:697: Failed to create bridge: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestLinkContainers (0.04s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:30Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     bridge_linux_test.go:799: Failed to create bridge: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestPortMappingConfig (0.04s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:30Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     port_mapping_linux_test.go:52: Failed to create bridge: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestPortMappingV6Config (0.08s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:30Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     port_mapping_linux_test.go:137: Failed to create bridge: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/masquerade_disabled,_no_host_IP (0.08s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/masquerade_disabled,_with_host_IP (0.08s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/IPv4_masquerade,_IPv6_disabled (0.10s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/IPv4_SNAT,_IPv6_disabled (0.05s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/IPv4_masquerade,_IPv6_masquerade (0.09s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/IPv4_masquerade,_IPv6_SNAT (0.09s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/IPv4_SNAT,_IPv6_masquerade (0.09s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules/IPv4_SNAT,_IPv6_SNAT (0.09s)
[2024-11-29T19:30:15.383Z] time="2024-11-29T19:27:33Z" level=error msg="Running modprobe bridge br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
[2024-11-29T19:30:15.383Z]     setup_ip_tables_linux_test.go:346: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] === FAIL: libnetwork/drivers/bridge TestOutgoingNATRules (1.00s)
[2024-11-29T19:30:15.383Z] 
[2024-11-29T19:30:15.383Z] DONE 524 tests, 2 skipped, 16 failures in 227.190s



      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
        

  

      

  
  

  
          

  

    

      


  

      
        @thaJeztah
  




      

        
          Revert "Only enable bridge netfiltering when needed"
        

          
                        
      


      

        

    
    
    

  

    


      


      

        

          

    
    
    

  

  

    
  



        

      


      

        
          acaae24
        
      

    

  

    

      
This reverts commit 5c499fc.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

    







  








      

  
      



  

  @thaJeztah






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
  Member


        

  Author


    

  


  

    

      
          
      

      
            thaJeztah
  

      

      

      commented


        Nov 29, 2024


      
    


  





      


        



  
    

      
          
Let me try also reverting #48511 (although there still was a modprobe  before that


      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
      



  

  @thaJeztah






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
  Member


        

  Author


    

  


  

    

      
          
      

      
            thaJeztah
  

      

      

      commented


        Nov 29, 2024


      
    


  





      


        



  
    

      
          
Code before that was added in 52da8bd, so I doubt that reverting that last one helps


      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
      



  

  @thaJeztah






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
  Member


        

  Author


    

  


  

    

      
          
      

      
            thaJeztah
  

      

      

      commented


        Nov 29, 2024


      
  

  

    
      

        
          edited
          
        
        
      

    
    
      
  
        
      Loading


  
    
  



    


  





      


        



  
    

      
          
Here's the info from CI in this branch;


+ docker version
Client: Docker Engine - Community
 Version:           27.3.1
 API version:       1.47
 Go version:        go1.22.7
 Git commit:        ce12230
 Built:             Fri Sep 20 11:41:00 2024
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.3.1
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.7
  Git commit:       41ca978
  Built:            Fri Sep 20 11:41:00 2024
  OS/Arch:          linux/arm64
  Experimental:     true
 containerd:
  Version:          1.7.24
  GitCommit:        88bf19b2105c8b17560993bee28a01ddc2f97182
 runc:
  Version:          1.2.2
  GitCommit:        v1.2.2-0-g7cb3632
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0



 + docker info
Client: Docker Engine - Community
 Version:    27.3.1
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.19.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.31.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 5
 Server Version: 27.3.1
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 88bf19b2105c8b17560993bee28a01ddc2f97182
 runc version: v1.2.2-0-g7cb3632
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
 Kernel Version: 5.15.0-1072-aws
 Operating System: Ubuntu 20.04.6 LTS
 OSType: linux
 Architecture: aarch64
 CPUs: 8
 Total Memory: 30.64GiB
 Name: ip-10-100-41-226
 ID: 05ff8962-93e4-4810-8cf7-886d12bfc88e
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled



+ echo check-config.sh version: 33a3680e08d1007e72c3b3f1454f823d8e9948ee
check-config.sh version: 33a3680e08d1007e72c3b3f1454f823d8e9948ee
+ curl -fsSL -o /home/ubuntu/workspace/moby_PR-48991/check-config.sh https://raw.githubusercontent.com/moby/moby/33a3680e08d1007e72c3b3f1454f823d8e9948ee/contrib/check-config.sh
+ bash /home/ubuntu/workspace/moby_PR-48991/check-config.sh
warning: /proc/config.gz does not exist, searching other paths for kernel config ...
info: reading kernel config from /boot/config-5.15.0-1072-aws ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MARK: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_SECCOMP_FILTER: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
    (cgroup swap accounting is currently enabled)
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: enabled
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: missing
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_SECURITY_SELINUX: enabled
- CONFIG_SECURITY_APPARMOR: enabled
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
    - CONFIG_BRIDGE_VLAN_FILTERING: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled (as module)
      - CONFIG_XFRM_ALGO: enabled (as module)
      - CONFIG_INET_ESP: enabled (as module)
  - "ipvlan":
    - CONFIG_IPVLAN: enabled (as module)
  - "macvlan":
    - CONFIG_MACVLAN: enabled (as module)
    - CONFIG_DUMMY: enabled (as module)
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_FTP: enabled (as module)
    - CONFIG_NF_NAT_TFTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: enabled (as module)
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled (as module)
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled
    - CONFIG_DM_THIN_PROVISIONING: enabled (as module)
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)
  - "zfs":
    - /dev/zfs: present
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

+ true



      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
      



  

  @thaJeztah






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
  Member


        

  Author


    

  


  

    

      
          
      

      
            thaJeztah
  

      

      

      commented


        Nov 29, 2024


      
    


  





      


        



  
    

      
          
reverting #48511 DOES make CI pass with 2 failures remaining, BUT that PR was already part of Docker v27.3.0.


	if config.EnableIPTables || config.EnableIP6Tables {
		if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
			if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
				log.G(context.TODO()).Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
			}
		}
	}


=== RUN   TestAccessPublishedPortFromCtr
--- FAIL: TestAccessPublishedPortFromCtr (8.22s)

=== RUN   TestAccessPublishedPortFromCtr/no-proxy
    port_mapping_linux_test.go:103: assertion failed: string "Connecting to 172.17.0.2:32768 (172.17.0.2:32768)\n" does not contain "404 Not Found"
    --- FAIL: TestAccessPublishedPortFromCtr/no-proxy (6.48s)



☝️ reverting that PR may just be masking the issue, because before that PR we did not error, only log failures, and downloading logs from CI confirms that;


grep -r 'Running modprobe bridge br_netfilter failed with message' | wc -l
     207



./TestDockerNetworkMacvlanPersistence/de7d0afe59756/docker.log:time="2024-11-29T20:07:32.928167012Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"
./TestDockerNetworkMacvlanPersistence/de7d0afe59756/docker.log:time="2024-11-29T20:07:33.530959302Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"
./TestRunContainerWithBridgeNone/dbdebc7c38b11/docker.log:time="2024-11-29T20:06:05.202373246Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"
./TestBridgeINC/d3f6ba8ed106d/docker.log:time="2024-11-29T20:08:21.950966892Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"
./TestAuthZPluginErrorResponse/d6fd695af1ab4/docker.log:time="2024-11-29T20:09:54.860860147Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"
./TestNetworkStateCleanupOnDaemonStart/db0de0b1f6e0c/docker.log:time="2024-11-29T20:04:47.147217929Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"
./TestNetworkStateCleanupOnDaemonStart/db0de0b1f6e0c/docker.log:time="2024-11-29T20:04:58.538404376Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"
./TestPortMappedHairpin/d82dd37c321f4/docker.log:time="2024-11-29T20:09:00.034959622Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"



So, the dev-shell on my local machine;


"old" check (before #48960);


ls -la /proc/sys/net/bridge
total 0
dr-xr-xr-x 1 root root 0 Nov 29 20:17 .
dr-xr-xr-x 1 root root 0 Nov 29 20:14 ..
-rw-r--r-- 1 root root 0 Nov 29 20:17 bridge-nf-call-arptables
-rw-r--r-- 1 root root 0 Nov 29 20:17 bridge-nf-call-ip6tables
-rw-r--r-- 1 root root 0 Nov 29 20:17 bridge-nf-call-iptables
-rw-r--r-- 1 root root 0 Nov 29 20:17 bridge-nf-filter-pppoe-tagged
-rw-r--r-- 1 root root 0 Nov 29 20:17 bridge-nf-filter-vlan-tagged
-rw-r--r-- 1 root root 0 Nov 29 20:17 bridge-nf-pass-vlan-input-dev


"new" check (after #48960);


cat /proc/sys/net/bridge/bridge-nf-call-iptables
1


However, modprobe is not installed in the dev-container, so CI wouldn't be able to use it;


command -v modprobe


To get modprobe, I need to install the kmod package;


apt-get install kmod
...
...
Preparing to unpack .../kmod_30+20221128-1_arm64.deb ...
Unpacking kmod (30+20221128-1) ...
Setting up kmod (30+20221128-1) ...

command -v modprobe
/usr/sbin/modprobe


      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
      



  

  @thaJeztah






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
  Member


        

  Author


    

  


  

    

      
          
      

      
            thaJeztah
  

      

      

      commented


        Nov 29, 2024


      
    


  





      


        



  
    

      
          
Here's CI information from an older PR which ran on the nodes before updating; note that the docker info does NOT show the "WARNING: bridge-nf-call-iptables is disabled" and "WARNING: bridge-nf-call-ip6tables is disabled" warnings;


+ docker version
Client: Docker Engine - Community
 Version:           27.1.1
 API version:       1.46
 Go version:        go1.21.12
 Git commit:        6312585
 Built:             Tue Jul 23 19:59:27 2024
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.1.1
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.12
  Git commit:       cc13f95
  Built:            Tue Jul 23 19:59:27 2024
  OS/Arch:          linux/arm64
  Experimental:     true
 containerd:
  Version:          1.7.20
  GitCommit:        8fc6bcff51318944179630522a095cc9dbf9f353
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0



 + docker info
 Client: Docker Engine - Community
  Version:    27.1.1
  Context:    default
  Debug Mode: false
  Plugins:
   buildx: Docker Buildx (Docker Inc.)
     Version:  v0.16.2
     Path:     /usr/libexec/docker/cli-plugins/docker-buildx
   compose: Docker Compose (Docker Inc.)
     Version:  v2.29.1
     Path:     /usr/libexec/docker/cli-plugins/docker-compose
 
 Server:
  Containers: 0
   Running: 0
   Paused: 0
   Stopped: 0
  Images: 1
  Server Version: 27.1.1
  Storage Driver: overlay2
   Backing Filesystem: extfs
   Supports d_type: true
   Using metacopy: false
   Native Overlay Diff: true
   userxattr: false
  Logging Driver: json-file
  Cgroup Driver: cgroupfs
  Cgroup Version: 1
  Plugins:
   Volume: local
   Network: bridge host ipvlan macvlan null overlay
   Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
  Swarm: inactive
  Runtimes: io.containerd.runc.v2 runc
  Default Runtime: runc
  Init Binary: docker-init
  containerd version: 8fc6bcff51318944179630522a095cc9dbf9f353
  runc version: v1.1.13-0-g58aa920
  init version: de40ad0
  Security Options:
   apparmor
   seccomp
    Profile: builtin
  Kernel Version: 5.15.0-1067-aws
  Operating System: Ubuntu 20.04.6 LTS
  OSType: linux
  Architecture: aarch64
  CPUs: 8
  Total Memory: 30.64GiB
  Name: ip-10-100-68-220
  ID: af91febd-6fe4-445f-93ad-3985858ef489
  Docker Root Dir: /var/lib/docker
  Debug Mode: false
  Experimental: true
  Insecure Registries:
   127.0.0.0/8
  Live Restore Enabled: true




+ echo check-config.sh version: 33a3680e08d1007e72c3b3f1454f823d8e9948ee
check-config.sh version: 33a3680e08d1007e72c3b3f1454f823d8e9948ee
+ curl -fsSL -o /home/ubuntu/workspace/moby_PR-48950/check-config.sh https://raw.githubusercontent.com/moby/moby/33a3680e08d1007e72c3b3f1454f823d8e9948ee/contrib/check-config.sh
+ bash /home/ubuntu/workspace/moby_PR-48950/check-config.sh
warning: /proc/config.gz does not exist, searching other paths for kernel config ...
info: reading kernel config from /boot/config-5.15.0-1067-aws ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- apparmor: enabled and tools installed
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MARK: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_SECCOMP_FILTER: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: enabled
    (cgroup swap accounting is currently enabled)
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: enabled
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: missing
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_SECURITY_SELINUX: enabled
- CONFIG_SECURITY_APPARMOR: enabled
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
    - CONFIG_BRIDGE_VLAN_FILTERING: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled (as module)
      - CONFIG_XFRM_ALGO: enabled (as module)
      - CONFIG_INET_ESP: enabled (as module)
  - "ipvlan":
    - CONFIG_IPVLAN: enabled (as module)
  - "macvlan":
    - CONFIG_MACVLAN: enabled (as module)
    - CONFIG_DUMMY: enabled (as module)
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_FTP: enabled (as module)
    - CONFIG_NF_NAT_TFTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: enabled (as module)
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled (as module)
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled
    - CONFIG_DM_THIN_PROVISIONING: enabled (as module)
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)
  - "zfs":
    - /dev/zfs: present
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

+ true



      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
      



  

  @thaJeztah






  



    

      

  

    

      

          
    
    

  


        
            
  
      
              Copy link

  

              
  
      
                Copy Markdown

  

        
      

    


    

        

  
  Member


        

  Author


    

  


  

    

      
          
      

      
            thaJeztah
  

      

      

      commented


        Nov 29, 2024


      
    


  





      


        



  
    

      
          
It's odd though, because the check-config script shows;


- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)



Trying too load the module in jenkins shows;


modprobe -va br_netfilter
insmod /lib/modules/5.15.0-1072-aws/kernel/net/bridge/br_netfilter.ko 


But /proc/sys/net/bridge does not exist. There is a netfilter though;


ls -la /proc/sys/net/
total 0
dr-xr-xr-x 1 root root 0 Nov 29 18:57 .
dr-xr-xr-x 1 root root 0 Nov 29 18:57 ..
dr-xr-xr-x 1 root root 0 Nov 29 18:57 core
dr-xr-xr-x 1 root root 0 Nov 29 19:52 fan
dr-xr-xr-x 1 root root 0 Nov 29 18:57 ipv4
dr-xr-xr-x 1 root root 0 Nov 29 18:57 ipv6
dr-xr-xr-x 1 root root 0 Nov 29 19:52 mptcp
dr-xr-xr-x 1 root root 0 Nov 29 18:57 netfilter
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_max
dr-xr-xr-x 1 root root 0 Nov 29 19:52 sctp
dr-xr-xr-x 1 root root 0 Nov 29 18:57 unix

ls -la /proc/sys/net/netfilter
total 0
dr-xr-xr-x 1 root root 0 Nov 29 18:57 .
dr-xr-xr-x 1 root root 0 Nov 29 18:57 ..
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_acct
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_buckets
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_checksum
-r--r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_count
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_loose
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_timeout_closereq
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_timeout_closing
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_timeout_open
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_timeout_partopen
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_timeout_request
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_timeout_respond
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_dccp_timeout_timewait
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_events
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_expect_max
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_frag6_high_thresh
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_frag6_low_thresh
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_frag6_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_generic_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_gre_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_gre_timeout_stream
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_helper
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_icmp_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_icmpv6_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_log_invalid
-rw-r--r-- 1 root root 0 Nov 29 18:57 nf_conntrack_max
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_closed
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_cookie_echoed
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_cookie_wait
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_established
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_heartbeat_sent
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_shutdown_ack_sent
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_shutdown_recd
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_sctp_timeout_shutdown_sent
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_be_liberal
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_ignore_invalid_rst
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_loose
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_max_retrans
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_close
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_close_wait
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_established
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_fin_wait
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_last_ack
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_max_retrans
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_syn_recv
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_syn_sent
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_time_wait
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_tcp_timeout_unacknowledged
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_timestamp
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_udp_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_conntrack_udp_timeout_stream
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_flowtable_tcp_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_flowtable_udp_timeout
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_hooks_lwtunnel
dr-xr-xr-x 1 root root 0 Nov 29 19:52 nf_log
-rw-r--r-- 1 root root 0 Nov 29 19:52 nf_log_all_netns





      		
    

  





        


            

            
            

              
            

        

      


      

            
  
  

    
  
    
    

  

  

  


    












      

  
          

  

    
  


  

      


    @thaJeztah
thaJeztah



    mentioned this pull request
    
      Nov 29, 2024
    





  


  

      
   Merged

  







  




    

    

      
    

    


      


          @thaJeztah
thaJeztah




          closed this


      Nov 30, 2024

    

  


    


  

  
  

  
      @thaJeztah
  thaJeztah


    
    deleted the
    
      
        27.x_revert_backport_br_net-fix
    
    branch

    November 30, 2024 11:01    
    













  
  

    

      

  










  








  
      

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  










      

  

    
    

    

  

    Reviewers
  


    

    No reviews






    
    
    

    

  


      
  

    Assignees
  



        


    No one assigned







      


  


  

    Labels
  



    

    None yet







      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      
    
  
    27.4.0
  





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
        

  

    

      1 participant
    

    

        
          @thaJeztah