• backport Try to load kernel modules, without modprobe #49038

- What I did

When running in a container (docker-in-docker), the host may not have required kernel modules loaded.

Try to trigger the module load using an ioctl() call, then modprobe if that doesn't work.

This should make IPv6 networks work in GitHub Codespaces / devcontainers:

• Load module ip6_tables to make docker --ipv6 networks work devcontainers/features#1206

This is based on the DinD official image's method of loading modules using ip link show, which was inspired by https://twitter.com/lucabruno/status/902934379835662336

- How I did it

• Replaced existing modprobe calls with the new method, supplying check functions to determine whether the load is necessary, or has been successful.
• Add a modprobe for ip6_tables.
• Remove modprobe calls from the moby dev-container's run script, and the Jenkinsfile - added as workarounds in:
  • Dev container: try to load kernel module ip6_tables #47960
  • Jenkinsfile: modprobe br_netfilter #48993

- How to verify it

On a Debian 12.5 host, running dockerd 27.3.1, with systemd ...

• With ip6_tables not loaded on the host (the host doesn't need it, because the daemon'sip6tables commands use a (deprecated) dbus interface to send raw firewall commands.
• Started a dev container with the updated code, the ip6_tables module wasn't loaded.
• Built the new dockerd and ran it, with ip6tables enabled by-default.
• The module was loaded on the host, and inner-docker logs showed module was loaded using the ioctl method:
  • DEBU[2024-12-05T11:30:36.095500049Z] Modules loaded loadErrors="<nil>" loader=ioctl modules=ip6_tables
• Restarted the inner docker, no load was attempted:
  • DEBU[2024-12-05T11:31:59.533424067Z] Modules already loaded modules=ip6_tables
• Ditto (both times) for the conntrack modules:
  • DEBU[2024-12-05T11:31:59.590301221Z] Modules already loaded modules="nf_conntrack,nf_conntrack_netlink"

To check error logging, and fallback to modprobe:

if err := modprobe.LoadModules(context.TODO(), func() error {
        return fmt.Errorf("no fruit")
}, "bananas", "apples", "oranges"); err != nil {
        log.G(context.Background()).WithError(err).Debug("Loading breakfast")
}

Resulted in:

DEBU[2024-12-05T11:55:32.007075924Z] Modules not loaded                            checkResult="no fruit" loadErrors="<nil>" loader=ioctl modules="bananas,apples,oranges"
DEBU[2024-12-05T11:55:32.007147257Z] Modules not loaded                            checkResult="no fruit" loadErrors="modprobe bananas failed with message: \"\", error: exec: \"modprobe\": executable file not found in $PATH\nmodprobe apples failed with message: \"\", error: exec: \"modprobe\": executable file not found in $PATH\nmodprobe oranges failed with message: \"\", error: exec: \"modprobe\": executable file not found in $PATH" loader=modprobe modules="bananas,apples,oranges"
DEBU[2024-12-05T11:55:32.007172382Z] Loading breakfast                             error="no fruit"

- Description for the changelog

- Attempt to load kernel modules, including `ip6_tables` and `br_netfilter` when required, using a
  method that is likely to succeed inside a docker-in-docker container.