Skip to content

daemon: info: remove bridge-nf-call-iptables / ip6tables warnings#49089

Merged
thaJeztah merged 1 commit intomoby:masterfrom
thaJeztah:no_netfilter_warnings
Dec 13, 2024
Merged

daemon: info: remove bridge-nf-call-iptables / ip6tables warnings#49089
thaJeztah merged 1 commit intomoby:masterfrom
thaJeztah:no_netfilter_warnings

Conversation

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Dec 13, 2024
edited
Loading

relates to:

daemon: info: remove bridge-nf-call-iptables / ip6tables warnings

Historically, the bridge network-driver would detect whether netfiltering was enabled in the kernel or, if disabled, try to do a modprobe when initializing the driver. This approach became problematic, as loading the module was not always performed at startup depending on daemon configuration, or the daemon may have failed to load the module. The /info response would include a warning to inform the user that some functionality may not be available;

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Starting with db25b0d, detecting whether netfiltering is enabled now happens when needed, which was further improved on to not depend on modprobe in 264c15b and 4740820.

Because of the above, the /info output would now return warnings in any situation where netfiltering was not enabled on the host before the daemon started, which may be either incorrect (i.e., the module may have been loaded afterwards), or irrelevant, because netfiltering is not needed in all situations.

This patch removes the warnings from the /info response,

- Description for the changelog

* `docker info` and the corresponding `GET /info` API endpoint no longer include
  warnings when `bridge-nf-call-iptables` or `bridge-nf-call-ip6tables` are
  disabled at the daemon is started. The `br_netfilter` kernel module is now
  attempted to be loaded when needed, which made those warnings inaccurate.

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah
daemon: info: remove bridge-nf-call-iptables / ip6tables warnings
5c35874 
Historically, the `bridge` network-driver would detect whether netfiltering
was enabled in the kernel or, if disabled, try to do a `modprobe` when
initializing the driver. This approach became problematic, as loading the
module was not always performed  at startup depending on daemon configuration,
or the daemon may have failed to load the module. The `/info` response
would include a warning  to inform the user that some functionality may not
be available;

    WARNING: bridge-nf-call-iptables is disabled
    WARNING: bridge-nf-call-ip6tables is disabled

Starting with db25b0d, detecting whether
netfiltering  is enabled now [happens when needed][1], which was further improved
on to not depend  on `modprobe` in 264c15b and
4740820.

Because of the above, the `/info` output would now return warnings in any
situation where netfiltering was not enabled on the host before the daemon
started, which may be either _incorrect_ (i.e., the module may have been
loaded afterwards), or irrelevant, because netfiltering is not needed in
all situations.

This patch removes the warnings from the `/info` response,

[1]: https://github.com/moby/moby/blob/944e40350259f040950d871d402d848ff2a799bc/libnetwork/drivers/bridge/setup_bridgenetfiltering.go#L16-L77

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah added area/api API status/2-code-review kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. area/networking Networking impact/api impact/changelog process/cherry-pick/27.x labels Dec 13, 2024
@thaJeztah thaJeztah added this to the 28.0.0 milestone Dec 13, 2024
@thaJeztah thaJeztah self-assigned this Dec 13, 2024
@thaJeztah thaJeztah mentioned this pull request Dec 13, 2024
Merged
@thaJeztah thaJeztah mentioned this pull request Dec 13, 2024
Merged
@thaJeztah
Copy link
Member Author

thaJeztah commented Dec 13, 2024

I have some follow-ups for v28.0 to deprecate these fields, but will work on those later

@thaJeztah thaJeztah merged commit 1e033e2 into moby:master Dec 13, 2024
@thaJeztah thaJeztah deleted the no_netfilter_warnings branch December 13, 2024 11:09
This was referenced Dec 14, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@akerouanton akerouanton akerouanton approved these changes

@vvoland vvoland vvoland approved these changes

Assignees

@thaJeztah thaJeztah

Labels

area/api API area/networking Networking impact/api impact/changelog kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. process/cherry-picked status/2-code-review

Projects

None yet

Milestone

28.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@thaJeztah @akerouanton @vvoland