Skip to content

[27.x backport] Allow users to ignore missing br_netfilter#49306

Merged
thaJeztah merged 1 commit intomoby:27.xfrom
thaJeztah:27.x_backport_49240_ignore_br_netfilter_error
Jan 20, 2025
Merged

[27.x backport] Allow users to ignore missing br_netfilter#49306
thaJeztah merged 1 commit intomoby:27.xfrom
thaJeztah:27.x_backport_49240_ignore_br_netfilter_error

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented Jan 20, 2025

Add a workaround for users wanting to run with br_netfilter unloaded when it's needed.

Since commit 0f8fc31, the bridge driver will try to load kernel module br_netfilter if the userland proxy is disabled. If it fails, we're in unknown territory, so it's treated as an error. At the very least, containers will not be able to access host ports mapped to other containers in the same network.

Before that, and before commit 5c499fc delayed the module load until it was needed - it was loaded unconditionally, but errors were only logged.

So, on systems where the module is not available, or could not be loaded/configured, no error was reported and things "worked" (as long as you didn't try to use something that didn't work).

- How I did it

That behaviour has been useful to some. So, make it possible to ignore the problem by setting env var: DOCKER_IGNORE_BR_NETFILTER_ERROR=1.

- How to verify it

  • unloaded br_netfilter and moved aside br_netfilter.ko so that it couldn't be reloaded
  • set "userland-proxy": false
  • checked the daemon wouldn't start
DEBU[2025-01-18T11:57:21.866523729Z] Modules not loaded                            checkResult="stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory" loadErrors="<nil>" loader=ioctl modules="[br_netfilter]"
DEBU[2025-01-18T11:57:21.868739448Z] Modules not loaded                            checkResult="stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory" loadErrors="modprobe br_netfilter failed with message: \"modprobe: ERROR: could not insert 'br_netfilter': Unknown symbol in module, or unknown parameter (see dmesg)\\ninsmod /lib/modules/6.1.0-18-amd64/kernel/net/bridge/br_netfilter.ko\", error: exit status 1" loader=modprobe modules="[br_netfilter]"
DEBU[2025-01-18T11:57:21.868849544Z] releasing IPv4 pools from network bridge (4cd4e4e505a4f9876c4340ceb0c04e8e62e7e56abeff445b82908e115c0de2d1)
DEBU[2025-01-18T11:57:21.868862489Z] ReleaseAddress(LocalDefault/172.17.0.0/16, 172.17.0.1)
DEBU[2025-01-18T11:57:21.868883158Z] Released address Address:172.17.0.1 Sequence:Bits: 65536, Unselected: 65534, Sequence: (0x80000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:0
DEBU[2025-01-18T11:57:21.868888024Z] ReleasePool(LocalDefault/172.17.0.0/16)
DEBU[2025-01-18T11:57:21.868929270Z] daemon configured with a 15 seconds minimum shutdown timeout
DEBU[2025-01-18T11:57:21.868937099Z] start clean shutdown of all containers with a 15 seconds timeout...
DEBU[2025-01-18T11:57:21.870338585Z] Unix socket /var/run/docker/libnetwork/fb21ef685198.sock was closed. The external key listener will stop.
DEBU[2025-01-18T11:57:21.870511438Z] Cleaning up old mountid : start.
DEBU[2025-01-18T11:57:21.870733127Z] Cleaning up old mountid : done.
failed to start daemon: Error initializing network controller: error creating default "bridge" network: cannot restrict inter-container communication or run without the userland proxy: stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory: set environment variable DOCKER_IGNORE_BR_NETFILTER_ERROR=1 to ignore
  • export DOCKER_IGNORE_BR_NETFILTER_ERROR=1
  • the daemon started with logs ...
DEBU[2025-01-18T11:58:03.724166300Z] Modules not loaded                            checkResult="stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory" loadErrors="<nil>" loader=ioctl modules="[br_netfilter]"
DEBU[2025-01-18T11:58:03.726415506Z] Modules not loaded                            checkResult="stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory" loadErrors="modprobe br_netfilter failed with message: \"modprobe: ERROR: could not insert 'br_netfilter': Unknown symbol in module, or unknown parameter (see dmesg)\\ninsmod /lib/modules/6.1.0-18-amd64/kernel/net/bridge/br_netfilter.ko\", error: exit status 1" loader=modprobe modules="[br_netfilter]"
WARN[2025-01-18T11:58:03.726479764Z] Continuing without enabling br_netfilter      error="cannot restrict inter-container communication or run without the userland proxy: stat /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory"

- Description for the changelog

- On a host that cannot load the `br_netfilter` module when it's needed, set environment variable
  `DOCKER_IGNORE_BR_NETFILTER_ERROR=1` to ignore the problem.
  - Some things won't work! Including disabling inter-container communication in a bridge network
    and, with the userland proxy disabled, it won't be possible to access one container's published
    ports from another container on the same network.

@robmry @thaJeztah
Allow users to ignore missing br_netfilter
ad04c7b 
Since commit 0f8fc31, the bridge driver will try to load kernel
module br_netfilter if the userland proxy is disabled. If it fails,
we're in unknown territory, so it's treated as an error. At the
very least, containers will not be able to access host ports
mapped to other containers in the same network.

Before that, and before commit 5c499fc delayed the module load
until it was needed - it was loaded unconditionally, but errors
were only logged.

So, on systems where the module is not available, or could not be
loaded/configured, no error was reported and things "worked" (as
long as you didn't try to use something that didn't work).

That behaviour has been useful to some. So, make it possible to
ignore the problem by setting env var:
  DOCKER_IGNORE_BR_NETFILTER_ERROR=1

Signed-off-by: Rob Murray <[email protected]>
(cherry picked from commit e7bd60e)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah added this to the 27.5.1 milestone Jan 20, 2025
@thaJeztah thaJeztah requested a review from robmry January 20, 2025 09:25
@thaJeztah thaJeztah self-assigned this Jan 20, 2025
@thaJeztah thaJeztah added the kind/bugfix PR's that fix bugs label Jan 20, 2025
robmry
robmry approved these changes Jan 20, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@robmry robmry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, thank you for doing this! LGTM.

@thaJeztah thaJeztah merged commit 0d4f27d into moby:27.x Jan 20, 2025
@thaJeztah thaJeztah deleted the 27.x_backport_49240_ignore_br_netfilter_error branch January 20, 2025 11:37
@renovate-rancher renovate-rancher bot mentioned this pull request Mar 26, 2025
Open
1 task
This was referenced Mar 29, 2025
Open
Open
Open
@MahdiSahebZamani MahdiSahebZamani mentioned this pull request Aug 5, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robmry robmry robmry approved these changes

Assignees

@thaJeztah thaJeztah

Labels

area/networking/d/bridge Networking area/networking Networking impact/changelog kind/bugfix PR's that fix bugs status/2-code-review

Projects

None yet

Milestone

27.5.1

Development

Successfully merging this pull request may close these issues.

2 participants

@thaJeztah @robmry