Rootless setup: check for module nf_tables #49727
08e52ac to 153c124
```sh
iptables_module="nf_tables"
if [ -n "$(echo $iptables_version | grep "legacy" 2> /dev/null)" ]; then
iptables_module="ip_tables"
fi
```
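Review bot: in the `if` test, `echo $iptables_version` leaves the expansion unquoted, so the version string is word-split and glob-expanded before it reaches `grep`, and the test also costs a subshell and a pipe. A `case $iptables_version in *legacy*)` pattern match performs no word splitting on the case word and needs no external command, so it is the cleaner way to branch on the backend name; if the `grep` form is kept, quote the variable: `echo "$iptables_version"`.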
Probably don't need to grep here if we use a switch;
```diff
-iptables_module="nf_tables"
-if [ -n "$(echo $iptables_version | grep "legacy" 2> /dev/null)" ]; then
-iptables_module="ip_tables"
-fi
+case $iptables_version in
+*legacy*) iptables_module="ip_tables" ;;
+*) iptables_module="nf_tables" ;;
+esac
```
Un-done - now it's option 2!
Thanks! Yes, I wrote one, then wrote the other comment, it was possibly a bit confusing; we got there in the end ❤️
```sh
iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
iptables_version=""
if [ -n "$iptables_command" ]; then
iptables_version=$($iptables_command --version 2> /dev/null) || :
```
Actually; so iptables_version is only used to set iptables_module, correct? In that case, we could just put all here? Or won't that work?
```diff
-iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
-iptables_version=""
-if [ -n "$iptables_command" ]; then
-iptables_version=$($iptables_command --version 2> /dev/null) || :
+# Many OSs now use iptables-nft by default so, check for module nf_tables by default. But,
+# if "iptables --version" worked and reported "legacy", check for module ip_tables instead.
+iptables_module="nf_tables"
+iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
+if [ -n "$iptables_command" ]; then
+iptables_version=$($iptables_command --version 2> /dev/null) || :
+case $iptables_version in
+*legacy*) iptables_module="ip_tables" ;;
+esac
```
The first block (instruction: iptables dependency check) is working out whether there's an iptables command, and the second block (instruction: ip_tables module dependency check) works out whether the kernel module is loaded.
So, I thought it was best for the second block to use the command the first block found - rather than finding the command again, but maybe a bit differently.
If that makes sense (?) ... I'll swap the grep for case, as you suggest above.
I've taken option 1 ... can update again if needed!
Sorry - misread, this is the first block ... done now.
153c124 to ad177b4
CentOS 10 uses iptables-nft by default, and doesn't have kernel module ip_tables - so dockerd-rootless-setuptool.sh reports that the module is missing. It suggests installing it (which isn't needed), or using --skip-iptables (which disables iptables in daemon config).

So, unless "iptables --version" command reports "legacy", check for kernel module "nf_tables" instead of "ip_tables".

Signed-off-by: Rob Murray <[email protected]>
ad177b4 to f80feba
```sh
iptables_module="nf_tables"
iptables_command=$(PATH=$PATH:/sbin:/usr/sbin command -v iptables 2> /dev/null) || :
if [ -n "$iptables_command" ]; then
iptables_version=$($iptables_command --version 2> /dev/null) || :
case $iptables_version in
*legacy*) iptables_module="ip_tables" ;;
esac
faced_iptables_error=1
```
This sets faced_iptables_error=1 even when iptables are available
```console
$ iptables --version
iptables v1.8.10 (nf_tables)
$ curl https://get.docker.com/rootless | sh -
[ERROR] Missing system requirements. Run the following commands to
[ERROR] install the requirements and run this tool again.
[ERROR] Alternatively iptables checks can be disabled with --skip-iptables .
```
- What I did

CentOS 10 uses `iptables-nft` by default, and doesn't have kernel module ip_tables - so `dockerd-rootless-setuptool.sh` reports that the module is missing. It suggests installing it (which isn't needed), or using `--skip-iptables` (which disables iptables in daemon config).

- How I did it

Unless the `iptables --version` command reports `legacy`, check for kernel module `nf_tables` instead of `ip_tables`.

- How to verify it

Ran the install script on a CentOS Stream 10 VM, it worked normally with these changes.
(Not tested on RHEL10 as I don't have a license.)

On a Debian host, where I could switch between `iptables-nft` and `iptables-legacy` - with kernel module `ip_tables` unloaded ("rlk_setup.sh" was my modified version of the script) ...

Switched to iptables-nft, with `ip_tables` still not loaded, then ...

- Human readable description for the release notes
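The decision rule from this PR, as an added example that is not the moby script's own code: map the `iptables --version` output to the kernel module that backend needs (`legacy` means `ip_tables`, anything else, including no iptables binary at all, means `nf_tables`), then check whether that module is loaded. Reading `/proc/modules` for the presence check is an assumption made here for the example; `dockerd-rootless-setuptool.sh` may check differently. The `/proc/modules` listing used below is constructed, written to a temporary file, and mirrors the CentOS 10 situation from the description: `nf_tables` loaded, `ip_tables` absent.

```shell
#!/bin/sh
# Added example (not code from the moby PR): choose the kernel module the
# rootless setup check should look for and verify it is loaded.
# Assumption: module presence is read from a /proc/modules-style listing.

# Map an "iptables --version" string to the module the backend needs.
# Legacy builds need ip_tables; iptables-nft (and an empty string, i.e. no
# iptables binary found) default to nf_tables, matching the PR's rule.
iptables_module_for() {
	case "$1" in
	*legacy*) echo "ip_tables" ;;
	*) echo "nf_tables" ;;
	esac
}

# Return 0 if module $1 appears in listing $2 (default: the live /proc/modules).
# Each /proc/modules line starts with the module name followed by a space.
module_loaded() {
	mod="$1"
	listing="${2:-/proc/modules}"
	[ -r "$listing" ] || return 1
	grep -q "^${mod} " "$listing"
}

# Combine both steps: print the module name checked, exit 0 if it is loaded,
# 1 if it is missing (the case where the setup tool would report an error).
check_iptables_module() {
	version="$1"
	listing="${2:-/proc/modules}"
	mod=$(iptables_module_for "$version")
	echo "$mod"
	module_loaded "$mod" "$listing"
}

# Constructed /proc/modules content for an offline run: nf_tables is loaded,
# ip_tables is not. Field layout follows the real file (name size refcount deps ...).
SAMPLE_MODULES=$(mktemp)
cat > "$SAMPLE_MODULES" <<'EOF'
nf_tables 372736 105 nft_compat,nft_chain_nat, Live 0x0000000000000000
nf_conntrack 180224 1 nf_nat, Live 0x0000000000000000
x_tables 65536 2 nft_compat,xt_conntrack, Live 0x0000000000000000
EOF

# Run with --demo to see the three version strings classified against the sample.
if [ "${1:-}" = "--demo" ]; then
	for v in "iptables v1.8.10 (nf_tables)" "iptables v1.8.10 (legacy)" ""; do
		if mod=$(check_iptables_module "$v" "$SAMPLE_MODULES"); then
			printf '%-32s -> %s loaded\n' "'$v'" "$mod"
		else
			printf '%-32s -> %s missing\n' "'$v'" "$mod"
		fi
	done
fi
```

With the sample listing, the nf_tables build passes, the legacy build fails because `ip_tables` is not loaded (the pre-PR behaviour on CentOS 10 for every build), and an empty version string falls through to the `nf_tables` default. Point `check_iptables_module` at the real `/proc/modules` by omitting the second argument to check a live host.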