-
Notifications
You must be signed in to change notification settings - Fork 880
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
controller: Check if IPTables is enabled for arrangeUserFilterRule #2339
Conversation
Hey upstream, that would be great to have some feedback on that if you have a chance. I'd like to import this patch in Debian to solve https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903635. This bug is a blocker for buster release, because basically docker breaks the firewall of its users when they use iptables, and that's a serious problem. |
@elboulangero this should not break Debian anymore |
@arkodg Thanks for the pointer, I was not aware of that! The Debian bug related to the fix you mention is #921600, and I will close it then. However there's also #903635, which is really about |
This allows the `--iptables=false` argument to the `dockerd` to actually work. Signed-off-by: David O'Rourke <[email protected]>
Please sign your commits following these rules: $ git clone -b "iptables-check" [email protected]:phyber/libnetwork.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354571648
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f Amending updates the existing PR. You DO NOT need to open a new one. |
Signed-off-by: David O'Rourke <[email protected]>
I've moved the option check and if statement into the more appropriate I also don't know how to deal with the case where |
Service_linux.go below functions uses IPTables APIs that might create/update IPChain. with the PR, I don't think we are covering these code path. we might end up leaving the daemon iptable configuration in faulty state. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am really concerned with half fix. This will lead us into unexpected behavior when user start creating service/etc. just my 2 cents. |
@selansen can you pls explain your point more ? |
my point is there is few other places where we invoke iptable chain commands ( I mentioned files info in the previous comment) that are not covered as part of this fix. |
full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby#28689 Embedded DNS is case-sensitive - addresses moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby/moby#28689 Embedded DNS is case-sensitive - addresses moby/moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: 344b093258fcb2195fa393081e5224a6c766c798 Component: engine
full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby#28689 Embedded DNS is case-sensitive - addresses moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 344b093) Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby/moby#28689 Embedded DNS is case-sensitive - addresses moby/moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 344b093258fcb2195fa393081e5224a6c766c798) Signed-off-by: Sebastiaan van Stijn <[email protected]> Upstream-commit: f3e1aff81df959e9178433b77e7f3364c22aee59 Component: engine
This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config Signed-off-by: Arko Dasgupta <[email protected]>
This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config Addresses : docker/for-linux#810 Signed-off-by: Arko Dasgupta <[email protected]>
This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config Addresses : docker/for-linux#810 Signed-off-by: Arko Dasgupta <[email protected]>
This reverts commit 820deef, reversing changes made to 19e372a. Signed-off-by: Arko Dasgupta <[email protected]>
Revert "Merge pull request #2339 from phyber/iptables-check"
Revert "Merge pull request moby#2339 from phyber/iptables-check" (cherry picked from commit 90afbb0) Signed-off-by: Arko Dasgupta <[email protected]>
full diffs: - moby/libnetwork@fc5a7d9...62a13ae - vishvananda/netlink@b2de5d1...v1.0.0 - vishvananda/netns@604eaf1...13995c7 notable changes in libnetwork: - moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - moby/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby#28689 Embedded DNS is case-sensitive - addresses moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <[email protected]> Signed-off-by: zach <[email protected]>
This allows the
--iptables=false
argument to thedockerd
to work correctlyby checking if IPTables is enabled before creating the user filter rules
in the controller.
This probably fixes:
and possibly more. I didn't dig too deep.