Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

controller: Check if IPTables is enabled for arrangeUserFilterRule #2339

Merged
merged 2 commits into from
Jun 21, 2019

Conversation

phyber
Copy link
Contributor

@phyber phyber commented Feb 20, 2019

This allows the --iptables=false argument to the dockerd to work correctly
by checking if IPTables is enabled before creating the user filter rules
in the controller.

This probably fixes:

and possibly more. I didn't dig too deep.

@elboulangero
Copy link

Hey upstream, that would be great to have some feedback on that if you have a chance.

I'd like to import this patch in Debian to solve https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903635. This bug is a blocker for buster release, because basically docker breaks the firewall of its users when they use iptables, and that's a serious problem.

controller.go Outdated Show resolved Hide resolved
@arkodg
Copy link
Contributor

arkodg commented Apr 26, 2019

@elboulangero this should not break Debian anymore
5ce033c fixed the issue and it recently got vendored in via moby/moby@bcaa613

@elboulangero
Copy link

elboulangero commented Apr 29, 2019

5ce033c fixed the issue and it recently got vendored in via moby/moby@bcaa613

@arkodg Thanks for the pointer, I was not aware of that! The Debian bug related to the fix you mention is #921600, and I will close it then.

However there's also #903635, which is really about --iptables=false, and is what is discussed here.

This allows the `--iptables=false` argument to the `dockerd` to actually
work.

Signed-off-by: David O'Rourke <[email protected]>
@GordonTheTurtle
Copy link

Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "iptables-check" [email protected]:phyber/libnetwork.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354571648
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

@phyber
Copy link
Contributor Author

phyber commented Apr 29, 2019

I've moved the option check and if statement into the more appropriate firewall_linux.go.
However, I'm unable to add any tests because I simply cannot work out how this would even be tested.

I also don't know how to deal with the case where arrangeUserFilterRule is called as a function (rather than via the method on the controller), so there is a very real chance that dockerd will at some point still interfere with firewall rules.

@selansen
Copy link
Collaborator

selansen commented Apr 29, 2019

Service_linux.go below functions uses IPTables APIs that might create/update IPChain.
fwMarker()
redirector()
programIngress()

with the PR, I don't think we are covering these code path. we might end up leaving the daemon iptable configuration in faulty state.

Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
@mavenugo this should fix the issue for docker run, I've raised #2375 to add the extra fixes needed for docker service

@selansen
Copy link
Collaborator

I am really concerned with half fix. This will lead us into unexpected behavior when user start creating service/etc. just my 2 cents.

@mavenugo
Copy link
Contributor

mavenugo commented Jun 4, 2019

@selansen can you pls explain your point more ?
Setting --iptables=false on a specific node will certainly break many features especially those in swarm mode where the task placement will NOT consider the --iptables settings...
When the user sets this flag, I would assume that they know what they are doing and infact that is the case today.
Hence am trying to understand what you mean by "half fix" here .

@selansen
Copy link
Collaborator

selansen commented Jun 4, 2019

my point is there is few other places where we invoke iptable chain commands ( I mentioned files info in the previous comment) that are not covered as part of this fix.
If that code path gets executed , we will still have few ipchain insert on behalf of libnetwork which is not desirable. That made me to believe this is partial fix but not complete one.

@euanh euanh merged commit 820deef into moby:master Jun 21, 2019
thaJeztah added a commit to thaJeztah/docker that referenced this pull request Jun 25, 2019
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Jun 27, 2019
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby/moby#28689 Embedded DNS is case-sensitive
  - addresses moby/moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: 344b093258fcb2195fa393081e5224a6c766c798
Component: engine
thaJeztah added a commit to thaJeztah/docker that referenced this pull request Sep 16, 2019
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 344b093)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-jenkins pushed a commit to docker-archive/docker-ce that referenced this pull request Sep 17, 2019
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby/moby#28689 Embedded DNS is case-sensitive
  - addresses moby/moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 344b093258fcb2195fa393081e5224a6c766c798)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Upstream-commit: f3e1aff81df959e9178433b77e7f3364c22aee59
Component: engine
arkodg pushed a commit to arkodg/libnetwork that referenced this pull request Oct 9, 2019
This PR fixes the regression introduced by
moby#2339 to
correctly insert the DOCKER-USER chain if iptables=true
is set in the Daemon config

Signed-off-by: Arko Dasgupta <[email protected]>
arkodg pushed a commit to arkodg/libnetwork that referenced this pull request Oct 9, 2019
This PR fixes the regression introduced by
moby#2339 to
correctly insert the DOCKER-USER chain if iptables=true
is set in the Daemon config

Addresses : docker/for-linux#810

Signed-off-by: Arko Dasgupta <[email protected]>
arkodg pushed a commit to arkodg/libnetwork that referenced this pull request Oct 11, 2019
This PR fixes the regression introduced by
moby#2339 to
correctly insert the DOCKER-USER chain if iptables=true
is set in the Daemon config

Addresses : docker/for-linux#810

Signed-off-by: Arko Dasgupta <[email protected]>
arkodg pushed a commit to arkodg/libnetwork that referenced this pull request Oct 11, 2019
This reverts commit 820deef, reversing
changes made to 19e372a.
arkodg pushed a commit to arkodg/libnetwork that referenced this pull request Oct 11, 2019
This reverts commit 820deef, reversing
changes made to 19e372a.

Signed-off-by: Arko Dasgupta <[email protected]>
selansen added a commit that referenced this pull request Oct 11, 2019
Revert "Merge pull request #2339 from phyber/iptables-check"
arkodg pushed a commit to arkodg/libnetwork that referenced this pull request Oct 11, 2019
Revert "Merge pull request moby#2339 from phyber/iptables-check"

(cherry picked from commit 90afbb0)
Signed-off-by: Arko Dasgupta <[email protected]>
burnMyDread pushed a commit to burnMyDread/moby that referenced this pull request Oct 21, 2019
full diffs:

- moby/libnetwork@fc5a7d9...62a13ae
- vishvananda/netlink@b2de5d1...v1.0.0
- vishvananda/netns@604eaf1...13995c7

notable changes in libnetwork:

- moby/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- moby/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
  - addresses moby/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
  - addresses moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
  - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- moby/libnetwork#2394 Make DNS records and queries case-insensitive
  - addresses moby#28689 Embedded DNS is case-sensitive
  - addresses moby#21169 hostnames with new networking are case-sensitive

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: zach <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants