[27.x backport] Fix: setup user chains even if there are running containers #48714
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, the DOCKER-USER chains are set up on firewall reload or network creation. If there are running containers at startup, configureNetworking won"t be called (daemon/daemon_unix.go), so the user chains won"t be setup. This commit puts the setup logic on a separate function, and calls it on the original place and on initNetworkController. Signed-off-by: Andrés Maldonado <[email protected]> (cherry picked from commit a8bfa83) Signed-off-by: Rob Murray <[email protected]>
robmry
added
area/networking
kind/bugfix
akerouanton
approved these changes
Oct 21, 2024
austinvazquez
approved these changes
Oct 21, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #48560
Currently, the
DOCKER-USERchains are set up when the firewall is reloaded or when a network is created:moby/libnetwork/controller.go
Lines 709 to 715 in 4001d07
During a normal startup, the daemon creates the
bridgenetwork, so theDOCKER-USERchains are set up.But when
live-restoreis enabled, there may be running containers when the daemon starts. If that"s the case, theconfigureNetworkingfunction will not be called:moby/daemon/daemon_unix.go
Lines 848 to 852 in 4001d07
configureNetworkingcallsinitBridgeDriver, which callsNewNetwork, which callssetupUserChain, so ifconfigureNetworkingisn"t called the user chains won"t be set up.This is a problem if the iptables rules change while the daemon is stopped.
- What I did
I made sure the user chains are set up on startup, even if the
configureNetworkingfunction is not called- How I did it
I put the logic for setting up user chains for IPv4 and IPv6 in a separate function, which is called in the original place in
NewNetwork, but also ininitNetworkControllereven if there are running containers.- How to verify it
I still didn"t write an integration test, I"ll add it when I have some time.
To manually test:
dockerd --live-restoredocker run -d busybox sleep 300FORWARDchain:iptables -F FORWARDdockerd --live-restoreiptables -S FORWARD-A FORWARD -j DOCKER-USERshould be there- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)