Adjust iptables-legacy fallback implementation to use an image-provid…

…ed symlink farm instead of symlinking over package-provided files in /sbin/ at runtime
docker-library · Dec 15, 2023 · cadf44c · cadf44c
1 parent 2f5b0e6
commit cadf44c
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 36 deletions.
diff --git a/24/dind/Dockerfile b/24/dind/Dockerfile
diff --git a/24/dind/dockerd-entrypoint.sh b/24/dind/dockerd-entrypoint.sh
diff --git a/25-rc/dind/Dockerfile b/25-rc/dind/Dockerfile
diff --git a/25-rc/dind/dockerd-entrypoint.sh b/25-rc/dind/dockerd-entrypoint.sh
diff --git a/Dockerfile-dind.template b/Dockerfile-dind.template
@@ -9,9 +9,6 @@ RUN set -eux; \
 		e2fsprogs-extra \
 		ip6tables \
 		iptables \
-# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
-# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
-		iptables-legacy \
 		openssl \
 		shadow-uidmap \
 		xfsprogs \
@@ -28,6 +25,31 @@ RUN set -eux; \
 
 # TODO aufs-tools
 
+# dind might be used on systems where the nf_tables kernel module isn't available. In that case,
+# we need to switch over to xtables-legacy. See https://github.com/docker-library/docker/issues/463
+RUN set -eux; \
+	apk add --no-cache iptables-legacy; \
+# set up a symlink farm we can use PATH to switch to legacy with
+	mkdir -p /usr/local/sbin/.iptables-legacy; \
+# https://git.alpinelinux.org/aports/tree/main/iptables/APKBUILD?id=b215d54de159eacafecb13c68dfadce6eefd9ec9#n73
+	for f in \
+		iptables \
+		iptables-save \
+		iptables-restore \
+		ip6tables \
+		ip6tables-save \
+		ip6tables-restore \
+	; do \
+# "iptables-save" -> "iptables-legacy-save", "ip6tables" -> "ip6tables-legacy", etc.
+# https://pkgs.alpinelinux.org/contents?branch=v3.19&name=iptables-legacy&arch=x86_64
+		b="/sbin/${f/tables/tables-legacy}"; \
+		"$b" --version; \
+		ln -svT "$b" "/usr/local/sbin/.iptables-legacy/$f"; \
+	done; \
+# verify it works (and gets us legacy)
+	export PATH="/usr/local/sbin/.iptables-legacy:$PATH"; \
+	iptables --version | grep legacy
+
 # set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
 RUN set -eux; \
 	addgroup -S dockremap; \

diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
@@ -143,23 +143,17 @@ if [ "$1" = 'dockerd' ]; then
 	# XXX inject "docker-init" (tini) as pid1 to workaround https://github.com/docker-library/docker/issues/318 (zombie container-shim processes)
 	set -- docker-init -- "$@"
 
-	use_xtables_legacy=false
 	if ! iptables -nL > /dev/null 2>&1; then
-		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
+		# if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using xtables, for example)
 		# https://github.com/docker-library/docker/issues/350
 		# https://github.com/moby/moby/issues/26824
 		# https://github.com/docker-library/docker/pull/437#issuecomment-1854900620
 		if ! modprobe nf_tables; then
 			modprobe ip_tables || :
-			use_xtables_legacy=true
+			# see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
+			export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
 		fi
 	fi
-	if [ "$use_xtables_legacy" = "true" ]; then
-		ln -fs /sbin/iptables-legacy /sbin/iptables
-		# iptables-restore and iptables-save aren't used by dockerd currently, but let's not ship a half broken image.
-		ln -fs /sbin/iptables-legacy-restore /sbin/iptables-restore
-		ln -fs /sbin/iptables-legacy-save /sbin/iptables-save
-	fi
 
 	uid="$(id -u)"
 	if [ "$uid" != '0' ]; then