[master] deb,rpm: add kmod as recommended dependency to provide modprobe #1118

Merged: 1 commit, Dec 4, 2024


thaJeztah
Member

Depending on the host configuration, the br_netfilter module may not be loaded by default. In this situation, docker will try to load the module through modprobe.

Older versions of docker would silently ignore failing to do so, log a message, and continue;

    time="2024-11-29T20:04:58.538404376Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"

However, starting with db25b0dcd0461802289e962aa0df3abd323d1994 and 264c15bfc427d1321c5b302e48e16d113b06ef92, we now produce an error:

    === FAIL: libnetwork/drivers/bridge TestCreateFullOptions (0.04s)
    time="2024-11-29T19:03:44Z" level=error msg="Running modprobe br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
        bridge_linux_test.go:280: Failed to create bridge: loadBridgeNetFilterModule failed: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH

This patch updates the packages to add kmod (which provides modprobe) as a recommended dependency. We should probably look for alternatives in our code to not require modprobe.


Depending on the host configuration, the `br_netfilter` module may not
be loaded by default. In this situation, docker will try to load the module
through `modprobe`.

Older versions of docker would silently ignore failing to do so, log a message,
and continue;

    time="2024-11-29T20:04:58.538404376Z" level=warning msg="Running modprobe bridge br_netfilter failed with message: , error: exec: \"modprobe\": executable file not found in $PATH"

However, starting with [db25b0dcd0461802289e962aa0df3abd323d1994][1] and
[264c15bfc427d1321c5b302e48e16d113b06ef92][2], we now produce an error:

    === FAIL: libnetwork/drivers/bridge TestCreateFullOptions (0.04s)
    time="2024-11-29T19:03:44Z" level=error msg="Running modprobe br_netfilter failed with message: " error="exec: \"modprobe\": executable file not found in $PATH"
        bridge_linux_test.go:280: Failed to create bridge: loadBridgeNetFilterModule failed: cannot restrict inter-container communication: modprobe br_netfilter failed: exec: "modprobe": executable file not found in $PATH

This patch updates the packages to add `kmod` (which provides `modprobe`)
as a recommended dependency. We should probably look for alternatives in
our code to not require `modprobe`.

[1]: moby/moby@db25b0d
[2]: moby/moby@264c15b

Signed-off-by: Sebastiaan van Stijn <[email protected]>
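
The failure described above depends on two host facts: whether `br_netfilter` is already loaded, and whether `modprobe` can be found in `$PATH`. The following preflight check is an added example, not part of this PR or of the project's code; the function names and the `SYSROOT`/`SEARCH_PATH` parameters are hypothetical, and it relies on a loaded module appearing as `/sys/module/<name>`.

```shell
#!/bin/sh
# Added example (not project code): classify a host for the br_netfilter /
# modprobe failure discussed in this PR. SYSROOT and SEARCH_PATH are
# parameters of this sketch so it can run against a constructed directory
# tree; on a real host they are "/" and "$PATH".

# module_loaded SYSROOT MODULE -> exit 0 if sysfs lists the module
module_loaded() {
    [ -d "${1%/}/sys/module/$2" ]
}

# find_in_path SEARCH_PATH NAME -> prints first executable match, exit 1 if none
find_in_path() {
    _old_ifs=$IFS; IFS=:
    for _dir in $1; do
        if [ -x "$_dir/$2" ] && [ ! -d "$_dir/$2" ]; then
            IFS=$_old_ifs
            printf '%s\n' "$_dir/$2"
            return 0
        fi
    done
    IFS=$_old_ifs
    return 1
}

# bridge_preflight SYSROOT SEARCH_PATH -> prints one of:
#   loaded    br_netfilter already present, modprobe is not needed
#   loadable  module absent but modprobe exists, so a load can be attempted
#   blocked   module absent and no modprobe: the error path quoted in the PR
bridge_preflight() {
    if module_loaded "$1" br_netfilter; then
        echo loaded
    elif find_in_path "$2" modprobe >/dev/null; then
        echo loadable
    else
        echo blocked
    fi
}

# Check the live host only when invoked with "--host".
if [ "${1:-}" = "--host" ]; then
    bridge_preflight / "$PATH"
fi
```

A `blocked` result on a host running an older daemon corresponds to the warning-and-continue log line quoted above, where the module that the error message ties to restricting inter-container communication was never loaded.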
@thaJeztah
Member Author

Thanks for reviewing! Since opening this PR, I also discussed a bit with @robmry @neersighted to look for possible alternatives that don't require modprobe (more so because running modprobe inside a container doesn't work for what we try to do).

I was a bit hesitant on adding a new dependency, but pending an alternative in the daemon itself, I think it's the most correct thing to do for the time being (i.e., we need modprobe in some cases, so we may as well reflect that in the package).

Once we have an alternative for calling modprobe, this is probably fine to bring in (just need a reminder to "self" to remove it again once we no longer need it).

Also opened a backport for 27.x;

@thaJeztah thaJeztah requested a review from akerouanton December 4, 2024 15:01
@robmry
Contributor

robmry commented Dec 4, 2024

I just tried an equivalent to the ip link show trick, based on https://github.com/weaveworks/go-odp/blob/master/odp/dpif.go#L70-L90

It worked perfectly in a (privileged) docker-in-docker container on a Debian host that didn't have ip6_tables loaded. So I'll get a PR raised soon.

I'll make it try to fall-back to real modprobe ... so maybe it's still a good idea to add this dependency?

Member

@laurazard laurazard left a comment

LGTM

@thaJeztah
Member Author

Thanks @robmry ! Yeah, I think this patch is still OK to have.

@thaJeztah thaJeztah merged commit e9f9575 into docker:master Dec 4, 2024
8 checks passed
@thaJeztah thaJeztah deleted the add_kmod branch December 4, 2024 15:17