[docker-in-docker] Use iptables-legacy only if it's working #1425
Conversation
Currently, docker-in-docker configures `iptables` to use `iptables-legacy` if it exists. However, if the `ip_tables` kernel module is not loaded on the host, `iptables-legacy` will not work. With this change, docker-in-docker checks if `iptables-legacy` works before using `update-alternatives`. Fixes devcontainers#1235
Hello @olivierlemasle ,
Thank you for the contribution. I have left a small comment for the same.
Hello @olivierlemasle ,
Would you kindly add a test for this fix? Also, please do a version bump.
Hello @Kaniska244,
Do you have any suggestion on how to test this fix? The error depends on whether the `ip_tables` kernel module is loaded on the host, so a test needs to access the host kernel 🤔.

Actually, when the host kernel does not have the `ip_tables` module loaded, the generated tests already fail, and this is fixed with this PR.

E.g. on a Fedora 42 system (host), with the kernel module `ip_tables` not loaded (this can be reproduced with `modprobe -r ip_tables`), the command `devcontainer features test -f docker-in-docker --skip-scenarios --skip-duplicated -i debian:12` fails with:
🏃 Starting test(s)...
🧪 Starting 'docker-in-docker' tests...
🔄 Testing 'version'
Docker version 28.3.3-1, build 980b85681696fbd95927fd8ded8f6d91bdca95b0
✅ Passed 'version'!
🔄 Testing 'docker-init-exists'
/usr/local/share/docker-init.sh
✅ Passed 'docker-init-exists'!
🔄 Testing 'docker-ps'
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
❌ docker-ps check failed.
🧹 Cleaning up 1 test containers...
🧹 Removing container 03e19c445011...
================== TEST REPORT ==================
❌ Failed: 'docker-in-docker'
This is fixed with the PR:
🏃 Starting test(s)...
🧪 Starting 'docker-in-docker' tests...
🔄 Testing 'version'
Docker version 28.3.3-1, build 980b85681696fbd95927fd8ded8f6d91bdca95b0
✅ Passed 'version'!
🔄 Testing 'docker-init-exists'
/usr/local/share/docker-init.sh
✅ Passed 'docker-init-exists'!
🔄 Testing 'docker-ps'
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
✅ Passed 'docker-ps'!
🔄 Testing 'log-exists'
/tmp/dockerd.log
✅ Passed 'log-exists'!
🔄 Testing 'log-for-completion'
time="2025-08-06T12:58:32.864310897Z" level=info msg="Daemon has completed initialization"
✅ Passed 'log-for-completion'!
🔄 Testing 'log-contents'
time="2025-08-06T12:58:32.864568877Z" level=info msg="API listen on /var/run/docker.sock"
✅ Passed 'log-contents'!
🔄 Testing 'moby-buildx'
moby-buildx 0.26.0-debian12u1
✅ Passed 'moby-buildx'!
Test Passed!
🧹 Cleaning up 1 test containers...
🧹 Removing container 767628a63e7d...
================== TEST REPORT ==================
✅ Passed: 'docker-in-docker'
Hello @olivierlemasle ,
Indeed, that's a very pertinent question. How do we get a Fedora host/VM to test this? Let me check on this, discuss with the maintainers, and get back to you.
A Fedora host is not required, but at least an environment where it is possible to manage kernel modules.
I've actually found a way to add a test. It is actually possible to load/unload kernel modules in the GitHub Actions environment. However, unloading the module currently works in the CI environment only when I run my added scenario, not when all scenarios are run. Still working on it.
Currently, docker-in-docker configures `iptables` to use `iptables-legacy` if it exists. However, if the `ip_tables` kernel module is not loaded on the host (such as with Fedora hosts), `iptables-legacy` will not work (and `iptables-nft` will probably work). With this change, docker-in-docker checks if `iptables-legacy` works before using `update-alternatives`. Fixes #1235
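As an added example (not the docker-in-docker feature's install script and not the code of this PR), here is one way to implement the check that both the PR summary at the top of the page and the description just above call for: probe whether `iptables-legacy` can actually open a table before pointing the `iptables` alternative at it, and fall back to `iptables-nft` when it cannot. The `/usr/sbin/iptables-legacy` and `/usr/sbin/iptables-nft` default paths, the `-t filter -L -n` probe and the `update-alternatives --set iptables <path>` invocation are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not the docker-in-docker feature's own script): only switch
# the iptables alternative to iptables-legacy when it can actually talk to the
# kernel. Default paths and the update-alternatives call are assumptions.

# Probe a backend by listing the filter table. When the host kernel has no
# ip_tables module, iptables-legacy cannot open the table and exits non-zero
# (it cannot modprobe from inside a container); iptables-nft talks to
# nf_tables instead, so the same probe tells us whether that one works.
iptables_backend_works() {
    local bin="$1"
    [ -x "$bin" ] && "$bin" -t filter -L -n >/dev/null 2>&1
}

# Print the first working backend (legacy preferred, then nft) and return 0,
# or print "none" and return 1 so callers can skip update-alternatives.
choose_iptables_backend() {
    local legacy="${1:-/usr/sbin/iptables-legacy}"   # assumed Debian paths
    local nft="${2:-/usr/sbin/iptables-nft}"
    local candidate
    for candidate in "$legacy" "$nft"; do
        if iptables_backend_works "$candidate"; then
            echo "$candidate"
            return 0
        fi
    done
    echo "none"
    return 1
}

# Apply the choice. Nothing is changed when no backend works, instead of
# unconditionally selecting iptables-legacy just because the binary exists.
configure_iptables_alternative() {
    local chosen
    if ! chosen=$(choose_iptables_backend "$@"); then
        echo "no working iptables backend found; leaving alternatives unchanged" >&2
        return 1
    fi
    # Assumed alternative name and invocation (as on Debian/Ubuntu).
    update-alternatives --set iptables "$chosen"
}

# Stand-alone run: report the decision for this host without changing anything.
report=$(choose_iptables_backend) || true
echo "would select: $report"
```

Run `configure_iptables_alternative` as root on the image being configured; the read-only probe is what turns "binary exists" into "binary works", which is exactly the distinction the `modprobe -r ip_tables` reproduction above exposes. The same pattern applies to the `ip6tables` alternative (with `ip6tables-legacy` and `ip6tables-nft`), which this example leaves out for brevity.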