Enforce requirement for iptables/ip6tables to implement ICC=false #48494
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
a8eb017
to
2dea933
Compare
Disabling Inter-Container Communication (ICC) in the bridge
driver is implemented using iptables.
The bridge driver has not been checking that iptables/ip6tables
are enabled if required for ICC=false, and some unit tests do
not set up consistent config.
Supplying "netlabel.GenericData" in "options.Generic" form
("map[string]any") does not set up "EnableICC: false". But,
suppling it in "map[string]string" form does - and that's
the form used when a driver option is supplied via the API
as, for example "-o com.docker.network.bridge.enable_icc=false".
So, do that in more tests.
Set EnableIPTables/EnableIP6Tables in the driver config for
other tests, and explicitly enable/disable EnableICC in others.
Signed-off-by: Rob Murray <rob.murray@docker.com>
The integration test helpers like NewSwarm that start a daemon with swarm enabled have been setting "--iptables=false". Now deleted comments from 2018 say "avoid networking conflicts". But, when a swarm network needs a "docker_gwbridge" network, it's always created with ICC=false, and that can't be implemented with iptables disabled - the tests have silently been running with ICC enabled on gateway networks (as well as any other effects running without iptables may have had). Non-swarm tests that start their own daemons don't disable iptables, and CI is happy with iptables enabled. So, don't disable iptables. Signed-off-by: Rob Murray <rob.murray@docker.com>
2dea933
to
3d14a40
Compare
With "-icc=false", no inter-container comms on the default bridge, the daemon will produce an error and fail to start if iptables or ip6tables are disabled (and ipv4/ipv6 are enabled for the network). Add a similar check for user-defined networks, so that "network create" fails if ICC can't be implemented. Along with the new errors, test that ICC can be disabled for a user-defined network. Signed-off-by: Rob Murray <rob.murray@docker.com>
3d14a40
to
ce3edca
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
With "--icc=false" (no inter-container comms on the default bridge), the daemon will produce an error and fail to start if iptables/ip6tables are disabled and ipv4/ipv6 are enabled for the network.
There's no such check for user-defined networks. (And I don't think we test ICC=false in user-defined networks.)
- How I did it
Make "network create" fail if ICC=false can't be implemented.
- How to verify it
New tests.
- Description for the changelog