On an nftables host, the ip6_tables kernel module may not be loaded,
but it needs to be for dockerd to run (with ip6tables now enabled by
default).
If ip6tables doesn't work, try the dind official image's trick for
loading the module using "ip link show".
Signed-off-by: Rob Murray <rob.murray@docker.com>
| ... | ... |
@@ -91,6 +91,19 @@ if [ -n "$DOCKER_ROOTLESS" ]; then |
| 91 | 91 |
) |
| 92 | 92 |
fi |
| 93 | 93 |
|
| 94 |
+# On a host using nftables, the ip6_tables kernel module may need to be loaded. |
|
| 95 |
+# This trick is borrowed from the docker (dind) official image ... |
|
| 96 |
+# "modprobe" without modprobe |
|
| 97 |
+# https://twitter.com/lucabruno/status/902934379835662336 |
|
| 98 |
+# This isn't 100% fool-proof, but it'll have a much higher success rate than |
|
| 99 |
+# simply using the "real" modprobe (which isn't installed in the dev container). |
|
| 100 |
+if ! ip6tables -nL > /dev/null 2>&1; then |
|
| 101 |
+ ip link show ip6_tables > /dev/null 2>&1 || true |
|
| 102 |
+ if ! ip6tables -nL > /dev/null 2>&1; then |
|
| 103 |
+ echo >&2 'ip6tables is not available' |
|
| 104 |
+ fi |
|
| 105 |
+fi |
|
| 106 |
+ |
|
| 94 | 107 |
set -x |
| 95 | 108 |
# shellcheck disable=SC2086 |
| 96 | 109 |
exec "${dockerd[@]}" "${args[@]}"
|
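Review bot: The second probe (new lines 102-104) discards ip6tables' stderr and prints only a fixed message before falling through to `exec "${dockerd[@]}"`, so a failure with another cause (missing binary, insufficient privilege) looks the same as a missing module and the real error is lost. Consider capturing it: `if ! err="$(ip6tables -nL 2>&1 >/dev/null)"; then echo >&2 "ip6tables is not available: $err"; fi`. The block also sits after the `DOCKER_ROOTLESS` branch closes, so it presumably runs in rootless mode too, where the probe may fail for lack of privilege rather than a missing module; that is worth confirming, and guarding if so. Since the commit message says dockerd needs the module, a comment such as `# Non-fatal: dockerd reports its own error if ip6tables is required` would make the fall-through explicit, because without working ip6tables the IPv6 filter rules cannot be installed.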