Conversation
Historically, the `bridge` network-driver would detect whether netfiltering
was enabled in the kernel or, if disabled, try to do a `modprobe` when
initializing the driver. This approach became problematic, as loading the
module was not always performed at startup depending on daemon configuration,
or the daemon may have failed to load the module. The `/info` response
would include a warning to inform the user that some functionality may not
be available;
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Starting with db25b0d, detecting whether
netfiltering is enabled now [happens when needed][1], which was further improved
on to not depend on `modprobe` in 264c15b and
4740820.
Because of the above, the `/info` output would now return warnings in any
situation where netfiltering was not enabled on the host before the daemon
started, which may be either _incorrect_ (i.e., the module may have been
loaded afterwards), or irrelevant, because netfiltering is not needed in
all situations.
This patch removes the warnings from the `/info` response,
[1]: https://github.com/moby/moby/blob/944e40350259f040950d871d402d848ff2a799bc/libnetwork/drivers/bridge/setup_bridgenetfiltering.go#L16-L77
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5c35874)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
vvoland
approved these changes
Dec 13, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
daemon: info: remove bridge-nf-call-iptables / ip6tables warnings
Historically, the
bridgenetwork-driver would detect whether netfiltering was enabled in the kernel or, if disabled, try to do amodprobewhen initializing the driver. This approach became problematic, as loading the module was not always performed at startup depending on daemon configuration, or the daemon may have failed to load the module. The/inforesponse would include a warning to inform the user that some functionality may not be available;Starting with db25b0d, detecting whether netfiltering is enabled now happens when needed, which was further improved on to not depend on
modprobein 264c15b and 4740820.Because of the above, the
/infooutput would now return warnings in any situation where netfiltering was not enabled on the host before the daemon started, which may be either incorrect (i.e., the module may have been loaded afterwards), or irrelevant, because netfiltering is not needed in all situations.This patch removes the warnings from the
/inforesponse,- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)