nixos/containers: explicitly load kernel modules for networking #70447
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
List all modules that *may* be required depending on individual container configurations; don't expect that further modules can be loaded after boot. Fixes NixOS#38676
joachifm
added
the
9.needs: port to stable
dtzWill
pushed a commit
to dtzWill/nixpkgs
that referenced
this pull request
Oct 6, 2019
…networking-lockKernelModules-compat nixos/containers: explicitly load kernel modules for networking (cherry picked from commit 1031801)
10 tasks
ryneeverett
added a commit
to ryneeverett/nixpkgs
that referenced
this pull request
Jul 18, 2020
This is analogous to NixOS#70447. With security.lockKernelModules=true, docker commands result in the following error without at least loading veth: $ docker run hello-world /nix/store/mr50kaan2vs4gc40ymwncb2vci25aq7z-docker-19.03.2/libexec/docker/docker: Error response from daemon: failed to create endpoint epic_kare on network bridge: failed to add the host (veth8b381f3) <=> sandbox (veth348e197) pair interfaces: operation not supported. ERRO[0003] error waiting for container: context canceled
10 tasks
mkg20001
pushed a commit
that referenced
this pull request
Apr 29, 2021
This is analogous to #70447 and #76487. These are all needed to attach a container to the default bridge network, without which the final line of the following script fails with the error for each respective kernel module listed below. ```sh lxc storage create foo dir lxc launch -s foo ubuntu:trusty bar lxc network attach lxdbr0 bar ``` veth ---- > Error: Failed to start device 'lxdbr0': Failed to create the veth interfaces vethefbc3cd6 and vetha4abbcbc: Failed to run: ip link add dev vethefbc3cd6 type veth peer name vetha4abbcbc: RTNETLINK answers: Operation not supported iptable_mangle -------------- > lvl=eror msg="Failed to bring up network" err="Failed to list ipv4 rules for LXD network lxdbr0 (table mangle)" name=lxdbr0 xt_comment ---------- > lvl=error msg="Failed to bring up network" err="Failed to run: iptables -w -t filter -I INPUT -i lxdbr0 -p udp --dport 67 -j ACCEPT -m comment --comment generated for LXD network lxdbr0: iptables v1.8.4 (legacy): Couldn't load match `comment':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information." name=lxdbr0 xt_MASQUERADE ------------- > vl=eror msg="Failed to bring up network" err="Failed to run: iptables -w -t nat -I POSTROUTING -s 10.0.107.0/24 ! -d 10.0.107.0/24 -j MASQUERADE -m comment --comment generated for LXD network lxdbr0: iptables v1.8.4 (legacy): Couldn't load target `MASQUERADE':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information." name=lxdbr0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
List all modules that may be required depending on individual container
configurations; don't expect that further modules can be loaded after boot.
Fixes #38676