Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/docker: explicitly load kernel modules #76487

Merged
merged 1 commit into from Jul 18, 2020
Merged

nixos/docker: explicitly load kernel modules #76487

merged 1 commit into from Jul 18, 2020

Conversation

ryneeverett
Copy link
Contributor

This is analogous to #70447.

With security.lockKernelModules=true, docker commands result in the following
error without at least loading veth:

$ docker run hello-world
/nix/store/mr50kaan2vs4gc40ymwncb2vci25aq7z-docker-19.03.2/libexec/docker/docker: Error response from daemon: failed to create endpoint epic_kare on network bridge: failed to add the host (veth8b381f3) <=> sandbox (veth348e197) pair interfaces: operation not supported.
ERRO[0003] error waiting for container: context canceled

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@danbst
Copy link
Contributor

danbst commented Dec 25, 2019

does this mean, that when security.lockKernelModules = false, docker will load kernel modules (the mentioned veth) dynamically?

@ryneeverett
Copy link
Contributor Author

ryneeverett commented Dec 26, 2019
edited

@danbst From the fact that this change fixes the networking issue I conclude that docker does indeed load veth. I don't know whether it's always loaded on daemon initialization or on demand when a network is created.

@danbst
Copy link
Contributor

danbst commented Dec 26, 2019

it may be that veth is not the only one needed. For example, bridge, tun may also be required.

systemd-nspawn containers also have list of preloaded modules: https://github.com/NixOS/nixpkgs/blob/release-19.09/nixos/modules/virtualisation/containers.nix#L828-L833

@Mic92
Copy link
Member

Mic92 commented Dec 26, 2019
edited

I would actually only load the modules if security.lockKernelModules is enabled. People might not use all kernel modules listed here. Or does this only white-list allowed modules instead of actually loading them?

@ryneeverett
Copy link
Contributor Author

it may be that veth is not the only one needed.

Yes, there probably are others needed but I don't know of a method to discover them. Most people aren't going to notice, even with lockKernelModules enabled, because they're loaded as side effects of other packages.

I would actually only load the modules if security.lockKernelModules is enabled. People might not use all kernel modules listed here. Or does this only white-list allowed modules instead of actually loading them?

This does load them but the absence of this particular module breaks the most basic of docker usage so it needs to be loaded when the docker module is enabled.

@stale
Copy link

stale bot commented Jul 16, 2020

Hello, I'm a bot and I thank you in the name of the community for your contributions.

Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:

If you received an approval by an unpriviledged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list.

If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past.

If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments.

Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 16, 2020
@Mic92
Copy link
Member

Mic92 commented Jul 17, 2020

I would add at least bridges. I have not seen docker seen using tun/tap/macvlan in the common case.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 17, 2020
@ryneeverett
nixos/docker: explicitly load kernel modules
f12581a 
This is analogous to NixOS#70447.

With security.lockKernelModules=true, docker commands result in the following
error without at least loading veth:

$ docker run hello-world
/nix/store/mr50kaan2vs4gc40ymwncb2vci25aq7z-docker-19.03.2/libexec/docker/docker: Error response from daemon: failed to create endpoint epic_kare on network bridge: failed to add the host (veth8b381f3) <=> sandbox (veth348e197) pair interfaces: operation not supported.
ERRO[0003] error waiting for container: context canceled
@Mic92 Mic92 merged commit eb66a32 into NixOS:master Jul 18, 2020
@ryneeverett ryneeverett mentioned this pull request Sep 10, 2020
Merged
10 tasks
@ryneeverett ryneeverett mentioned this pull request Sep 10, 2020
Merged
10 tasks
mkg20001 pushed a commit that referenced this pull request Apr 29, 2021
@ryneeverett @mkg20001
nixos/lxd: explicitly load kernel modules
80e263b 
This is analogous to #70447 and #76487.

These are all needed to attach a container to the default bridge
network, without which the final line of the following script fails with
the error for each respective kernel module listed below.

```sh
lxc storage create foo dir
lxc launch -s foo ubuntu:trusty bar
lxc network attach lxdbr0 bar
```

veth
----

> Error: Failed to start device 'lxdbr0': Failed to create the veth interfaces vethefbc3cd6 and vetha4abbcbc: Failed to run: ip link add dev vethefbc3cd6 type veth peer name vetha4abbcbc: RTNETLINK answers: Operation not supported

iptable_mangle
--------------

> lvl=eror msg="Failed to bring up network" err="Failed to list ipv4 rules for LXD network lxdbr0 (table mangle)" name=lxdbr0

xt_comment
----------

> lvl=error msg="Failed to bring up network" err="Failed to run: iptables -w -t filter -I INPUT -i lxdbr0 -p udp --dport 67 -j ACCEPT -m comment --comment generated for LXD network lxdbr0: iptables v1.8.4 (legacy): Couldn't load match `comment':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information." name=lxdbr0

xt_MASQUERADE
-------------

> vl=eror msg="Failed to bring up network" err="Failed to run: iptables -w -t nat -I POSTROUTING -s 10.0.107.0/24 ! -d 10.0.107.0/24 -j MASQUERADE -m comment --comment generated for LXD network lxdbr0: iptables v1.8.4 (legacy): Couldn't load target `MASQUERADE':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information." name=lxdbr0
Artturin pushed a commit that referenced this pull request Feb 17, 2023
@ryneeverett
nixos/docker: load more required kernel modules
12755ec 
This builds on #76487.

br_netfilter
------------

When I first added veth it was suggested I add bridge as well. Without
veth I get the following error message when starting the daemon with
security.lockKernelModules=true:

> Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'br_netfilter': Operation not permitted

Therefore if we're going to add bridge we may as well add br_netfilter
as well.

xt_nat
------

Without xt_nat, docker cannot do dnat with iptables, failing with:

> iptables v1.8.4 (legacy): unknown option \"--to-destination\"\nTry `iptables -h' or 'iptables --help' for more information.\n (exit status 2))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
6.topic: nixos 8.has: documentation 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ryneeverett @danbst @Mic92