2 changes: 1 addition & 1 deletion src/docker-in-docker/devcontainer-feature.json
@@ -1,6 +1,6 @@
{
"id": "docker-in-docker",
"version": "2.12.2",
"version": "2.12.3",
"name": "Docker (Docker-in-Docker)",
"documentationURL": "https://github.com/devcontainers/features/tree/main/src/docker-in-docker",
"description": "Create child containers *inside* a container, independent from the host's docker instance. Installs Docker extension in the container along with needed CLIs.",
2 changes: 1 addition & 1 deletion src/docker-in-docker/install.sh
Contributor

Hello @olivierlemasle,

Would you kindly add a test for this fix? Also, please do a version bump.

Contributor Author

@olivierlemasle olivierlemasle Aug 6, 2025

Hello @Kaniska244,

Do you have any suggestion on how to test this fix? The error depends on whether the ip_tables kernel module is loaded on the host, so a test needs to access the host kernel 🤔.

Actually, when the host kernel does not have the ip_tables module loaded, the generated tests already fail, and this is fixed with this PR.

E.g. on a Fedora 42 system (host), with the kernel module ip_tables not loaded (this can be reproduced with modprobe -r ip_tables), the command

devcontainer features test -f docker-in-docker --skip-scenarios --skip-duplicated -i debian:12

fails with:

🏃 Starting test(s)...

🧪 Starting 'docker-in-docker' tests...


🔄 Testing 'version'

Docker version 28.3.3-1, build 980b85681696fbd95927fd8ded8f6d91bdca95b0


✅  Passed 'version'!


🔄 Testing 'docker-init-exists'

/usr/local/share/docker-init.sh


✅  Passed 'docker-init-exists'!


🔄 Testing 'docker-ps'

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?


❌ docker-ps check failed.
🧹 Cleaning up 1 test containers...
🧹 Removing container 03e19c445011...



  ================== TEST REPORT ==================
❌ Failed:      'docker-in-docker'

This is fixed with the PR:

🏃 Starting test(s)...

🧪 Starting 'docker-in-docker' tests...


🔄 Testing 'version'

Docker version 28.3.3-1, build 980b85681696fbd95927fd8ded8f6d91bdca95b0


✅  Passed 'version'!


🔄 Testing 'docker-init-exists'

/usr/local/share/docker-init.sh


✅  Passed 'docker-init-exists'!


🔄 Testing 'docker-ps'

CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES


✅  Passed 'docker-ps'!


🔄 Testing 'log-exists'

/tmp/dockerd.log


✅  Passed 'log-exists'!


🔄 Testing 'log-for-completion'

time="2025-08-06T12:58:32.864310897Z" level=info msg="Daemon has completed initialization"


✅  Passed 'log-for-completion'!


🔄 Testing 'log-contents'

time="2025-08-06T12:58:32.864568877Z" level=info msg="API listen on /var/run/docker.sock"


✅  Passed 'log-contents'!


🔄 Testing 'moby-buildx'

moby-buildx     0.26.0-debian12u1


✅  Passed 'moby-buildx'!


Test Passed!
🧹 Cleaning up 1 test containers...
🧹 Removing container 767628a63e7d...



  ================== TEST REPORT ==================
✅ Passed:      'docker-in-docker'

Contributor

@Kaniska244 Kaniska244 Aug 6, 2025

Hello @olivierlemasle,

Indeed, that's a very pertinent question. How do we get a Fedora host/VM to test this? Let me check on this and also discuss with the maintainers and get back to you.

Contributor Author

A Fedora host is not required, but at least an environment where it is possible to manage kernel modules.

Contributor Author

@olivierlemasle olivierlemasle Aug 6, 2025

I've actually found a way to add a test. It is actually possible to load/unload kernel modules in the GitHub Actions environment. However, unloading the module currently works in the CI environment only when I run my added scenario, not when all scenarios are run. Still working on it.

Expand Up @@ -218,7 +218,7 @@ if ! type git > /dev/null 2>&1; then
fi

# Swap to legacy iptables for compatibility
if type iptables-legacy > /dev/null 2>&1; then
if type iptables-legacy > /dev/null 2>&1 && iptables-legacy -L > /dev/null 2>&1; then
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
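Review bot: the new probe in the if condition, "iptables-legacy -L > /dev/null 2>&1", discards its output, so when it fails the script keeps the default backend without leaving any trace of why the swap was skipped. The thread attributes the failure to the ip_tables module not being loaded on the host, but every other way the probe can fail takes the same silent path. Consider adding an else branch that prints which backend is kept, and updating the comment "Swap to legacy iptables for compatibility" to say that the swap now happens only when the legacy backend is usable.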
19 changes: 19 additions & 0 deletions test/docker-in-docker/docker_with_iptables.sh
@@ -0,0 +1,19 @@
#!/bin/bash

set -e

# Optional: Import test library
source dev-container-features-test-lib

# Feature specific tests
check "iptables works" sudo iptables -L
check "iptables uses legacy" bash -c "iptables --version | grep legacy"

check "version" docker --version
check "docker-ps" bash -c "docker ps"
check "log-exists" bash -c "ls /tmp/dockerd.log"
check "log-for-completion" bash -c "cat /tmp/dockerd.log | grep 'Daemon has completed initialization'"
check "log-contents" bash -c "cat /tmp/dockerd.log | grep 'API listen on /var/run/docker.sock'"

# Report result
reportResults
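Review bot: the backend assertion "iptables --version | grep legacy" checks only the IPv4 alternative, while the install.sh branch under test also sets ip6tables to /usr/sbin/ip6tables-legacy. Add a matching check on "ip6tables --version" so that a swap applied to only one of the two alternatives is caught by this scenario.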
19 changes: 19 additions & 0 deletions test/docker-in-docker/docker_without_iptables.sh
@@ -0,0 +1,19 @@
#!/bin/bash

set -e

# Optional: Import test library
source dev-container-features-test-lib

# Feature specific tests
check "iptables works" sudo iptables -L
check "iptables uses nf_tables" bash -c "iptables --version | grep nf_tables"

check "version" docker --version
check "docker-ps" bash -c "docker ps"
check "log-exists" bash -c "ls /tmp/dockerd.log"
check "log-for-completion" bash -c "cat /tmp/dockerd.log | grep 'Daemon has completed initialization'"
check "log-contents" bash -c "cat /tmp/dockerd.log | grep 'API listen on /var/run/docker.sock'"

# Report result
reportResults
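Review bot: this script is a line-for-line copy of docker_with_iptables.sh except for the backend check ("grep nf_tables" instead of "grep legacy"), so any later change to the shared docker and dockerd.log checks has to be made in two places. Consider moving the common checks into a shared helper that takes the expected backend string, and while there, the "cat /tmp/dockerd.log | grep ..." checks can call grep on the file directly.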
18 changes: 18 additions & 0 deletions test/docker-in-docker/scenarios.json
Expand Up @@ -158,6 +158,24 @@
}
}
},
"docker_without_iptables": {
"image": "mcr.microsoft.com/devcontainers/base:debian",
"features": {
"docker-in-docker": {
"moby": "false"
}
},
"initializeCommand": "sudo modprobe --remove --remove-holders --wait 1000 ip_tables"
},
"docker_with_iptables": {
"image": "mcr.microsoft.com/devcontainers/base:debian",
"features": {
"docker-in-docker": {
"moby": "false"
}
},
"initializeCommand": "sudo modprobe ip_tables"
},
// DO NOT REMOVE: This scenario is used by the docker-in-docker-stress-test workflow
"docker_with_on_create_command": {
"image": "mcr.microsoft.com/devcontainers/base:debian",
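Review bot: both new initializeCommand entries run "sudo modprobe" on the machine that launches the tests rather than inside the container, so they change kernel state that outlives the scenario: docker_without_iptables leaves ip_tables unloaded for whichever scenario runs next, and either one alters a developer's workstation when the suite is run locally. This also makes the result depend on scenario order, which fits the remark in the thread that the unload only works when the scenario runs alone. Please add a comment next to these entries (like the existing "DO NOT REMOVE" one) stating that they need sudo and kernel-module management on the host, and consider restoring the module afterwards or running these two scenarios in a dedicated workflow.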