!141 Fix: setup user chains even if there are running containers

From: @dog-life Reviewed-by: @xu_lei_123 Signed-off-by: @xu_lei_123
2025-04-21 07:38:24 +00:00 · 2025-04-21 07:38:24 +00:00 · 261943fc47
commit 261943fc47
parent c5e564a4dc e1c233ed80
2 changed files with 127 additions and 1 deletions
--- a/1018-Fix-setup-user-chains-even-if-there-are-running-cont.patch
+++ b/1018-Fix-setup-user-chains-even-if-there-are-running-cont.patch
@ -0,0 +1,122 @@
 From 60eece38cd2c5f41f948cd463a6ee0f0ad2f9d99 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andr=C3=A9s=20Maldonado?= <maldonado@codelutin.com>
 Date: Fri, 4 Oct 2024 01:53:46 +0200
 Subject: Fix: setup user chains even if there are running containers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Currently, the DOCKER-USER chains are set up on firewall reload or network
 creation. If there are running containers at startup, configureNetworking won't
 be called (daemon/daemon_unix.go), so the user chains won't be setup.
 This commit puts the setup logic on a separate function, and calls it on the
 original place and on initNetworkController.
 Signed-off-by: Andrés Maldonado <maldonado@codelutin.com>
 (cherry picked from commit a8bfa83667fb7c31e7274dc83a2aa9c98ace2af2)
 Signed-off-by: Justin Alvarez <alvajus@amazon.com>
 ---
 daemon/daemon_unix.go             |  4 ++++
 integration/daemon/daemon_test.go | 29 +++++++++++++++++++++++++++++
 libnetwork/controller.go          | 17 ++++++++++++-----
 3 files changed, 45 insertions(+), 5 deletions(-)
 diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
 index 1143dda063..f6704df752 100644
 --- a/daemon/daemon_unix.go
 +++ b/daemon/daemon_unix.go
@@ -852,6 +852,10 @@ func (daemon *Daemon) initNetworkController(cfg *config.Config, activeSandboxes
 		return err
 	}
 +	if err := daemon.netController.SetupUserChains(); err != nil {
 +		log.G(context.TODO()).WithError(err).Warnf("initNetworkController")
 +	}
 +
 	// Set HostGatewayIP to the default bridge's IP if it is empty
 	setHostGatewayIP(daemon.netController, cfg)
 	return nil
 diff --git a/integration/daemon/daemon_test.go b/integration/daemon/daemon_test.go
 index a6436ae7da..045f9bed4f 100644
 --- a/integration/daemon/daemon_test.go
 +++ b/integration/daemon/daemon_test.go
@@ -388,6 +388,7 @@ func TestLiveRestore(t *testing.T) {
 	t.Run("volume references", testLiveRestoreVolumeReferences)
 	t.Run("autoremove", testLiveRestoreAutoRemove)
 +	t.Run("user chains", testLiveRestoreUserChainsSetup)
 }
 func testLiveRestoreAutoRemove(t *testing.T) {
@@ -606,6 +607,34 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
 	})
 }
 +func testLiveRestoreUserChainsSetup(t *testing.T) {
 +	skip.If(t, testEnv.IsRootless(), "rootless daemon uses it's own network namespace")
 +
 +	t.Parallel()
 +	ctx := testutil.StartSpan(baseContext, t)
 +
 +	t.Run("user chains should be inserted", func(t *testing.T) {
 +		d := daemon.New(t)
 +		d.StartWithBusybox(ctx, t, "--live-restore")
 +		t.Cleanup(func() {
 +			d.Stop(t)
 +			d.Cleanup(t)
 +		})
 +
 +		c := d.NewClientT(t)
 +
 +		cID := container.Run(ctx, t, c, container.WithCmd("top"))
 +		defer c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
 +
 +		d.Stop(t)
 +		icmd.RunCommand("iptables", "--flush", "FORWARD").Assert(t, icmd.Success)
 +		d.Start(t, "--live-restore")
 +
 +		result := icmd.RunCommand("iptables", "-S", "FORWARD", "1")
 +		assert.Check(t, is.Equal(strings.TrimSpace(result.Stdout()), "-A FORWARD -j DOCKER-USER"), "the jump to DOCKER-USER should be the first rule in the FORWARD chain")
 +	})
 +}
 +
 func TestDaemonDefaultBridgeWithFixedCidrButNoBip(t *testing.T) {
 	skip.If(t, runtime.GOOS == "windows")
 diff --git a/libnetwork/controller.go b/libnetwork/controller.go
 index 8341946756..9c066d238e 100644
 --- a/libnetwork/controller.go
 +++ b/libnetwork/controller.go
@@ -707,15 +707,22 @@ addToStore:
 		c.mu.Unlock()
 	}
 -	// Sets up the DOCKER-USER chain for each iptables version (IPv4, IPv6)
 -	// that's enabled in the controller's configuration.
 +	if err := c.SetupUserChains(); err != nil {
 +		log.G(context.TODO()).WithError(err).Warnf("Controller.NewNetwork %s:", name)
 +	}
 +
 +	return nw, nil
 +}
 +
 +// Sets up the DOCKER-USER chain for each iptables version (IPv4, IPv6) that's
 +// enabled in the controller's configuration.
 +func (c *Controller) SetupUserChains() error {
 	for _, ipVersion := range c.enabledIptablesVersions() {
 		if err := setupUserChain(ipVersion); err != nil {
 -			log.G(context.TODO()).WithError(err).Warnf("Controller.NewNetwork %s:", name)
 +			return err
 		}
 	}
 -
 -	return nw, nil
 +	return nil
 }
 var joinCluster NetworkWalker = func(nw *Network) bool {
 -- 
 2.27.0
--- a/moby.spec
+++ b/moby.spec
@ -7,7 +7,7 @@
 Name: 	  moby
 Version:  25.0.3
-Release:  29
+Release:  30
 Summary:  The open-source application container engine
 License:  Apache-2.0
 URL:	  https://www.docker.com
@ -41,6 +41,7 @@ Patch1014:  1014-daemon-overlay2-remove-world-writable-permission-fro.patch
 Patch1015:  1015-rootless-fix-open-etc-docker-plugins-permission-deni.patch
 Patch1016:  1016-Fix-cases-where-we-are-wrapping-a-nil-error.patch
 Patch1017:  1017-libnetwork-fix-non-constant-format-string-in-call-go.patch
 Patch1018:  1018-Fix-setup-user-chains-even-if-there-are-running-cont.patch
 # Patch 2001-2999 for tini
 Patch2001:  2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
@ -232,6 +233,9 @@ fi
 %systemd_postun_with_restart docker.service
 %changelog
 * Sun Apr 20 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-30
 - Fix: setup user chains even if there are running containers
 * Sun Apr 20 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-29
 - libnetwork: fix non-constant format string in call (govet)