Merge pull request #47747 from robmry/non-experimental-ip6tables

Enable 'ip6tables' by default, don't require 'experimental'.
moby · May 24, 2024 · 62ddd3d · 62ddd3d
2 parents 5cd2e6a + 41ddc47
commit 62ddd3d
Show file tree

Hide file tree

Showing 23 changed files with 165 additions and 190 deletions.
diff --git a/cmd/dockerd/config_unix.go b/cmd/dockerd/config_unix.go
@@ -28,7 +28,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
  flags.BoolVar(&conf.EnableSelinuxSupport, "selinux-enabled", false, "Enable selinux support")
  flags.Var(opts.NewNamedUlimitOpt("default-ulimits", &conf.Ulimits), "default-ulimit", "Default ulimits for containers")
  flags.BoolVar(&conf.BridgeConfig.EnableIPTables, "iptables", true, "Enable addition of iptables rules")
- flags.BoolVar(&conf.BridgeConfig.EnableIP6Tables, "ip6tables", false, "Enable addition of ip6tables rules (experimental)")
+ flags.BoolVar(&conf.BridgeConfig.EnableIP6Tables, "ip6tables", true, "Enable addition of ip6tables rules")
  flags.BoolVar(&conf.BridgeConfig.EnableIPForward, "ip-forward", true, "Enable net.ipv4.ip_forward")
  flags.BoolVar(&conf.BridgeConfig.EnableIPMasq, "ip-masq", true, "Enable IP masquerading")
  flags.BoolVar(&conf.BridgeConfig.EnableIPv6, "ipv6", false, "Enable IPv6 networking")

diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
@@ -737,11 +737,13 @@ func verifyDaemonSettings(conf *config.Config) error {
  if conf.BridgeConfig.Iface != "" && conf.BridgeConfig.IP != "" {
  return fmt.Errorf("You specified -b & --bip, mutually exclusive options. Please specify only one")
  }
- if !conf.BridgeConfig.EnableIPTables && !conf.BridgeConfig.InterContainerCommunication {
- return fmt.Errorf("You specified --iptables=false with --icc=false. ICC=false uses iptables to function. Please set --icc or --iptables to true")
- }
- if conf.BridgeConfig.EnableIP6Tables && !conf.Experimental {
- return fmt.Errorf("ip6tables rules are only available if experimental features are enabled")
+ if !conf.BridgeConfig.InterContainerCommunication {
+ if !conf.BridgeConfig.EnableIPTables {
+ return fmt.Errorf("You specified --iptables=false with --icc=false. ICC=false uses iptables to function. Please set --icc or --iptables to true")
+ }
+ if conf.BridgeConfig.EnableIPv6 && !conf.BridgeConfig.EnableIP6Tables {
+ return fmt.Errorf("You specified --ip6tables=false with --icc=false. ICC=false uses ip6tables to function. Please set --icc or --ip6tables to true")
+ }
  }
  if !conf.BridgeConfig.EnableIPTables && conf.BridgeConfig.EnableIPMasq {
  conf.BridgeConfig.EnableIPMasq = false

diff --git a/integration-cli/docker_api_swarm_test.go b/integration-cli/docker_api_swarm_test.go
@@ -861,7 +861,7 @@ func (s *DockerSwarmSuite) TestAPISwarmRestartCluster(c *testing.T) {
  for _, d := range nodes {
  go func(daemon *daemon.Daemon) {
  defer wg.Done()
- if err := daemon.StartWithError("--iptables=false"); err != nil {
+ if err := daemon.StartWithError("--iptables=false", "--ip6tables=false"); err != nil {
  errs <- err
  }
  }(d)

diff --git a/integration-cli/docker_cli_logs_test.go b/integration-cli/docker_cli_logs_test.go
@@ -292,7 +292,7 @@ func (s *DockerCLILogsSuite) TestLogsFollowGoroutinesWithStdout(c *testing.T) {
  d.Stop(c)
  d.Cleanup(c)
  }()
- d.StartWithBusybox(ctx, c, "--iptables=false")
+ d.StartWithBusybox(ctx, c, "--iptables=false", "--ip6tables=false")
 
  out, err := d.Cmd("run", "-d", "busybox", "/bin/sh", "-c", "while true; do echo hello; sleep 2; done")
  assert.NilError(c, err)
@@ -349,7 +349,7 @@ func (s *DockerCLILogsSuite) TestLogsFollowGoroutinesNoOutput(c *testing.T) {
 
  ctx := testutil.GetContext(c)
 
- d.StartWithBusybox(ctx, c, "--iptables=false")
+ d.StartWithBusybox(ctx, c, "--iptables=false", "--ip6tables=false")
 
  out, err := d.Cmd("run", "-d", "busybox", "/bin/sh", "-c", "while true; do sleep 2; done")
  assert.NilError(c, err)

diff --git a/integration/container/daemon_linux_test.go b/integration/container/daemon_linux_test.go
@@ -41,7 +41,7 @@ func TestContainerStartOnDaemonRestart(t *testing.T) {
  ctx := testutil.StartSpan(baseContext, t)
 
  d := daemon.New(t)
- d.StartWithBusybox(ctx, t, "--iptables=false")
+ d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
  defer d.Stop(t)
 
  c := d.NewClientT(t)
@@ -66,7 +66,7 @@ func TestContainerStartOnDaemonRestart(t *testing.T) {
  err = unix.Kill(ppid, unix.SIGKILL)
  assert.Check(t, err, "failed to kill containerd-shim")
 
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
 
  err = c.ContainerStart(ctx, cID, containertypes.StartOptions{})
  assert.Check(t, err, "failed to start test container")
@@ -95,7 +95,7 @@ func TestDaemonRestartIpcMode(t *testing.T) {
  ctx := testutil.StartSpan(baseContext, t)
 
  d := daemon.New(t)
- d.StartWithBusybox(ctx, t, "--iptables=false", "--default-ipc-mode=private")
+ d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false", "--default-ipc-mode=private")
  defer d.Stop(t)
 
  c := d.NewClientT(t)
@@ -112,7 +112,7 @@ func TestDaemonRestartIpcMode(t *testing.T) {
  assert.Check(t, is.Equal(string(inspect.HostConfig.IpcMode), "private"))
 
  // restart the daemon with shareable default ipc mode
- d.Restart(t, "--iptables=false", "--default-ipc-mode=shareable")
+ d.Restart(t, "--iptables=false", "--ip6tables=false", "--default-ipc-mode=shareable")
 
  // check the container is still having private ipc mode
  inspect, err = c.ContainerInspect(ctx, cID)
@@ -144,7 +144,7 @@ func TestDaemonHostGatewayIP(t *testing.T) {
  // Verify the IP in /etc/hosts is same as host-gateway-ip
  d := daemon.New(t)
  // Verify the IP in /etc/hosts is same as the default bridge's IP
- d.StartWithBusybox(ctx, t, "--iptables=false")
+ d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
  c := d.NewClientT(t)
  cID := container.Run(ctx, t, c,
  container.WithExtraHost("host.docker.internal:host-gateway"),
@@ -160,7 +160,7 @@ func TestDaemonHostGatewayIP(t *testing.T) {
  d.Stop(t)
 
  // Verify the IP in /etc/hosts is same as host-gateway-ip
- d.StartWithBusybox(ctx, t, "--iptables=false", "--host-gateway-ip=6.7.8.9")
+ d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false", "--host-gateway-ip=6.7.8.9")
  cID = container.Run(ctx, t, c,
  container.WithExtraHost("host.docker.internal:host-gateway"),
  )
@@ -195,7 +195,7 @@ func TestRestartDaemonWithRestartingContainer(t *testing.T) {
  d := daemon.New(t)
  defer d.Cleanup(t)
 
- d.StartWithBusybox(ctx, t, "--iptables=false")
+ d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
  defer d.Stop(t)
 
  apiClient := d.NewClientT(t)
@@ -212,7 +212,7 @@ func TestRestartDaemonWithRestartingContainer(t *testing.T) {
  c.HasBeenStartedBefore = true
  })
 
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
 
  ctxTimeout, cancel := context.WithTimeout(ctx, 30*time.Second)
  defer cancel()
@@ -241,7 +241,7 @@ func TestHardRestartWhenContainerIsRunning(t *testing.T) {
  d := daemon.New(t)
  defer d.Cleanup(t)
 
- d.StartWithBusybox(ctx, t, "--iptables=false")
+ d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
  defer d.Stop(t)
 
  apiClient := d.NewClientT(t)
@@ -261,7 +261,7 @@ func TestHardRestartWhenContainerIsRunning(t *testing.T) {
  })
  }
 
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
 
  t.Run("RestartPolicy=none", func(t *testing.T) {
  ctx := testutil.StartSpan(ctx, t)

diff --git a/integration/container/daemon_test.go b/integration/container/daemon_test.go
@@ -26,7 +26,7 @@ func TestContainerKillOnDaemonStart(t *testing.T) {
  d := daemon.New(t)
  defer d.Cleanup(t)
 
- d.StartWithBusybox(ctx, t, "--iptables=false")
+ d.StartWithBusybox(ctx, t, "--iptables=false", "--ip6tables=false")
  defer d.Stop(t)
 
  apiClient := d.NewClientT(t)
@@ -44,7 +44,7 @@ func TestContainerKillOnDaemonStart(t *testing.T) {
  assert.Assert(t, inspect.State.Running)
 
  assert.NilError(t, d.Kill())
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
 
  inspect, err = apiClient.ContainerInspect(ctx, id)
  assert.Check(t, is.Nil(err))

diff --git a/integration/container/restart_test.go b/integration/container/restart_test.go
@@ -85,7 +85,7 @@ func TestDaemonRestartKillContainers(t *testing.T) {
  d := daemon.New(t)
  apiClient := d.NewClientT(t)
 
- args := []string{"--iptables=false"}
+ args := []string{"--iptables=false", "--ip6tables=false"}
  if liveRestoreEnabled {
  args = append(args, "--live-restore")
  }

diff --git a/integration/daemon/daemon_test.go b/integration/daemon/daemon_test.go
@@ -40,7 +40,7 @@ func TestConfigDaemonID(t *testing.T) {
  d := daemon.New(t)
  defer d.Stop(t)
 
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
  info := d.Info(t)
  assert.Check(t, info.ID != "")
  d.Stop(t)
@@ -54,7 +54,7 @@ func TestConfigDaemonID(t *testing.T) {
  err := os.WriteFile(idFile, []byte(engineID), 0o644)
  assert.NilError(t, err)
 
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
  info = d.Info(t)
  assert.Equal(t, info.ID, engineID)
  d.Stop(t)
@@ -212,7 +212,7 @@ func TestDaemonProxy(t *testing.T) {
  ))
  c := d.NewClientT(t)
 
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
  defer d.Stop(t)
 
  info := d.Info(t)
@@ -248,7 +248,7 @@ func TestDaemonProxy(t *testing.T) {
  "no_proxy=ignore.invalid",
  "OTEL_EXPORTER_OTLP_ENDPOINT=", // To avoid OTEL hitting the proxy.
  ))
- d.Start(t, "--iptables=false", "--http-proxy", proxyServer.URL, "--https-proxy", proxyServer.URL, "--no-proxy", "example.com")
+ d.Start(t, "--iptables=false", "--ip6tables=false", "--http-proxy", proxyServer.URL, "--https-proxy", proxyServer.URL, "--no-proxy", "example.com")
  defer d.Stop(t)
 
  c := d.NewClientT(t)
@@ -305,7 +305,7 @@ func TestDaemonProxy(t *testing.T) {
  configJSON := fmt.Sprintf(`{"proxies":{"http-proxy":%[1]q, "https-proxy": %[1]q, "no-proxy": "example.com"}}`, proxyServer.URL)
  assert.NilError(t, os.WriteFile(configFile, []byte(configJSON), 0o644))
 
- d.Start(t, "--iptables=false", "--config-file", configFile)
+ d.Start(t, "--iptables=false", "--ip6tables=false", "--config-file", configFile)
  defer d.Stop(t)
 
  info := d.Info(t)
@@ -370,7 +370,7 @@ func TestDaemonProxy(t *testing.T) {
  d := daemon.New(t, daemon.WithEnvVars(
  "OTEL_EXPORTER_OTLP_ENDPOINT=", // To avoid OTEL hitting the proxy.
  ))
- d.Start(t, "--iptables=false", "--http-proxy", proxyRawURL, "--https-proxy", proxyRawURL, "--no-proxy", "example.com")
+ d.Start(t, "--iptables=false", "--ip6tables=false", "--http-proxy", proxyRawURL, "--https-proxy", proxyRawURL, "--no-proxy", "example.com")
  defer d.Stop(t)
  err := d.Signal(syscall.SIGHUP)
  assert.NilError(t, err)
@@ -398,7 +398,7 @@ func testLiveRestoreAutoRemove(t *testing.T) {
 
  run := func(t *testing.T) (*daemon.Daemon, func(), string) {
  d := daemon.New(t)
- d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false")
+ d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false", "--ip6tables=false")
  t.Cleanup(func() {
  d.Stop(t)
  d.Cleanup(t)
@@ -425,7 +425,7 @@ func testLiveRestoreAutoRemove(t *testing.T) {
  t.Run("engine restart shouldnt kill alive containers", func(t *testing.T) {
  d, finishContainer, cID := run(t)
 
- d.Restart(t, "--live-restore", "--iptables=false")
+ d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
  apiClient := d.NewClientT(t)
  _, err := apiClient.ContainerInspect(ctx, cID)
@@ -450,7 +450,7 @@ func testLiveRestoreAutoRemove(t *testing.T) {
  finishContainer()
  poll.WaitOn(t, process.NotAlive(pid))
 
- d.Start(t, "--live-restore", "--iptables=false")
+ d.Start(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
  poll.WaitOn(t, container.IsRemoved(ctx, apiClient, cID))
  })
@@ -461,7 +461,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
  ctx := testutil.StartSpan(baseContext, t)
 
  d := daemon.New(t)
- d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false")
+ d.StartWithBusybox(ctx, t, "--live-restore", "--iptables=false", "--ip6tables=false")
  defer func() {
  d.Stop(t)
  d.Cleanup(t)
@@ -486,7 +486,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
  defer c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
 
  // Stop the daemon
- d.Restart(t, "--live-restore", "--iptables=false")
+ d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
  // Try to remove the volume
  err = c.VolumeRemove(ctx, volName, false)
@@ -544,7 +544,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
  return poll.Success()
  })
 
- d.Restart(t, "--live-restore", "--iptables=false")
+ d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
  // Try to remove the volume
  // This should fail since its used by a container
@@ -599,7 +599,7 @@ func testLiveRestoreVolumeReferences(t *testing.T) {
  cID := container.Run(ctx, t, c, container.WithMount(m), container.WithCmd("top"))
  defer c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
 
- d.Restart(t, "--live-restore", "--iptables=false")
+ d.Restart(t, "--live-restore", "--iptables=false", "--ip6tables=false")
 
  err := c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
  assert.NilError(t, err)

diff --git a/integration/image/import_test.go b/integration/image/import_test.go
@@ -29,7 +29,7 @@ func TestImportExtremelyLargeImageWorks(t *testing.T) {
 
  // Spin up a new daemon, so that we can run this test in parallel (it's a slow test)
  d := daemon.New(t)
- d.Start(t, "--iptables=false")
+ d.Start(t, "--iptables=false", "--ip6tables=false")
  defer d.Stop(t)
 
  client := d.NewClientT(t)