diff --git a/24/dind/dockerd-entrypoint.sh b/24/dind/dockerd-entrypoint.sh
index 26e78ad96..e610ccaf5 100755
--- a/24/dind/dockerd-entrypoint.sh
+++ b/24/dind/dockerd-entrypoint.sh
@@ -144,7 +144,15 @@ if [ "$1" = 'dockerd' ]; then
 set -- docker-init -- "$@"
 iptablesLegacy=
- if [ -s /proc/net/ip_tables_names ] || [ -s /proc/net/ip6_tables_names ] || [ -s /proc/net/arp_tables_names ]; then
+ if [ -n "${DOCKER_IPTABLES_LEGACY+x}" ]; then
+ # let users choose explicitly to legacy or not to legacy
+ iptablesLegacy="$DOCKER_IPTABLES_LEGACY"
+ if [ -n "$iptablesLegacy" ]; then
+ modprobe ip_tables || :
+ else
+ modprobe nf_tables || :
+ fi
+ elif [ -s /proc/net/ip_tables_names ] || [ -s /proc/net/ip6_tables_names ] || [ -s /proc/net/arp_tables_names ]; then
 # https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?id=f5cf76626d95d2c491a80288bccc160c53b44e88#n420
 # if we already have any "legacy" iptables rules, we should always use legacy (https://github.com/docker-library/docker/pull/468#discussion_r1430804593)
 iptablesLegacy=1
@@ -166,6 +174,7 @@ if [ "$1" = 'dockerd' ]; then
 # see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
 export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
 fi
+ iptables --version # so users can see whether it's legacy or not
 uid="$(id -u)"
 if [ "$uid" != '0' ]; then
diff --git a/25-rc/dind/dockerd-entrypoint.sh b/25-rc/dind/dockerd-entrypoint.sh
index 26e78ad96..e610ccaf5 100755
--- a/25-rc/dind/dockerd-entrypoint.sh
+++ b/25-rc/dind/dockerd-entrypoint.sh
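Review bot: The new `DOCKER_IPTABLES_LEGACY` branch treats any non-empty value as "use legacy", so `DOCKER_IPTABLES_LEGACY=0` or `DOCKER_IPTABLES_LEGACY=false` silently selects legacy iptables and only an explicitly empty value forces nftables, which the comment `# let users choose explicitly to legacy or not to legacy` does not convey. I would replace that comment with `# DOCKER_IPTABLES_LEGACY: any non-empty value (even "0" or "false") forces legacy iptables; an explicitly empty value forces nftables; unset means auto-detect below`. The `modprobe ip_tables || :` / `modprobe nf_tables || :` calls also discard failures, so the `iptables --version` line added in the second hunk is the only visible evidence of which backend was actually selected; its trailing comment could say so, e.g. `# printed so users can verify which backend (legacy/nft) was selected, since modprobe failures above are ignored`. The identical hunks in 25-rc/dind/dockerd-entrypoint.sh and dockerd-entrypoint.sh need the same wording. The enclosing `if [ "$1" = 'dockerd' ]` block and the remaining detection branches lie outside the hunk.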
@@ -144,7 +144,15 @@ if [ "$1" = 'dockerd' ]; then
 set -- docker-init -- "$@"
 iptablesLegacy=
- if [ -s /proc/net/ip_tables_names ] || [ -s /proc/net/ip6_tables_names ] || [ -s /proc/net/arp_tables_names ]; then
+ if [ -n "${DOCKER_IPTABLES_LEGACY+x}" ]; then
+ # let users choose explicitly to legacy or not to legacy
+ iptablesLegacy="$DOCKER_IPTABLES_LEGACY"
+ if [ -n "$iptablesLegacy" ]; then
+ modprobe ip_tables || :
+ else
+ modprobe nf_tables || :
+ fi
+ elif [ -s /proc/net/ip_tables_names ] || [ -s /proc/net/ip6_tables_names ] || [ -s /proc/net/arp_tables_names ]; then
 # https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?id=f5cf76626d95d2c491a80288bccc160c53b44e88#n420
 # if we already have any "legacy" iptables rules, we should always use legacy (https://github.com/docker-library/docker/pull/468#discussion_r1430804593)
 iptablesLegacy=1
@@ -166,6 +174,7 @@ if [ "$1" = 'dockerd' ]; then
 # see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
 export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
 fi
+ iptables --version # so users can see whether it's legacy or not
 uid="$(id -u)"
 if [ "$uid" != '0' ]; then
diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
index 26e78ad96..e610ccaf5 100755
--- a/dockerd-entrypoint.sh
+++ b/dockerd-entrypoint.sh
@@ -144,7 +144,15 @@ if [ "$1" = 'dockerd' ]; then
 set -- docker-init -- "$@"
 iptablesLegacy=
- if [ -s /proc/net/ip_tables_names ] || [ -s /proc/net/ip6_tables_names ] || [ -s /proc/net/arp_tables_names ]; then
+ if [ -n "${DOCKER_IPTABLES_LEGACY+x}" ]; then
+ # let users choose explicitly to legacy or not to legacy
+ iptablesLegacy="$DOCKER_IPTABLES_LEGACY"
+ if [ -n "$iptablesLegacy" ]; then
+ modprobe ip_tables || :
+ else
+ modprobe nf_tables || :
+ fi
+ elif [ -s /proc/net/ip_tables_names ] || [ -s /proc/net/ip6_tables_names ] || [ -s /proc/net/arp_tables_names ]; then
 # https://git.netfilter.org/iptables/tree/iptables/nft-shared.c?id=f5cf76626d95d2c491a80288bccc160c53b44e88#n420
 # if we already have any "legacy" iptables rules, we should always use legacy (https://github.com/docker-library/docker/pull/468#discussion_r1430804593)
 iptablesLegacy=1
@@ -166,6 +174,7 @@ if [ "$1" = 'dockerd' ]; then
 # see https://github.com/docker-library/docker/issues/463 (and the dind Dockerfile where this directory is set up)
 export PATH="/usr/local/sbin/.iptables-legacy:$PATH"
 fi
+ iptables --version # so users can see whether it's legacy or not
 uid="$(id -u)"
 if [ "$uid" != '0' ]; then