
encrypted overlay is not compatible with CONFIG_XFRM_ALGO and CONFIG_XFRM_USER kernel options compiled-in #1439

Closed
realdimas opened this issue Sep 9, 2016 · 5 comments

realdimas commented Sep 9, 2016

I'm getting an error about missing IPSEC kernel modules on a system where such kernel options are statically compiled.

Steps to reproduce:

  1. Get Linux kernel with options CONFIG_XFRM_ALGO and CONFIG_XFRM_USER compiled in (such as boot2docker.iso v1.12.1)
  2. Run Docker Engine 1.12.1 in swarm mode on it
  3. Create encrypted overlay network
  4. Attempt to schedule service container on it

Expected result: container starts just fine

Actual result:

  • Container fails to start: cannot join secure network: required modules to install IPSEC rules are missing on host
  • Warning in docker.log: Could not load necessary modules for IPSEC rules: Running modprobe xfrm_user failed with message: modprobe: module xfrm_user not found in modules.dep

Seems like #1281 implemented an unconditional modprobe for xfrm_user and xfrm_algo.
This leads to false reports of lack of IPSEC kernel support on systems which had those modules compiled in.

realdimas changed the title from "encrypted overlay is not compatible with CONFIG_XFRM_ALGO and CONFIG_XFRM_USER statically enabled" to "encrypted overlay is not compatible with CONFIG_XFRM_ALGO and CONFIG_XFRM_USER kernel options compiled-in" on Sep 9, 2016

aboch (Contributor) commented Sep 9, 2016

From what I read online, modprobe should not fail when used to insert an already builtin module.
In fact, if I try it over a builtin module, I see it correctly detects it as builtin (when I attempt a remove) and it quietly succeeds if I attempt an install:

$ sudo modprobe -r crypto
modprobe: FATAL: Module crypto is builtin.
$ sudo modprobe -va crypto
$ 

If your image effectively included the two xfrm modules, then I am not sure why the probing failed.

aboch (Contributor) commented Sep 9, 2016

Maybe modprobe cannot do builtin module detection properly because of missing files in this kind of lightweight Linux image?

realdimas (Author) commented Sep 9, 2016

At least BusyBox’s modprobe returns an error for builtins:

$ modprobe -r xfrm_user; echo $?
modprobe: module xfrm_user not found in modules.dep
1
$ modprobe -va xfrm_user; echo $?
modprobe: module xfrm_user not found in modules.dep
1
$ gunzip < /proc/config.gz | grep -i xfrm_user
CONFIG_XFRM_USER=y
$ uname -a
Linux docker-machine-1 4.4.17-boot2docker #1 SMP Mon Aug 15 17:12:38 UTC 2016 x86_64 GNU/Linux
$ modprobe --help
BusyBox v1.24.2 (2016-05-16 13:28:30 UTC) multi-call binary.

Usage: modprobe [-alrqvsDb] MODULE [SYMBOL=VALUE]...

    -a  Load multiple MODULEs
    -l  List (MODULE is a pattern)
    -r  Remove MODULE (stacks) or do autoclean
    -q  Quiet
    -v  Verbose
    -s  Log to syslog
    -D  Show dependencies
    -b  Apply blacklist to module names too
$ docker info
Containers: 57
 Running: 1
 Paused: 0
 Stopped: 56
Images: 4
Server Version: 1.12.1
Storage Driver: aufs
 Root Dir: /mnt/sda1/var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 129
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: overlay bridge null host
Swarm: active
 NodeID: 5xp24h3knde47vyaqtz5pd1so
 Is Manager: true
 ClusterID: 1qa7783tpkcstnap0u00mpc7i
 Managers: 3
 Nodes: 3
 Orchestration:
  Task History Retention Limit: 5
 Raft:
  Snapshot Interval: 10000
  Heartbeat Tick: 1
  Election Tick: 3
 Dispatcher:
  Heartbeat Period: 5 seconds
 CA Configuration:
  Expiry Duration: 3 months
 Node Address: 10.11.12.13
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 4.4.17-boot2docker
Operating System: Boot2Docker 1.12.1 (TCL 7.2); HEAD : ef7d0b4 - Thu Aug 18 21:18:06 UTC 2016
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.955 GiB
Name: docker-machine-1
ID: 6OZ3:QSJW:RATP:77ZQ:XTAR:WGGO:7MXG:YPHG:W356:MTRH:OFHZ:B4BU
Docker Root Dir: /mnt/sda1/var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: 48
 Goroutines: 124
 System Time: 2016-09-09T01:41:31.422547758Z
 EventsListeners: 1
Registry: https://index.docker.io/v1/
Labels:
 provider=vmwarevsphere
Insecure Registries:
 127.0.0.0/8

justincormack (Contributor) commented

I think assuming modprobe failing is unreliable - the kernel may not even have modules. I get

modprobe -va crypto
modprobe: module crypto not found in modules.dep
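The thread shows why a modprobe exit status is a poor test for IPsec support: BusyBox modprobe reports builtins as "not found", and a kernel may ship no modules.dep at all. Below is an added example (not libnetwork code, not from any commenter) that treats modprobe as only one signal and also consults the two sources the kernel itself provides, modules.builtin and the gunzipped /proc/config.gz that realdimas grepped above; the sample listings in main are constructed, and the module-to-CONFIG pairing is the one named in this issue.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"path/filepath"
	"sort"
	"strings"
)

// Modules the encrypted overlay probes for, paired with their kernel config options.
var xfrmOptions = map[string]string{"xfrm_user": "CONFIG_XFRM_USER", "xfrm_algo": "CONFIG_XFRM_ALGO"}

// nameSet collects names from a line-oriented kernel listing, keeping only lines
// that end in suffix and stripping any directory part plus the suffix itself.
// Use ".ko" on /lib/modules/$(uname -r)/modules.builtin ("kernel/net/xfrm/xfrm_user.ko")
// and "=y" on the gunzipped /proc/config.gz ("CONFIG_XFRM_USER=y"; "=m" is not builtin).
func nameSet(r io.Reader, suffix string) map[string]bool {
	out := map[string]bool{}
	for sc := bufio.NewScanner(r); sc.Scan(); {
		base := filepath.Base(strings.TrimSpace(sc.Text()))
		if strings.HasSuffix(base, suffix) {
			out[strings.TrimSuffix(base, suffix)] = true
		}
	}
	return out
}

// missingXfrm returns the required modules that are neither built in (per either
// listing) nor loadable. loadable wraps modprobe; its failure alone proves nothing,
// which is exactly the false negative reported in this issue.
func missingXfrm(builtin, config map[string]bool, loadable func(string) bool) []string {
	var missing []string
	for mod, opt := range xfrmOptions {
		if !builtin[mod] && !config[opt] && !loadable(mod) {
			missing = append(missing, mod)
		}
	}
	sort.Strings(missing) // deterministic order for logs and tests
	return missing
}

func main() {
	// Constructed sample mirroring boot2docker: both options =y, modprobe fails.
	builtin := nameSet(strings.NewReader("kernel/net/xfrm/xfrm_algo.ko\nkernel/net/xfrm/xfrm_user.ko\n"), ".ko")
	config := nameSet(strings.NewReader("CONFIG_XFRM_USER=y\nCONFIG_XFRM_ALGO=y\n"), "=y")
	modprobeFails := func(string) bool { return false }
	fmt.Println("missing:", missingXfrm(builtin, config, modprobeFails)) // prints "missing: []"
}
```

Only when all three sources say no should the daemon refuse to join the secure network; a kernel built without CONFIG_IKCONFIG_PROC simply yields an empty config set and falls through to the other two checks.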

justincormack (Contributor) commented

Also it does not appear that all the modules needed for ipsec are in the docker check-config shell script.
