
iptables-nft not supported in qemu-aarch64-static #191

Open
AndyEWang opened this issue Apr 23, 2023 · 6 comments

Comments

@AndyEWang

AndyEWang commented Apr 23, 2023

Is this a bug report, feature (enhancement) request or question? (leave only one on its own line)
/kind enhancement

Description:
Running cmd iptables-nft shows "nft: Protocol not supported" in the container using arm64 alpine with qemu-aarch64-static.

/ # /sbin/iptables-nft --version
iptables: Failed to initialize nft: Protocol not supported
/ # ls -l /sbin/iptables-nft
lrwxrwxrwx    1 root     root            17 Apr 23 05:39 /sbin/iptables-nft -> xtables-nft-multi

Steps to reproduce the issue:

  1. using CentOS Linux release 7.8.2003 (Core)

  2. docker run --rm --privileged multiarch/qemu-user-static --reset

  3. docker run --rm -it -v "/usr/bin/qemu-aarch64-static:/usr/bin/qemu-aarch64-static" alpine:3.17.3 sh

  4. apk add iptables

  5. /sbin/iptables-nft --version

Describe the results you received:
/ # /sbin/iptables-nft --version
iptables: Failed to initialize nft: Protocol not supported

Describe the results you expected:
Should be the same output as alpine linux/amd64.
/ # iptables-nft --version
iptables v1.8.8 (nf_tables)

Environment:
CentOS Linux release 7.8.2003 (Core)

  • QEMU version: (if you can know it):
  • Container application: Docker

Output of docker version

Client: Docker Engine - Community
 Version:           20.10.22
 API version:       1.41
 Go version:        go1.18.9
 Git commit:        3a2c30b
 Built:             Thu Dec 15 22:30:24 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.22
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.9
  Git commit:       42c8b31
  Built:            Thu Dec 15 22:28:33 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.14
  GitCommit:        9ba4b250366a5ddde94bb7c9d1def331423aa323
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
@konjas

konjas commented Jun 30, 2023

Same issue with RPM-based containers.

For example, fedora:36 docker image running on:

  • Debian 12 / Linux 6.1.0-9-amd64
  • Docker version 20.10.24+dfsg1, build 297e128
  • qemu-aarch64 version 7.2.2 (Debian 1:7.2+dfsg-7)

@zandercodes

You can't use iptables in qemu if you use a different architecture than the one from the host.

@AndyEWang

@zandercodes Thanks for your reply. Does qemu-aarch64-static plan to support it?

@zandercodes

zandercodes commented Sep 6, 2023

@zandercodes Thanks for your reply. Does qemu-aarch64-static plan to support it?

You can try docker run --rm --privileged multiarch/qemu-user-static --reset -p yes and docker run --rm -it arm64v8/alpine:3.17.3 sh

root@ZanderCodes ~ # docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it arm64v8/alpine:3.17.3 sh
WARNING: The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v3) and no specific platform was requested
/ # apk add iptables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/aarch64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/aarch64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.5-r0)
(2/3) Installing libnftnl (1.2.4-r0)
(3/3) Installing iptables (1.8.8-r2)
Executing busybox-1.35.0-r29.trigger
OK: 15 MiB in 18 packages
/ # /sbin/iptables-nft -v
iptables: Failed to initialize nft: Protocol not supported
/ # /sbin/iptables -v
iptables v1.8.8 (legacy): no command specified
Try `iptables -h' or 'iptables --help' for more information.
/ #

With emulation it is not working.
Without emulation it works.

root@ZanderCodes ~ # docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it alpine:3.17.3 sh
Unable to find image 'alpine:3.17.3' locally
3.17.3: Pulling from library/alpine
f56be85fc22e: Already exists
Digest: sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
Status: Downloaded newer image for alpine:3.17.3
/ # apk add iptables
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.5-r0)
(2/3) Installing libnftnl (1.2.4-r0)
(3/3) Installing iptables (1.8.8-r2)
Executing busybox-1.35.0-r29.trigger
OK: 9 MiB in 18 packages
/ # /sbin/iptables-nft -v
iptables v1.8.8 (nf_tables): no command specified
Try `iptables -h' or 'iptables --help' for more information.
/ #
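
The two sessions above show the practical split: under qemu-user-static emulation iptables-nft fails at initialisation, while iptables-legacy still starts; natively both work. A container entrypoint or test harness can probe for this instead of assuming the nf_tables backend, which also covers the reproduction steps in the opening post. The script below is an added example, not code from the qemu-user-static project or from any participant in this thread; the function names are hypothetical, and the strings it matches are the outputs quoted in this issue.

```shell
#!/bin/sh
# Added example (not from the qemu-user-static project or the issue author):
# choose a usable iptables front end inside a container that may be running
# under qemu-user-static, where the nf_tables backend fails with
# "Failed to initialize nft: Protocol not supported" but the legacy backend
# still starts. Function names are hypothetical; the matched strings are
# the outputs quoted in the issue.

# classify_iptables_output OUTPUT EXIT_STATUS
# Prints one of:
#   nft            the nf_tables backend initialised and printed its version
#   legacy-needed  nft could not open its netlink socket (the emulation case)
#   unknown        anything else (binary missing, unexpected output)
classify_iptables_output() {
    out=$1
    rc=$2
    case "$out" in
        *"Failed to initialize nft"*)
            echo legacy-needed
            return 0 ;;
    esac
    case "$out" in
        *"(nf_tables)"*)
            if [ "$rc" -eq 0 ]; then
                echo nft
                return 0
            fi ;;
    esac
    echo unknown
    return 0
}

# probe_backend CMD
# Runs "CMD --version", captures stdout+stderr and the exit status, and
# classifies the result. CMD may be a binary or a shell function (the
# latter is what the test harness uses, since it has no iptables).
probe_backend() {
    cmd=${1:-iptables-nft}
    out=$("$cmd" --version 2>&1) && rc=0 || rc=$?
    classify_iptables_output "$out" "$rc"
}

# select_iptables [NFT_CMD] [LEGACY_CMD]
# Prints the front end to use. Falls back to the legacy backend only when
# the nft probe reports the netlink failure, and returns 1 when neither
# backend can be confirmed, so a caller never silently manages rules with
# a tool that cannot talk to the kernel.
select_iptables() {
    nft_cmd=${1:-iptables-nft}
    legacy_cmd=${2:-iptables-legacy}
    case "$(probe_backend "$nft_cmd")" in
        nft)
            echo "$nft_cmd"
            return 0 ;;
        legacy-needed)
            # Confirm the legacy binary at least starts before recommending it.
            if "$legacy_cmd" --version >/dev/null 2>&1; then
                echo "$legacy_cmd"
                return 0
            fi ;;
    esac
    return 1
}

# Usage (hypothetical file name):
#   . ./select_iptables.sh && IPT=$(select_iptables) && "$IPT" -L
```

`--version` is enough as a probe because, as the sessions show, the nft front end fails while initialising, before any rule is touched. Whatever backend is selected still needs the capabilities used in the sessions above (`--cap-add=NET_ADMIN --cap-add=NET_RAW`) for real rule changes, and a non-zero exit from `select_iptables` is the signal a CI job should fail on rather than skip, so that the gap the kuma and cisagov commits below describe stays visible.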

@AndyEWang

@zandercodes Actually, we want your first case to work. So we cannot rely on qemu-aarch64-static to run an arm64 alpine container on an amd64 host, right? I mean qemu-aarch64-static cannot simulate iptables inside an arm64 container on the amd64 host.

@hasan4791

Same here on M1 mac with toolbox running x86 container on qemu-user-static-x86

[root@toolbox ~]# iptables-nft -L
iptables: Failed to initialize nft: Protocol not supported
⬢[root@toolbox ~]# 

Surprisingly everything works fine with rosetta.

lahabana added a commit to lahabana/kuma that referenced this issue Mar 5, 2024
When using nftables based iptables it fails on arm64
because of multiarch/qemu-user-static#191

Signed-off-by: Charly Molter <charly.molter@konghq.com>
lahabana added a commit to kumahq/kuma that referenced this issue Mar 5, 2024
When using nftables based iptables it fails on arm64
because of multiarch/qemu-user-static#191

Signed-off-by: Charly Molter <charly.molter@konghq.com>
jsf9k added a commit to cisagov/ansible-role-ufw that referenced this issue Jun 11, 2024
We cannot currently test _any_ ARM64 platforms under qemu because qemu
cannot currently support iptables.  See multiarch/qemu-user-static#191
for more details.
jsf9k added a commit to cisagov/ansible-role-openvpn that referenced this issue Jun 11, 2024
We cannot currently test _any_ ARM64 platforms under qemu because qemu
cannot currently support iptables.  See multiarch/qemu-user-static#191
for more details.
jsf9k added a commit to cisagov/ansible-role-guacamole that referenced this issue Jun 11, 2024
We cannot currently test _any_ ARM64 platforms under qemu because qemu
cannot currently support iptables.  See multiarch/qemu-user-static#191
for more details.

This is because this role actually starts the Docker service before
pre-downloading some Docker images, and starting the Docker service
requires some interaction with iptables.
4 participants