Package: docker.io
Version: 18.09.1+dfsg1-5+b10
Followup-For: Bug #921600

Bugs like these are very very disappointing. Our users are going to be
left out scratching heads and pulling hairs.

I'm not sure who to vent out the frustration on. docker has its own
iptables setup, the legacy one. So, for docker, they'd simply recommend
to stick to it.

iptables, by itself, has switched to the new nftables. And thus has
Debian. And thus has users like us, who migrated to the new setup. So,
here the recommendation would be to stick with nftables.

Mix and match of legacy and current nft tables is highly discouraged in
the kernel.

I think the best bare minimum recommended solution is to have an
external interface (without the Docker networking bling) and tell docker
just to use it as its path.

In my case, my custom bridge (sysbr0) is the interface to which
everyone has to talk: VBox, Libvirt, nspawn and now docker. That way
I can consolidate policies, fixes and whatnot at just a single
location.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages docker.io depends on:
ii  adduser             3.118
ii  iptables            1.8.2-4
ii  libc6               2.28-8
ii  libdevmapper1.02.1  2:1.02.155-2
ii  libltdl7            2.4.6-9
ii  libnspr4            2:4.20-1
ii  libnss3             2:3.42.1-1
ii  libseccomp2         2.3.3-4
ii  libsystemd0         241-3
ii  lsb-base            10.2019031300
ii  runc                1.0.0~rc6+dfsg1-3
ii  tini                0.18.0-1

Versions of packages docker.io recommends:
ii  ca-certificates  20190110
ii  cgroupfs-mount   1.4
ii  git              1:2.20.1-2
ii  needrestart      3.4-1
ii  xz-utils         5.2.4-1

Versions of packages docker.io suggests:
pn  aufs-tools           <none>
ii  btrfs-progs          4.20.1-2
ii  debootstrap          1.0.114
ii  docker-doc           18.09.1+dfsg1-5
ii  e2fsprogs            1.44.5-1
pn  rinse                <none>
ii  xfsprogs             4.20.0-1
pn  zfs-fuse | zfsutils  <none>

-- no debconf information
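
A check for the mixed legacy/nft state discussed in this follow-up, as an added example that is not part of the bug report or of Docker's or Debian's own tooling. The function names and the two sample dumps are constructed for illustration; the live check assumes the `iptables-legacy-save` and `iptables-nft-save` commands shipped with iptables 1.8 and needs root.

```shell
#!/bin/sh
# Count rule lines ("-A ...") in iptables-save formatted text on stdin.
# grep -c exits non-zero on zero matches, so mask that status.
count_rules() {
    grep -c '^-A ' || true
}

# Classify a host from the rule counts of the legacy and nft backends.
classify_backends() {
    legacy=$1 nft=$2
    if [ "$legacy" -gt 0 ] && [ "$nft" -gt 0 ]; then echo mixed
    elif [ "$legacy" -gt 0 ]; then echo legacy-only
    elif [ "$nft" -gt 0 ]; then echo nft-only
    else echo empty
    fi
}

# Constructed sample: rules a container engine wrote via the legacy backend.
sample_legacy() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: an admin rule loaded through the nft backend.
sample_nft() { cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i sysbr0 -j ACCEPT
COMMIT
EOF
}

# Live check (run as root): dump both backends and classify the result.
check_live() {
    l=$(iptables-legacy-save 2>/dev/null | count_rules)
    n=$(iptables-nft-save 2>/dev/null | count_rules)
    classify_backends "$l" "$n"
}

# Demo on the constructed samples; both backends hold rules here.
classify_backends "$(sample_legacy | count_rules)" "$(sample_nft | count_rules)"
```

A result of `mixed` from `check_live` means rules are loaded through both backends, so a policy reviewed with one tool does not show the rules installed through the other.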
