#v0.11.7 stopped working with iptables in legacy mode


clear hound
#

Hey folks,

I just tried upgrading my Dagger playground to v0.11.7 and ran into an interesting issue with dagger init hanging indefinitely:

$ docker ps -a
CONTAINER ID   IMAGE                               COMMAND                  CREATED          STATUS                         PORTS     NAMES
5fe9bffc797e   registry.dagger.io/engine:v0.11.7   "dagger-entrypoint.s…"   17 seconds ago   Restarting (1) 2 seconds ago

A brief investigation showed that the engine container is in a crash loop because the iptables command fails:

...
dnsmasq[35]: using nameserver 1.1.1.1#53
dnsmasq[35]: using only locally-known addresses for dagger.local
dnsmasq[35]: read /etc/hosts - 18 names
dnsmasq[35]: read /var/run/containers/cni/dnsname/dagger/addnhosts - 0 names
time="2024-06-15T14:00:52Z" level=info msg="auto snapshotter: using overlayfs"
time="2024-06-15T14:00:52Z" level=warning msg="failed to release network namespace \"akq0o8xxuugnzhyux411vqg56\" left over from previous run: plugin type=\"loopback\" failed (delete): unknown FS magic on \"/var/lib/dagger/net/cni/akq0o8xxuugnzhyux411vqg56\": ef53"
time="2024-06-15T14:00:52Z" level=debug msg="shutting down otel pub/sub"
time="2024-06-15T14:00:52Z" level=debug msg="shutting down otel pub/sub"
buildkitd: failed to create worker: failed to create network providers: CNI setup error: plugin type="bridge" failed (add): running [/sbin/iptables -t nat -A POSTROUTING -s 10.87.0.11 -j CNI-fb0ef6dbec94aecf623cd11e -m comment --comment name: "dagger" id: "eeyq02izuj1a98shgcga38wwo" --wait]: exit status 4: iptables v1.8.10 (nf_tables):  CHAIN_ADD failed (Not supported): chain POSTROUTING

The host is a freshly upgraded Ubuntu 22.04 with iptables in legacy mode (and a custom kernel build 🙈):

$ iptables --version
iptables v1.8.7 (legacy)

You can easily repro it here https://labs.iximiuz.com/playgrounds/dagger - just upgrade the currently installed v0.11.6 to the latest v0.11.7.


hazy pollen
#

hey @clear hound! Looks like the environment has a particular configuration of kernel + OS version

#

I see that /etc/debian_version shows bookworm/sid but apt packages seem to be from ubuntu/jammy

#

on top of that, kernel version shows 5.10 when bookworm should have 6.1 by default?

#

I have debian bookworm stable on my machine and I'm not running into any issues

clear hound
#
$ docker run ubuntu:22.04 cat /etc/debian_version
bookworm/sid

🙂

#

Honestly, idk why the ubuntu image has this file 🙂 But it doesn't really matter. Something changed in 0.11.7 that made it use the nf_tables version of iptables.

hazy pollen
#

my impression is that it might be a combination of newer buildkit CNI version with the environment specific config

clear hound
#

The "problem" with my environment is that it doesn't support nf_tables

#

I don't know how many environments out there still default to the legacy version of iptables. But docker and vanilla containerd still seem to support this mode - just tried with the fresh versions.

hazy pollen
#

thx for reporting

clear hound
#

Also, just tried building an image with nerdctl (hence, buildkit), and it also works with the legacy version 🙂

hazy pollen
#

yes, the thing is nerdctl and docker don't use buildkit's CNI feature

#

that's why you're very likely not seeing the error there

clear hound
#

Please let me know if you decide to support only the nf_tables mode - I'll finally have a good excuse to reconfigure the kernel and maybe even bump up the version 🙂

hazy pollen
#

I don't think that's the case since it'll very likely break for a lot of users

#

I think the issue might be that we bumped buildkit's default alpine image which might have changed the iptables version

clear hound
#

cat: can't open '/etc/alpine_release': No such file or directory
root@docker:~# docker run --rm --entrypoint /bin/sh registry.dagger.io/engine:v0.11.6 -c "cat /etc/alpine-release"
3.18.6
root@docker:~# docker run --rm --entrypoint /bin/sh registry.dagger.io/engine:v0.11.6 -c "cat /etc/alpine-release && iptables --version"
3.18.6
iptables v1.8.9 (legacy)
root@docker:~# docker run --rm --entrypoint /bin/sh registry.dagger.io/engine:v0.11.7 -c "cat /etc/alpine-release && iptables --version"
3.20.0
iptables v1.8.10 (nf_tables)

hazy pollen
#

yep, that's the case

#

will open a fix in a bit 🙏

clear hound
#

Could you tag me on the GH issue? I'll keep an eye on it and upgrade the dagger playground as soon as the fix is released

hazy pollen
#

will do. Thx again for reporting 🙏

clear hound
#

Thanks for a great tool! And for the quick reply 🙂

#

Speaking of the fix, I remember there was a lengthy discussion in https://github.com/kubernetes/kubernetes/ on a very similar issue. Something along the lines of what kube-proxy should do if its iptables version differs from the host's version.

#

IIRC, the TL;DR is that it's not a trivial choice 🙂

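Added after the thread, and not code from Dagger or from either participant: a small POSIX sh helper that makes the check done above repeatable. It classifies the output of iptables --version as legacy or nf_tables, compares the host's backend with the one inside the engine image, and recognises the CHAIN_ADD failure that the engine log shows when an nf_tables iptables meets a kernel without nf_tables support. The version strings and the log line are the ones posted in the thread (the log line is abbreviated), and the image name is the thread's registry.dagger.io/engine:v0.11.7; the --live mode, which actually runs iptables on the host and docker run against the image, is this example's own assumption about how to wire the check up on the playground host.

```shell
#!/bin/sh
# Added example (not Dagger's code): compare the iptables backend used on the
# host with the one shipped inside a container image, and recognise the CNI
# failure this mismatch produced in the thread above.

# Print the backend an `iptables --version` line reports: legacy | nf_tables | unknown
iptables_mode() {
  case "$1" in
    *'(legacy)'*)    echo legacy ;;
    *'(nf_tables)'*) echo nf_tables ;;
    *)               echo unknown ;;
  esac
}

# Print the version number from an `iptables --version` line (e.g. 1.8.10)
iptables_version() {
  printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# Compare host and container backends.
# Returns 0 when both use the same backend, 1 on a mismatch, 2 if undetermined.
# A mismatch is not always fatal (a legacy host whose kernel still has
# nf_tables compiled in will work), but it is exactly the situation behind
# this thread and behind the kube-proxy discussion mentioned at its end.
check_compat() {
  host_mode=$(iptables_mode "$1")
  ctr_mode=$(iptables_mode "$2")
  if [ "$host_mode" = unknown ] || [ "$ctr_mode" = unknown ]; then
    echo "undetermined: host=$host_mode container=$ctr_mode"
    return 2
  fi
  if [ "$host_mode" = "$ctr_mode" ]; then
    echo "ok: host and container both use $host_mode iptables"
    return 0
  fi
  echo "mismatch: host uses $host_mode, container uses $ctr_mode"
  return 1
}

# Return 0 if engine log text carries the signature seen in the thread:
# an nf_tables iptables failing to add a chain on a kernel without nf_tables.
log_shows_nft_unsupported() {
  printf '%s\n' "$1" | grep -q 'iptables v[0-9.]* (nf_tables).*CHAIN_ADD failed (Not supported)'
}

# Live check (assumption: run on the Docker host). Uses the same container
# invocation as the thread. Only executed when the script is called with --live.
live_check() {
  image="${1:-registry.dagger.io/engine:v0.11.7}"
  host_out=$(iptables --version 2>/dev/null || true)
  ctr_out=$(docker run --rm --entrypoint /bin/sh "$image" -c 'iptables --version' 2>/dev/null || true)
  check_compat "$host_out" "$ctr_out"
}

# Offline demonstration with strings taken from the thread (log line abbreviated).
HOST_VER='iptables v1.8.7 (legacy)'
ENGINE_0116_VER='iptables v1.8.9 (legacy)'
ENGINE_0117_VER='iptables v1.8.10 (nf_tables)'
ENGINE_LOG='buildkitd: failed to create worker: ... exit status 4: iptables v1.8.10 (nf_tables):  CHAIN_ADD failed (Not supported): chain POSTROUTING'

if [ "${1:-}" = --live ]; then
  live_check "${2:-}"
else
  check_compat "$HOST_VER" "$ENGINE_0116_VER" || true   # ok
  check_compat "$HOST_VER" "$ENGINE_0117_VER" || true   # mismatch
  if log_shows_nft_unsupported "$ENGINE_LOG"; then
    echo "engine log matches the nf_tables-on-legacy-kernel failure"
  fi
fi
```

Run it without arguments to see the offline comparison of the two engine versions against the host string from the thread; run it as sh check.sh --live [image] on the playground host to compare the real host iptables with the one inside the engine image. The backend reported by iptables --version is only a proxy for what the kernel supports: nf_tables on the host proves the kernel has it, while legacy on the host leaves the question open, so a mismatch is reported as a warning rather than a verdict.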