Dev container: try to load kernel module ip6_tables

On an nftables host, the ip6_tables kernel module may not be loaded, but it needs to be for dockerd to run (with ip6tables now enabled by default). If ip6tables doesn't work, try the dind official image's trick for loading the module using "ip link show". Signed-off-by: Rob Murray <rob.murray@docker.com>
2026-01-11 18:51:37 +00:00 · 2024-06-12 14:01:42 +01:00
parent 4fec999c11
commit 44d00e3b9b
1 changed files with 13 additions and 0 deletions
--- a/hack/make/run
+++ b/hack/make/run
@@ -91,6 +91,19 @@ if [ -n "$DOCKER_ROOTLESS" ]; then
 	)
 fi

+# On a host using nftables, the ip6_tables kernel module may need to be loaded.
+# This trick is borrowed from the docker (dind) official image ...
+# "modprobe" without modprobe
+#   https://twitter.com/lucabruno/status/902934379835662336
+# This isn't 100% fool-proof, but it'll have a much higher success rate than
+# simply using the "real" modprobe (which isn't installed in the dev container).
+if ! ip6tables -nL > /dev/null 2>&1; then
+	ip link show ip6_tables > /dev/null 2>&1 || true
+	if ! ip6tables -nL > /dev/null 2>&1; then
+		echo >&2 'ip6tables is not available'
+	fi
+fi
+
 set -x
 # shellcheck disable=SC2086
 exec "${dockerd[@]}" "${args[@]}"