libnetwork/drivers/overlay: only program xt_bpf rules #45281
Conversation
LGTM, with one comment nit.
Drop support for platforms which only have xt_u32 but not xt_bpf. No attempt is made to clean up old xt_u32 iptables rules left over from a previous daemon instance.

Signed-off-by: Cory Snider <csnider@mirantis.com>
Is there any Linux distribution that doesn't ship xt_bpf yet?

It's present in RHEL 7.9's 3.10; since it's a default netfilter extension, it's more a matter of "are there platforms that deliberately exclude this module, and do we care about them?" It would be good to get some more confirmation of availability before merge, across the platforms that Docker CE and Mirantis Container Runtime support.

Does that exclude RHEL 7.8 and below? From a "docker ce" perspective, we always considered CentOS to be a "rolling release" (so effectively only "latest" 7, 8, 9 are actual releases). That said, I frequently encounter users that may have "upgraded" their install... except for the kernel 🙈, or running older versions as a "free" alternative to match their RHEL servers. IBM also builds binaries of Docker CE (which we publish on download.docker.com), which includes RHEL packages for s390x (CentOS does not support that architecture, but RHEL does). For my understanding (and if older 7.x versions do not support this), what is the effect of this patch for those platforms? (And how does it surface to the user?)

We haven't confirmed below 7.9 because we do not currently support those platforms; I agree that 'latest' is the gold standard, and by that standard, we do support CentOS 7. Still, it could be interesting/reassuring to characterize presence in older CentOS/RHEL 7 kernels.

/lib/modules/3.10.0-123.el7.x86_64/kernel/net/netfilter/xt_bpf.ko
LGTM
LGTM, thanks for checking kernel support!

Drop support for platforms which only have xt_u32 but not xt_bpf. No attempt is made to clean up old xt_u32 iptables rules left over from a previous daemon instance.

- What I did
- How I did it
- How to verify it
- Description for the changelog: xt_bpf kernel module is now required to use encrypted overlay networks
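A host-side preflight check for the two points raised in this thread (is xt_bpf available for the running kernel, and are stale xt_u32 rules from an older daemon still present), added here as an example; it is not code from the PR or from moby. The module-tree layout and the iptables-save excerpt it inspects are assumptions, and the u32/bpf expressions in the sample are placeholders, not the rules the overlay driver actually installs.

```shell
#!/bin/sh
# Added example, not part of the PR or of moby: preflight checks for a host
# before upgrading to a daemon that programs only xt_bpf rules.

# has_xt_bpf KERNEL_RELEASE [MODULE_ROOT]
# Succeeds when xt_bpf is available for that kernel, either as a loadable
# module (plain or compressed .ko) or built in (listed in modules.builtin).
# MODULE_ROOT defaults to /lib/modules; pass another path to inspect a
# mounted root or a staged module tree.
has_xt_bpf() {
    kver=$1
    root=${2:-/lib/modules}
    for f in "$root/$kver/kernel/net/netfilter/xt_bpf.ko" \
             "$root/$kver/kernel/net/netfilter/xt_bpf.ko.xz" \
             "$root/$kver/kernel/net/netfilter/xt_bpf.ko.gz" \
             "$root/$kver/kernel/net/netfilter/xt_bpf.ko.zst"; do
        [ -f "$f" ] && return 0
    done
    [ -f "$root/$kver/modules.builtin" ] &&
        grep -q 'net/netfilter/xt_bpf\.ko$' "$root/$kver/modules.builtin" &&
        return 0
    return 1
}

# count_u32_rules: reads iptables-save output on stdin and prints how many
# rules still use the u32 match. The new daemon does not remove these, so a
# non-zero count after the upgrade means rules from the old daemon remain.
count_u32_rules() {
    grep -c -- ' -m u32 ' || true
}

# Constructed iptables-save excerpt (assumed format); the u32 expression and
# bpf bytecode are placeholders, not what the overlay driver really installs.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100" -j DROP
-A INPUT -p udp -m udp --dport 4789 -m bpf --bytecode "1,6 0 0 0" -j DROP
COMMIT'

# Report for the running kernel; informational when run on a real host.
if has_xt_bpf "$(uname -r)"; then
    echo "xt_bpf available for $(uname -r)"
else
    echo "xt_bpf NOT found for $(uname -r): encrypted overlay networks need it"
fi
echo "stale u32 rules in sample: $(printf '%s\n' "$SAMPLE_RULES" | count_u32_rules)"
```

On a live host, replace the sample with `iptables-save | count_u32_rules` to count leftover rules after the upgrade.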