Load ip_tables modules at boot

Rootless users cannot load the ip_tables module, in fedora 36 this module is no longer loaded by default so we have to add it manually. This is needed because rootless network setup tries to use iptables and if iptables-legacy is used instead of iptables-nft it will fail. To provide a better user experience we will load the module at boot. Note that this is not needed for RHEL because iptables-legacy is not supported on RHEL 8 and newer. [NO NEW TESTS NEEDED] Fixes #12661 Signed-off-by: Paul Holzinger <pholzing@redhat.com>
2022-02-23 15:34:41 +01:00 · 2022-02-23 15:34:41 +01:00 · eab5a4cfb7
parent 8b2432422f
commit eab5a4cfb7
3 changed files with 17 additions and 0 deletions
--- a/6
+++ b/6
@ -44,6 +44,7 @@ MANDIR ?= ${PREFIX}/share/man
 SHAREDIR_CONTAINERS ?= ${PREFIX}/share/containers
 ETCDIR ?= ${PREFIX}/etc
 TMPFILESDIR ?= ${PREFIX}/lib/tmpfiles.d
+MODULESLOADDIR ?= ${PREFIX}/lib/modules-load.d
 SYSTEMDDIR ?= ${PREFIX}/lib/systemd/system
 USERSYSTEMDDIR ?= ${PREFIX}/lib/systemd/user
 REMOTETAGS ?= remote exclude_graphdriver_btrfs btrfs_noversion exclude_graphdriver_devicemapper containers_image_openpgp
@ -779,6 +780,11 @@ install.bin:
 	install ${SELINUXOPT} -m 755 -d ${DESTDIR}${TMPFILESDIR}
 	install ${SELINUXOPT} -m 644 contrib/tmpfile/podman.conf ${DESTDIR}${TMPFILESDIR}/podman.conf

+.PHONY: install.modules-load
+install.modules-load: # This should only be used by distros which might use iptables-legacy, this is not needed on RHEL
+	install ${SELINUXOPT} -m 755 -d ${DESTDIR}${MODULESLOADDIR}
+	install ${SELINUXOPT} -m 644 contrib/modules-load.d/podman-iptables.conf ${DESTDIR}${MODULESLOADDIR}/podman-iptables.conf
+
 .PHONY: install.man
 install.man:
 	install ${SELINUXOPT} -d -m 755 $(DESTDIR)$(MANDIR)/man1
--- a/contrib/modules-load.d/podman-iptables.conf
+++ b/contrib/modules-load.d/podman-iptables.conf
@ -0,0 +1,5 @@
+# On fedora 36 ip_tables is no longer auto loaded and rootless user have no permsissions to load it.
+# When we have actual nftables support in the future we might want to revisit this.
+# If you use iptables-nft this is not needed.
+ip_tables
+ip6_tables
--- a/podman.spec.rpkg
+++ b/podman.spec.rpkg
@ -206,6 +206,9 @@ PODMAN_VERSION=%{version} %{__make} DESTDIR=%{buildroot} PREFIX=%{_prefix} ETCDI
        install.docker \
        install.docker-docs \
        install.remote \
+%if 0%{?fedora} >= 36
+        install.modules-load
+%endif

 install -d -p %{buildroot}/%{_datadir}/%{name}/test/system
 cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
@ -242,6 +245,9 @@ done
 %{_userunitdir}/%{name}.socket
 %{_userunitdir}/%{name}-restart.service
 %{_usr}/lib/tmpfiles.d/%{name}.conf
+%if 0%{?fedora} >= 36
+    %{_usr}/lib/modules-load.d/%{name}-iptables.conf
+%endif

 %files docker
 %{_bindir}/docker