Merge pull request moby#50467 from robmry/no_nftables_in_swarm

robmry · web-flow · commit 0c60a0e482e9 · 2025-07-22T16:58:26.000+01:00
No nftables in swarm
diff --git a/daemon/config/config_linux.go b/daemon/config/config_linux.go
@@ -126,6 +126,11 @@ func (conf *Config) IsSwarmCompatible() error {
 	if conf.LiveRestoreEnabled {
 		return errors.New("--live-restore daemon configuration is incompatible with swarm mode")
 	}
+	// Swarm has not yet been updated to use nftables. But, if "iptables" is disabled, it
+	// doesn't add rules anyway.
+	if conf.FirewallBackend == "nftables" && conf.EnableIPTables {
+		return errors.New("--firewall-backend=nftables is incompatible with swarm mode")
+	}
 	return nil
 }
 
diff --git a/integration/daemon/daemon_linux_test.go b/integration/daemon/daemon_linux_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/docker/docker/testutil"
 	"github.com/docker/docker/testutil/daemon"
 	"github.com/moby/moby/api/types/network"
+	swarmtypes "github.com/moby/moby/api/types/swarm"
 	"github.com/vishvananda/netlink"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
@@ -494,3 +495,31 @@ func createBridge(t *testing.T, ifName string, addrs []string) net.IP {
 	}
 	return llAddr
 }
+
+// TestSwarmNoNftables checks that, because swarm does not yet have nftables support,
+// it's not possible to:
+// - enable Swarm when nftables is enabled, or to
+// - restart an already Swarm enabled daemon with nftables enabled as well.
+func TestSwarmNoNftables(t *testing.T) {
+	ctx := testutil.StartSpan(baseContext, t)
+	skip.If(t, testEnv.IsRemoteDaemon)
+	skip.If(t, testEnv.IsRootless, "rootless mode doesn't support Swarm-mode")
+
+	t.Run("start", func(t *testing.T) {
+		d := daemon.New(t)
+		d.Start(t, "--firewall-backend=nftables")
+		defer d.Stop(t)
+		err := d.SwarmInitWithError(ctx, t, swarmtypes.InitRequest{AdvertiseAddr: "127.0.0.1:2377"})
+		assert.Check(t, is.ErrorContains(err, "--firewall-backend=nftables is incompatible with swarm mode"))
+	})
+
+	t.Run("restart", func(t *testing.T) {
+		d := daemon.New(t)
+		d.Start(t, "--firewall-backend=iptables")
+		defer d.Stop(t)
+		d.SwarmInit(ctx, t, swarmtypes.InitRequest{AdvertiseAddr: "127.0.0.1:2377"})
+
+		err := d.RestartWithError("--firewall-backend=nftables")
+		assert.Check(t, is.ErrorContains(err, "daemon exited during startup"))
+	})
+}
diff --git a/integration/network/overlay/overlay_test.go b/integration/network/overlay/overlay_test.go
@@ -65,7 +65,7 @@ func TestHostPortMappings(t *testing.T) {
 	ctx := setupTest(t)
 
 	d := daemon.New(t)
-	d.StartWithBusybox(ctx, t)
+	d.StartNodeWithBusybox(ctx, t)
 	defer d.Stop(t)
 
 	d.SwarmInit(ctx, t, swarmtypes.InitRequest{AdvertiseAddr: "127.0.0.1:2377"})
diff --git a/integration/system/ping_test.go b/integration/system/ping_test.go
@@ -60,7 +60,7 @@ func TestPingSwarmHeader(t *testing.T) {
 
 	ctx := setupTest(t)
 	d := daemon.New(t)
-	d.Start(t)
+	d.StartNode(t)
 	defer d.Stop(t)
 	apiClient := d.NewClientT(t)
 	defer apiClient.Close()
diff --git a/testutil/daemon/daemon.go b/testutil/daemon/daemon.go
@@ -530,10 +530,10 @@ func (d *Daemon) StartWithLogFile(out *os.File, providedArgs ...string) error {
 		d.args = append(d.args, "--storage-driver", d.storageDriver)
 	}
 
-	hasFwBackendArg := !slices.ContainsFunc(providedArgs, func(s string) bool {
+	hasFwBackendArg := slices.ContainsFunc(providedArgs, func(s string) bool {
 		return strings.HasPrefix(s, "--firewall-backend")
 	})
-	if hasFwBackendArg {
+	if !hasFwBackendArg {
 		if fw := os.Getenv("DOCKER_FIREWALL_BACKEND"); fw != "" {
 			d.args = append(d.args, "--firewall-backend="+fw)
 		}
diff --git a/testutil/daemon/swarm.go b/testutil/daemon/swarm.go
@@ -77,8 +77,8 @@ func (d *Daemon) NodeID() string {
 	return d.CachedInfo.Swarm.NodeID
 }
 
-// SwarmInit initializes a new swarm cluster.
-func (d *Daemon) SwarmInit(ctx context.Context, t testing.TB, req swarm.InitRequest) {
+// SwarmInitWithError initializes a new swarm cluster and returns an error.
+func (d *Daemon) SwarmInitWithError(ctx context.Context, t testing.TB, req swarm.InitRequest) error {
 	t.Helper()
 	if req.ListenAddr == "" {
 		req.ListenAddr = fmt.Sprintf("%s:%d", d.swarmListenAddr, d.SwarmPort)
@@ -93,8 +93,17 @@ func (d *Daemon) SwarmInit(ctx context.Context, t testing.TB, req swarm.InitRequ
 	cli := d.NewClientT(t)
 	defer cli.Close()
 	_, err := cli.SwarmInit(ctx, req)
+	if err == nil {
+		d.CachedInfo = d.Info(t)
+	}
+	return err
+}
+
+// SwarmInit initializes a new swarm cluster.
+func (d *Daemon) SwarmInit(ctx context.Context, t testing.TB, req swarm.InitRequest) {
+	t.Helper()
+	err := d.SwarmInitWithError(ctx, t, req)
 	assert.NilError(t, err, "initializing swarm")
-	d.CachedInfo = d.Info(t)
 }
 
 // SwarmJoin joins a daemon to an existing cluster.

Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,11 @@ func (conf *Config) IsSwarmCompatible() error {`
`126`	`126`	`if conf.LiveRestoreEnabled {`
`127`	`127`	`return errors.New("--live-restore daemon configuration is incompatible with swarm mode")`
`128`	`128`	`}`
	`129`	`+ // Swarm has not yet been updated to use nftables. But, if "iptables" is disabled, it`
	`130`	`+ // doesn't add rules anyway.`
	`131`	`+ if conf.FirewallBackend == "nftables" && conf.EnableIPTables {`
	`132`	`+ return errors.New("--firewall-backend=nftables is incompatible with swarm mode")`
	`133`	`+ }`
`129`	`134`	`return nil`
`130`	`135`	`}`
`131`	`136`
Original file line number	Diff line number	Diff line change
`@@ -530,10 +530,10 @@ func (d Daemon) StartWithLogFile(out os.File, providedArgs ...string) error {`
`530`	`530`	`d.args = append(d.args, "--storage-driver", d.storageDriver)`
`531`	`531`	`}`
`532`	`532`
`533`		`- hasFwBackendArg := !slices.ContainsFunc(providedArgs, func(s string) bool {`
	`533`	`+ hasFwBackendArg := slices.ContainsFunc(providedArgs, func(s string) bool {`
`534`	`534`	`return strings.HasPrefix(s, "--firewall-backend")`
`535`	`535`	`})`
`536`		`- if hasFwBackendArg {`
	`536`	`+ if !hasFwBackendArg {`
`537`	`537`	`if fw := os.Getenv("DOCKER_FIREWALL_BACKEND"); fw != "" {`
`538`	`538`	`d.args = append(d.args, "--firewall-backend="+fw)`
`539`	`539`	`}`