br_netfilter module is not loaded by docker #48948
Description
Description
With docker-27.3.1 br_netfilter module is not loaded by default when docker service is started.
The code was removed in db25b0d;
And this seems to be a regression.
Reproduce
docker swarm init --advertise-addr 127.0.0.1:8090docker service create --name my_web --replicas 1 --publish 8090:80 nginx
When the second command is run, I see the below error in journal.
Nov 25 13:55:38 ph5dev dockerd[9682]: time="2024-11-25T13:55:38.866243855Z" level=error msg="fatal task error" error="error creating external connectivity network: cannot restrict inter-container communication: ensure that the br_netfilter kernel module is loaded" module=node/agent/taskmanager node.id=ymvxcf846da1w705604iv6mzd service.id=hbhvrkgmqbs7h4evch9c1q7gh task.id=izaubnqj8cnq02le61okgnlmg
cc: @robmry
Expected behavior
br_netfilter module should be loaded when docker service starts and backward compatibility should be maintained.
This was working as expected till docker-27.2.1
docker version
Client: Docker Engine - Community
Version: 27.3.1
API version: 1.47
Go version: go1.21.13
Git commit: 3ab4256
Built: Mon Nov 25 13:35:46 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 27.3.1
API version: 1.47 (minimum version 1.24)
Go version: go1.21.13
Git commit: 3ab5c7d
Built: Mon Nov 25 13:36:04 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.21
GitCommit: ''
runc:
Version: 1.1.14
GitCommit:
docker-init:
Version: 0.19.0
GitCommit: ''docker info
Client: Docker Engine - Community
Version: 27.3.1
Context: default
Debug Mode: false
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 27.3.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 3dce8eb055cbb6872793272b4f20ed16117344f8
runc version:
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.1.118-1.ph5
Operating System: VMware Photon OS/Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 1.916GiB
Name: ph5dev
ID: db2af409-5f08-402a-bb47-a57db13191b8
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabledAdditional Info
No response