From d785b5ce1710014905042aad4fab5865f524fc12 Mon Sep 17 00:00:00 2001 From: Thomas Hallgren Date: Thu, 22 Aug 2024 16:26:00 +0200 Subject: [PATCH] Use nftables instead of iptables-legacy Some time ago, we introduced iptables-legacy because users had problems using Telepresence with Fly.io where nftables wasn't supported by the kernel. Fly.io has since fixed this, so Telepresence will now use nftables again. This in turn, ensures that modern systems that lack support for iptables-legacy will work. Closes #3542 Signed-off-by: Thomas Hallgren --- CHANGELOG.yml | 6 ++++++ build-aux/docker/images/Dockerfile.client | 4 +--- build-aux/docker/images/Dockerfile.traffic | 6 +----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.yml b/CHANGELOG.yml index 54b629b154..c24eb3445f 100644 --- a/CHANGELOG.yml +++ b/CHANGELOG.yml @@ -53,6 +53,12 @@ items: All OSS telepresence images are now published at the public registry ghcr.io/telepresenceio and all references from the client and traffic-manager has been updated to use this registry instead of the one at docker.io/datawire. + - title: Use nftables instead of iptables-legacy + type: change + body: >- + Some time ago, we introduced iptables-legacy because users had problems using Telepresence with Fly.io where nftables + wasn't supported by the kernel. Fly.io has since fixed this, so Telepresence will now use nftables again. This in turn, + ensures that modern systems that lack support iptables-legacy will work. - type: bugfix title: Root daemon wouldn't start when sudo timeout was zero. body: >- diff --git a/build-aux/docker/images/Dockerfile.client b/build-aux/docker/images/Dockerfile.client index 87064d0d90..87b41b7ca8 100644 --- a/build-aux/docker/images/Dockerfile.client +++ b/build-aux/docker/images/Dockerfile.client 
@@ -41,9 +41,7 @@ RUN setcap 'cap_net_bind_service+ep' /usr/local/bin/telepresence
 # The telepresence target is the one that gets published. It aims to be a small as possible.
 FROM alpine as telepresence
-RUN apk add --no-cache ca-certificates iptables iptables-legacy bash
-RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
-RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+RUN apk add --no-cache ca-certificates iptables bash
 # the telepresence binary
 COPY --from=telepresence-build /usr/local/bin/telepresence /usr/local/bin
diff --git a/build-aux/docker/images/Dockerfile.traffic b/build-aux/docker/images/Dockerfile.traffic
index fd839640bc..d08ef901b7 100644
--- a/build-aux/docker/images/Dockerfile.traffic
+++ b/build-aux/docker/images/Dockerfile.traffic
@@ -40,11 +40,7 @@ RUN setcap 'cap_net_bind_service+ep' /usr/local/bin/traffic
 # The tel2 target is the one that gets published. It aims to be a small as possible.
 FROM alpine as tel2
-# some cluster providers don't support nftables, so we gotta use iptables-legacy
-# This ticket contains some good info: https://github.com/tailscale/tailscale/issues/10540
-RUN apk add --no-cache ca-certificates iptables iptables-legacy
-RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
-RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+RUN apk add --no-cache ca-certificates iptables
 # the traffic binary
 COPY --from=tel2-build /usr/local/bin/traffic /usr/local/bin
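Review bot: Which backend `/sbin/iptables` uses is now decided by whichever Alpine release the untagged `FROM alpine as telepresence` line above the new `RUN apk add` happens to pull, so the Dockerfile does not itself guarantee the nftables backend that the commit message promises. As far as I know Alpine made nft the default `iptables` backend in 3.19, so a build against an older or cached base would quietly produce a legacy image again. Pinning the base, e.g. `FROM alpine:<pinned-version> as telepresence` (ideally with a digest), makes the firewall backend a reviewed property of the image rather than a side effect of build time. The `FROM alpine as tel2` line in the Dockerfile.traffic hunk has the same issue, and both stages start and end outside the hunks shown.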
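Review bot: The two comment lines removed from Dockerfile.traffic were the only record of why a particular iptables backend was chosen, and the new `RUN apk add --no-cache ca-certificates iptables` line has no replacement. I would add a comment such as `# iptables is expected to be the nft backend here; nodes must provide nf_tables, this image has no legacy fallback`, so that an operator who sees rule setup fail on an older kernel can trace the cause. It may also be worth confirming that whatever installs the rules fails loudly rather than carrying on without them, though that code is not part of this patch.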