fix: configure docker / iptables rules on the host (#115)

Author: bcho

components/linux/action.pb.go

@@ -18,4 +18,32 @@ message ConfigureBaseOSSpec {
 }
 
 message ConfigureBaseOSStatus {
+}
+
+message DisableDocker {
+  api.Metadata metadata = 1;
+
+  DisableDockerSpec spec = 2;
+
+  DisableDockerStatus status = 3;
+}
+
+message DisableDockerSpec {
+}
+
+message DisableDockerStatus {
+}
+
+message ConfigureIPTables {
+  api.Metadata metadata = 1;
+
+  ConfigureIPTablesSpec spec = 2;
+
+  ConfigureIPTablesStatus status = 3;
+}
+
+message ConfigureIPTablesSpec {
+}
+
+message ConfigureIPTablesStatus {
 }

components/linux/action.proto

@@ -2,3 +2,9 @@ package linux
 
 func (x *ConfigureBaseOS) Redact() {
 }
+
+func (x *DisableDocker) Redact() {
+}
+
+func (x *ConfigureIPTables) Redact() {
+}

components/linux/redact.go

@@ -0,0 +1,27 @@
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT

components/linux/v20260301/assets/iptables-clear

@@ -0,0 +1,11 @@
+[Unit]
+Description=Flush iptables rules to a clean ACCEPT state
+Before=kubelet.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore -cv /etc/aks-flex-node/iptables-clear
+RemainAfterExit=no
+
+[Install]
+RequiredBy=kubelet.service

components/linux/v20260301/assets/iptables-flush.service

@@ -0,0 +1,96 @@
+package v20260301
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+
+	"google.golang.org/protobuf/types/known/anypb"
+
+	"github.com/Azure/AKSFlexNode/components/linux"
+	"github.com/Azure/AKSFlexNode/components/services/actions"
+	"github.com/Azure/AKSFlexNode/pkg/config"
+	"github.com/Azure/AKSFlexNode/pkg/systemd"
+	"github.com/Azure/AKSFlexNode/pkg/utils/utilio"
+	"github.com/Azure/AKSFlexNode/pkg/utils/utilpb"
+)
+
+const (
+	iptablesFlushUnit = "iptables-flush.service"
+	iptablesClearPath = config.ConfigDir + "/iptables-clear"
+)
+
+//go:embed assets/iptables-flush.service
+var iptablesFlushServiceUnit []byte
+
+//go:embed assets/iptables-clear
+var iptablesClearRules []byte
+
+// configureIPTablesAction installs a oneshot systemd unit that flushes all
+// iptables rules to a clean ACCEPT state before kubelet starts. This ensures
+// stale rules (e.g. left behind by Docker) do not interfere with Kubernetes
+// networking.
+type configureIPTablesAction struct {
+	systemd systemd.Manager
+}
+
+func newConfigureIPTablesAction() (actions.Server, error) {
+	return &configureIPTablesAction{
+		systemd: systemd.New(),
+	}, nil
+}
+
+var _ actions.Server = (*configureIPTablesAction)(nil)
+
+func (a *configureIPTablesAction) ApplyAction(
+	ctx context.Context,
+	req *actions.ApplyActionRequest,
+) (*actions.ApplyActionResponse, error) {
+	settings, err := utilpb.AnyTo[*linux.ConfigureIPTables](req.GetItem())
+	if err != nil {
+		return nil, err
+	}
+
+	if err := a.ensureIPTablesClearRules(); err != nil {
+		return nil, fmt.Errorf("installing iptables-clear rules: %w", err)
+	}
+
+	if err := a.ensureIPTablesFlushUnit(ctx); err != nil {
+		return nil, fmt.Errorf("configuring iptables-flush service: %w", err)
+	}
+
+	item, err := anypb.New(settings)
+	if err != nil {
+		return nil, err
+	}
+
+	return actions.ApplyActionResponse_builder{Item: item}.Build(), nil
+}
+
+// ensureIPTablesClearRules writes the iptables-restore rules file
+// to <config.ConfigDir>/iptables-clear. The file resets all tables (mangle, raw, filter,
+// security, nat) to their default ACCEPT policies with empty chains.
+func (a *configureIPTablesAction) ensureIPTablesClearRules() error {
+	return a.ensureIPTablesClearRulesAt(iptablesClearPath)
+}
+
+// ensureIPTablesClearRulesAt writes the iptables-clear rules to the given path.
+func (a *configureIPTablesAction) ensureIPTablesClearRulesAt(path string) error {
+	return utilio.WriteFile(path, iptablesClearRules, 0600)
+}
+
+// ensureIPTablesFlushUnit installs and enables the
+// iptables-flush.service oneshot unit. The unit runs iptables-restore with the
+// clean rules file before kubelet.service starts.
+func (a *configureIPTablesAction) ensureIPTablesFlushUnit(ctx context.Context) error {
+	unitUpdated, err := a.systemd.EnsureUnitFile(ctx, iptablesFlushUnit, iptablesFlushServiceUnit)
+	if err != nil {
+		return err
+	}
+
+	if err := a.systemd.EnableUnit(ctx, iptablesFlushUnit); err != nil {
+		return err
+	}
+
+	return systemd.EnsureUnitRunning(ctx, a.systemd, iptablesFlushUnit, unitUpdated, unitUpdated)
+}

components/linux/v20260301/configure_iptables.go

@@ -0,0 +1,130 @@
+package v20260301
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+
+	"google.golang.org/protobuf/types/known/anypb"
+
+	"github.com/Azure/AKSFlexNode/components/linux"
+	"github.com/Azure/AKSFlexNode/components/services/actions"
+	"github.com/Azure/AKSFlexNode/pkg/systemd"
+	"github.com/Azure/AKSFlexNode/pkg/utils/utilio"
+	"github.com/Azure/AKSFlexNode/pkg/utils/utilpb"
+)
+
+const (
+	dockerServiceUnit = "docker.service"
+	dockerSocketUnit  = "docker.socket"
+	daemonConfigPath  = "/etc/docker/daemon.json"
+)
+
+// disableDockerAction disables the docker service and configures the docker
+// daemon with "iptables": false. This prevents docker from manipulating
+// iptables rules, which would conflict with Kubernetes networking.
+type disableDockerAction struct {
+	systemd systemd.Manager
+}
+
+func newDisableDockerAction() (actions.Server, error) {
+	return &disableDockerAction{
+		systemd: systemd.New(),
+	}, nil
+}
+
+var _ actions.Server = (*disableDockerAction)(nil)
+
+func (a *disableDockerAction) ApplyAction(
+	ctx context.Context,
+	req *actions.ApplyActionRequest,
+) (*actions.ApplyActionResponse, error) {
+	settings, err := utilpb.AnyTo[*linux.DisableDocker](req.GetItem())
+	if err != nil {
+		return nil, err
+	}
+
+	if err := a.ensureDockerDisabled(ctx); err != nil {
+		return nil, fmt.Errorf("disabling docker: %w", err)
+	}
+
+	if err := a.ensureDaemonConfig(); err != nil {
+		return nil, fmt.Errorf("configuring docker daemon: %w", err)
+	}
+
+	item, err := anypb.New(settings)
+	if err != nil {
+		return nil, err
+	}
+
+	return actions.ApplyActionResponse_builder{Item: item}.Build(), nil
+}
+
+// ensureDockerDisabled idempotently stops, disables, and masks the docker
+// service and socket units so docker cannot be started.
+func (a *disableDockerAction) ensureDockerDisabled(ctx context.Context) error {
+	if err := systemd.EnsureUnitMasked(ctx, a.systemd, dockerSocketUnit); err != nil {
+		return fmt.Errorf("masking %s: %w", dockerSocketUnit, err)
+	}
+
+	if err := systemd.EnsureUnitMasked(ctx, a.systemd, dockerServiceUnit); err != nil {
+		return fmt.Errorf("masking %s: %w", dockerServiceUnit, err)
+	}
+
+	return nil
+}
+
+// ensureDaemonConfig ensures /etc/docker/daemon.json contains
+// "iptables": false.
+func (a *disableDockerAction) ensureDaemonConfig() error {
+	return a.ensureDaemonConfigAt(daemonConfigPath)
+}
+
+// ensureDaemonConfigAt ensures the daemon.json at the given path
+// contains "iptables": false. If the file already exists, the existing
+// configuration is preserved and only the iptables key is set. If the file does
+// not exist, a new one is created.
+func (a *disableDockerAction) ensureDaemonConfigAt(path string) error {
+	config := map[string]any{}
+
+	existing, err := os.ReadFile(path) //#nosec G304 -- trusted path
+	switch {
+	case errors.Is(err, os.ErrNotExist):
+		// file does not exist, will create with defaults
+	case err != nil:
+		return fmt.Errorf("reading %s: %w", path, err)
+	default:
+		if err := json.Unmarshal(existing, &config); err != nil {
+			return fmt.Errorf("parsing %s: %w", path, err)
+		}
+	}
+
+	if val, ok := config["iptables"]; ok {
+		if enabled, isBool := val.(bool); isBool && !enabled {
+			// iptables is already set to false, nothing to do
+			return nil
+		}
+	}
+
+	config["iptables"] = false
+
+	content, err := marshalDaemonConfig(config)
+	if err != nil {
+		return err
+	}
+
+	return utilio.WriteFile(path, content, 0644)
+}
+
+// marshalDaemonConfig serializes a daemon config map to indented JSON with a
+// trailing newline, matching the conventional format for daemon.json.
+func marshalDaemonConfig(config map[string]any) ([]byte, error) {
+	data, err := json.MarshalIndent(config, "", "    ")
+	if err != nil {
+		return nil, fmt.Errorf("marshaling daemon config: %w", err)
+	}
+	data = append(data, '\n')
+	return data, nil
+}

components/linux/v20260301/disable_docker.go

@@ -10,4 +10,12 @@ func init() {
 		newConfigureBaseOSAction,
 		&linux.ConfigureBaseOS{},
 	)
+	actions.MustRegister(
+		newDisableDockerAction,
+		&linux.DisableDocker{},
+	)
+	actions.MustRegister(
+		newConfigureIPTablesAction,
+		&linux.ConfigureIPTables{},
+	)
 }

components/linux/v20260301/exports.go

@@ -36,6 +36,9 @@ func (b *Bootstrapper) Bootstrap(ctx context.Context) (*ExecutionResult, error)
 		arc.NewInstaller(b.logger), // Setup Arc
 
 		configureSystem.Executor("configure-os", b.componentsAPIConn),
+		// Some environments might have docker pre-installed which can interfere with Kubernetes networking.
+		// This step disables the docker services and configures the docker daemon to not manage iptables rules.
+		disableDocker.Executor("disable-docker", b.componentsAPIConn),
 
 		// Fetch serverURL and caCertData from AKS cluster admin credentials for
 		// non-bootstrap-token auth modes (Arc, SP, MI). Must run before startKubelet
@@ -50,6 +53,8 @@ func (b *Bootstrapper) Bootstrap(ctx context.Context) (*ExecutionResult, error)
 
 		configureCNI.Executor("configure-cni", b.componentsAPIConn),
 		startContainerdService.Executor("start-containerd", b.componentsAPIConn),
+		// Configure iptables rules before kubelet starts to prevent conflicts with Kubernetes networking
+		configureIPTables.Executor("configure-iptables", b.componentsAPIConn),
 		startKubelet.Executor("start-kubelet", b.componentsAPIConn),
 		startNPD.Executor("start-npd", b.componentsAPIConn),
 	}

pkg/bootstrapper/bootstrapper.go

@@ -91,6 +91,30 @@ var configureSystem resolveActionFunc[*linux.ConfigureBaseOS] = func(
 	}.Build(), nil
 }
 
+var disableDocker resolveActionFunc[*linux.DisableDocker] = func(
+	name string,
+	cfg *config.Config,
+) (*linux.DisableDocker, error) {
+	spec := linux.DisableDockerSpec_builder{}.Build()
+
+	return linux.DisableDocker_builder{
+		Metadata: componentAction(name),
+		Spec:     spec,
+	}.Build(), nil
+}
+
+var configureIPTables resolveActionFunc[*linux.ConfigureIPTables] = func(
+	name string,
+	cfg *config.Config,
+) (*linux.ConfigureIPTables, error) {
+	spec := linux.ConfigureIPTablesSpec_builder{}.Build()
+
+	return linux.ConfigureIPTables_builder{
+		Metadata: componentAction(name),
+		Spec:     spec,
+	}.Build(), nil
+}
+
 var downloadCRIBinaries resolveActionFunc[*cri.DownloadCRIBinaries] = func(
 	name string,
 	cfg *config.Config,