Restore pre-upgrade Docker IPv6 iptables behavior#27863
Open
rameshraghupathy wants to merge 1 commit into
Conversation
Signed-off-by: Ramesh Raghupathy <ram@cisco.com>
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Collaborator
This PR has backport request for branch(es): 202511,202605. ---Powered by SONiC BuildBot
Contributor
@rameshraghupathy, does PR #27477 need a revert of its changes with this PR?
Contributor
I thought #27341 resolved the startup issue. Why is this PR needed now?
The Trixie image uses Docker 28.5.2, while the previous Bookworm environment used Docker 24.0.2. Docker 27+ changed IPv6 bridge/iptables behavior. As a result, dockerd now attempts IPv6 iptables programming during startup. On SmartSwitch first boot this can happen before the kernel netfilter path is fully ready, causing docker.service failure and cascading config/interface failures.
Add --ip6tables=false to restore the pre-upgrade behavior where Docker does not program IPv6 iptables rules.
Why I did it
Docker 28 (introduced during the Trixie upgrade) enables additional IPv6 iptables programming during daemon startup. On SmartSwitch first boot this can race with early platform/kernel initialization and cause docker.service startup failure.
How I did it
Added:
--ip6tables=false
to Docker daemon startup options in:
/etc/systemd/system/docker.service.d/docker.service.conf
This disables Docker IPv6 iptables rule programming during daemon startup.
How to verify it
Do a sonic-to-sonic upgrade using sonic-installer install (.34 image), then reboot.
Before change:
docker.service failed during first boot,
interfaces-config.service failed,
eth0 management IP missing.
After change:
docker.service started successfully,
interfaces-config.service completed successfully,
management eth0 configuration applied correctly.
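As an added example that is not part of this PR, the check below covers both "How I did it" and "How to verify it": it confirms that the effective ExecStart line of the docker.service drop-in carries --ip6tables=false, and that the live ip6tables ruleset holds no Docker-created chains. The drop-in contents, the dockerd command line and the ruleset snippets are constructed for illustration; the switch's real ExecStart line is not reproduced here.

```shell
#!/bin/sh
# Added example, not SONiC code. Assumes the drop-in overrides ExecStart in the
# usual systemd way: an empty "ExecStart=" followed by the new "ExecStart=...".

# Succeeds when the effective (last non-empty) ExecStart= line read from stdin
# starts dockerd with --ip6tables=false.
ip6tables_disabled_in_dropin() {
  last=$(grep '^ExecStart=.' | tail -n 1)
  case " $last " in
    *" --ip6tables=false "*) return 0 ;;
    *)                       return 1 ;;
  esac
}

# Succeeds when an "ip6tables -S" listing read from stdin contains chains that
# dockerd creates (DOCKER, DOCKER-USER, ...), i.e. IPv6 rules were programmed.
docker_ip6_chains_present() {
  grep -q -- '-N DOCKER'
}

# Constructed drop-ins: before the change and with the new flag appended.
OLD_DROPIN='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --storage-driver=overlay2'
NEW_DROPIN='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --storage-driver=overlay2 --ip6tables=false'

# Constructed rulesets in "ip6tables -S" format.
RULES_WITH_DOCKER='-P INPUT ACCEPT
-N DOCKER
-N DOCKER-USER'
RULES_CLEAN='-P INPUT ACCEPT
-P FORWARD ACCEPT'

# Run on the upgraded switch after reboot (needs root for ip6tables).
check_host() {
  f=/etc/systemd/system/docker.service.d/docker.service.conf
  if ip6tables_disabled_in_dropin < "$f"; then echo "drop-in: --ip6tables=false set"
  else echo "drop-in: --ip6tables=false missing"; fi
  if ip6tables -S 2>/dev/null | docker_ip6_chains_present; then echo "ip6tables: DOCKER chains present"
  else echo "ip6tables: no DOCKER chains"; fi
  systemctl is-active docker.service interfaces-config.service
}
```

Call check_host on the device; the functions above can also be fed saved copies of the drop-in and ruleset for offline review.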
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
202511
Description of change
Add --ip6tables=false to Docker daemon startup options to restore the pre-upgrade behavior where Docker does not program IPv6 iptables rules during startup.