firecracker: make docker -p work in guest kernels without raw table support

bduffany · bduffany · commit 680b5faabcb7 · 2026-02-26T13:04:51.000-05:00
Docker 28 configures direct-access filtering via iptables `-t raw` for
published ports. In Firecracker guest VMs this can fail with:

  iptables ... can't initialize iptables table `raw': Table does not exist

because our current guest kernel configs all have `CONFIG_IP_NF_RAW` disabled.

Changes:
- Set `DOCKER_INSECURE_NO_IPTABLES_RAW=1` unconditionally when starting
  dockerd in goinit.
- Keep an inline note explaining why this is safe for our VM sandboxing model.
- Update docker-in-firecracker coverage to include `docker run -p ...` in
  `TestFirecrackerRunWithDockerOverUDS`.
- Update guest API hash expectation.
- Add TODOs at the top of all guest kernel config files to enable
  `CONFIG_NF_TABLES` and remove the env-var fallback.

Repro (before/after): run the same `bb execute` command with and without
`--action_env=DOCKER_INSECURE_NO_IPTABLES_RAW=1`; `docker run -p ...` fails
without it and succeeds with it.
diff --git a/enterprise/server/cmd/goinit/main.go b/enterprise/server/cmd/goinit/main.go
@@ -192,8 +192,9 @@ func startDockerd(ctx context.Context) error {
 	if *enableDockerdTCP {
 		args = append(args, "--host=unix:///var/run/docker.sock", "--host=tcp://0.0.0.0:2375", "--tls=false")
 	}
-
 	cmd := exec.CommandContext(ctx, "dockerd", args...)
+	// Note: despite the big scary INSECURE env var name, dockerd is completely sandboxed inside a VM, so it's secure for our usage. Once we upgrade our guest kernels to support nf tables, we can remove this.
+	cmd.Env = append(os.Environ(), "DOCKER_INSECURE_NO_IPTABLES_RAW=1")
 	// TODO(https://github.com/buildbuddy-io/buildbuddy-internal/issues/3306):
 	// enable logging by default
 	if *enableLogging {
diff --git a/enterprise/server/remote_execution/containers/firecracker/firecracker_test.go b/enterprise/server/remote_execution/containers/firecracker/firecracker_test.go
@@ -150,7 +150,7 @@ func TestGuestAPIVersion(t *testing.T) {
 	// Note that if you go with option 1, ALL VM snapshots will be invalidated
 	// which will negatively affect customer experience. Be careful!
 	const (
-		expectedHash    = "25c5043d9c3d465c5fe2e974da0e532fe113365182aa8fe59c0c1e028064562b"
+		expectedHash    = "d6e20637585cf821192d1b13d34b87316307ae286b4c31d27307052a3d7df45c"
 		expectedVersion = "17"
 	)
 	assert.Equal(t, expectedHash, firecracker.GuestAPIHash)
@@ -2472,7 +2472,7 @@ func TestFirecrackerRunWithDockerOverUDS(t *testing.T) {
 			docker pull ` + busyboxImage + ` &>/dev/null
 
 			# Try running a few commands
-			docker run --rm ` + busyboxImage + ` echo Hello
+			docker run --rm -p 127.0.0.1:18080:80 ` + busyboxImage + ` echo Hello
 			docker run --rm ` + busyboxImage + ` echo world
 
 			# Check what storage driver docker is using
diff --git a/enterprise/vmsupport/kernel/microvm-kernel-aarch64-v5.10.config b/enterprise/vmsupport/kernel/microvm-kernel-aarch64-v5.10.config
@@ -1,3 +1,4 @@
+# TODO: Enable CONFIG_NF_TABLES and remove the DOCKER_INSECURE_NO_IPTABLES_RAW fallback in enterprise/server/cmd/goinit/main.go.
 CONFIG_CC_VERSION_TEXT="gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1)"
 CONFIG_CC_IS_GCC=y
 CONFIG_GCC_VERSION=100500
@@ -3113,4 +3114,4 @@ CONFIG_CC_HAS_SANCOV_TRACE_PC=y
 # CONFIG_RUNTIME_TESTING_MENU is not set
 # CONFIG_MEMTEST is not set
 # end of Kernel Testing and Coverage
-# end of Kernel hacking
+# end of Kernel hacking
diff --git a/enterprise/vmsupport/kernel/microvm-kernel-x86_64-v5.15.config b/enterprise/vmsupport/kernel/microvm-kernel-x86_64-v5.15.config
@@ -1,3 +1,4 @@
+# TODO: Enable CONFIG_NF_TABLES and remove the DOCKER_INSECURE_NO_IPTABLES_RAW fallback in enterprise/server/cmd/goinit/main.go.
 #
 # Config copied from https://github.com/firecracker-microvm/firecracker/blob/main/resources/guest_configs/microvm-kernel-ci-x86_64-5.10.config
 # Linux/x86 5.10.0 Kernel Configuration
diff --git a/enterprise/vmsupport/kernel/microvm-kernel-x86_64-v6.1.config b/enterprise/vmsupport/kernel/microvm-kernel-x86_64-v6.1.config
@@ -1,3 +1,4 @@
+# TODO: Enable CONFIG_NF_TABLES and remove the DOCKER_INSECURE_NO_IPTABLES_RAW fallback in enterprise/server/cmd/goinit/main.go.
 # Config copied from https://github.com/firecracker-microvm/firecracker/blob/main/resources/guest_configs/microvm-kernel-ci-x86_64-6.1.config
 # BuildBuddy-specific modifications:
 # - Set CONFIG_PCI=y (see https://github.com/firecracker-microvm/firecracker/issues/4881)
@@ -3238,4 +3239,4 @@ CONFIG_ARCH_USE_MEMTEST=y
 # Rust hacking
 #
 # end of Rust hacking
-# end of Kernel hacking
+# end of Kernel hacking

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+# TODO: Enable CONFIG_NF_TABLES and remove the DOCKER_INSECURE_NO_IPTABLES_RAW fallback in enterprise/server/cmd/goinit/main.go.`
`1`	`2`	`#`
`2`	`3`	`# Config copied from https://github.com/firecracker-microvm/firecracker/blob/main/resources/guest_configs/microvm-kernel-ci-x86_64-5.10.config`
`3`	`4`	`# Linux/x86 5.10.0 Kernel Configuration`