firecracker: fix docker -p (#11427)

Docker v28 configures direct-access filtering via iptables `-t raw` for
published ports. As a result, commands like `docker run -p <port>` fail
with

> iptables ... can't initialize iptables table `raw': Table does not
exist

because our current guest kernel configs all have `CONFIG_IP_NF_RAW`
disabled.

Repro: run the same `bb execute` command with firecracker isolation,
with and without `--action_env=DOCKER_INSECURE_NO_IPTABLES_RAW=1`;
manually start `dockerd &`, sleep for a bit then run `docker run -p ...`

Fix:
- Set `DOCKER_INSECURE_NO_IPTABLES_RAW=1` unconditionally when starting
dockerd in goinit. Includes an inline note explaining why this is safe
for our VM sandboxing model.
- Add TODOs at the top of all guest kernel config files to enable
`CONFIG_NF_TABLES` and remove the env-var fallback. (I don't want to do
this right now since I think it's slightly risky, so I'd rather save
this for when we incrementally start migrating to our new 6.1 config)
- Update docker-in-firecracker coverage to include `docker run -p ...`
on a newer docker version.


Context:
https://buildbuddy-corp.slack.com/archives/C0AFN0SMNG5/p1772129387671119?thread_ts=1772012498.295389&cid=C0AFN0SMNG5

Author: bduffany

enterprise/server/cmd/goinit/main.go

@@ -192,8 +192,9 @@ func startDockerd(ctx context.Context) error {
 	if *enableDockerdTCP {
 		args = append(args, "--host=unix:///var/run/docker.sock", "--host=tcp://0.0.0.0:2375", "--tls=false")
 	}
-
 	cmd := exec.CommandContext(ctx, "dockerd", args...)
+	// Note: despite the big scary INSECURE env var name, dockerd is completely sandboxed inside a VM, so it's secure for our usage. Once we upgrade our guest kernels to support nf tables, we can remove this.
+	cmd.Env = append(os.Environ(), "DOCKER_INSECURE_NO_IPTABLES_RAW=1")
 	// TODO(https://github.com/buildbuddy-io/buildbuddy-internal/issues/3306):
 	// enable logging by default
 	if *enableLogging {

enterprise/server/remote_execution/containers/firecracker/firecracker.go

@@ -120,7 +120,7 @@ const (
 	//
 	// NOTE: this is part of the snapshot cache key, so bumping this version
 	// will make existing cached snapshots unusable.
-	GuestAPIVersion = "17"
+	GuestAPIVersion = "18"
 
 	// How long to wait when dialing the vmexec server inside the VM.
 	vSocketDialTimeout = 60 * time.Second

enterprise/server/remote_execution/containers/firecracker/firecracker_test.go

@@ -75,8 +75,9 @@ const (
 	// Alternate image to use if getting rate-limited by docker hub
 	// busyboxImage = "gcr.io/google-containers/busybox:latest"
 
-	ubuntuImage              = "mirror.gcr.io/library/ubuntu:20.04"
-	imageWithDockerInstalled = "gcr.io/flame-public/executor-docker-default:enterprise-v1.6.0"
+	ubuntuImage                 = "mirror.gcr.io/library/ubuntu:20.04"
+	imageWithDockerInstalled    = "gcr.io/flame-public/executor-docker-default:enterprise-v1.6.0"
+	imageWithDockerV28Installed = platform.Ubuntu24_04Image
 
 	// Minimum memory needed for a firecracker VM. This may need to be increased
 	// if the size of initrd.cpio increases.
@@ -150,8 +151,8 @@ func TestGuestAPIVersion(t *testing.T) {
 	// Note that if you go with option 1, ALL VM snapshots will be invalidated
 	// which will negatively affect customer experience. Be careful!
 	const (
-		expectedHash    = "25c5043d9c3d465c5fe2e974da0e532fe113365182aa8fe59c0c1e028064562b"
-		expectedVersion = "17"
+		expectedHash    = "d6e20637585cf821192d1b13d34b87316307ae286b4c31d27307052a3d7df45c"
+		expectedVersion = "18"
 	)
 	assert.Equal(t, expectedHash, firecracker.GuestAPIHash)
 	assert.Equal(t, expectedVersion, firecracker.GuestAPIVersion)
@@ -2455,7 +2456,7 @@ func TestFirecrackerRunNOPWithZeroDisk(t *testing.T) {
 	assert.Equal(t, "/workspace\n", string(res.Stdout))
 }
 
-func TestFirecrackerRunWithDockerOverUDS(t *testing.T) {
+func testFirecrackerRunWithDockerOverUDS(t *testing.T, containerImage string) {
 	if *skipDockerTests {
 		t.Skip()
 	}
@@ -2472,7 +2473,7 @@ func TestFirecrackerRunWithDockerOverUDS(t *testing.T) {
 			docker pull ` + busyboxImage + ` &>/dev/null
 
 			# Try running a few commands
-			docker run --rm ` + busyboxImage + ` echo Hello
+			docker run --rm -p 127.0.0.1:18080:80 ` + busyboxImage + ` echo Hello
 			docker run --rm ` + busyboxImage + ` echo world
 
 			# Check what storage driver docker is using
@@ -2481,7 +2482,7 @@ func TestFirecrackerRunWithDockerOverUDS(t *testing.T) {
 	}
 
 	opts := firecracker.ContainerOpts{
-		ContainerImage:         imageWithDockerInstalled,
+		ContainerImage:         containerImage,
 		ActionWorkingDirectory: workDir,
 		VMConfiguration: &fcpb.VMConfiguration{
 			NumCpus:           1,
@@ -2512,6 +2513,14 @@ func TestFirecrackerRunWithDockerOverUDS(t *testing.T) {
 	assert.Equal(t, "", string(res.Stderr), "stderr should be empty")
 }
 
+func TestFirecrackerRunWithDockerOverUDS(t *testing.T) {
+	testFirecrackerRunWithDockerOverUDS(t, imageWithDockerInstalled)
+}
+
+func TestFirecrackerRunWithDockerV28OverUDS(t *testing.T) {
+	testFirecrackerRunWithDockerOverUDS(t, imageWithDockerV28Installed)
+}
+
 func TestFirecrackerRunWithDockerOverTCP(t *testing.T) {
 	if *skipDockerTests {
 		t.Skip()

enterprise/vmsupport/kernel/microvm-kernel-aarch64-v5.10.config

@@ -1,3 +1,4 @@
+# TODO: For our current iptables-legacy path, enable CONFIG_IP_NF_RAW (and CONFIG_IP6_NF_RAW if needed), or fully migrate to nftables (CONFIG_NF_TABLES + non-legacy iptables), then remove the DOCKER_INSECURE_NO_IPTABLES_RAW fallback in enterprise/server/cmd/goinit/main.go.
 CONFIG_CC_VERSION_TEXT="gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1)"
 CONFIG_CC_IS_GCC=y
 CONFIG_GCC_VERSION=100500
@@ -3113,4 +3114,4 @@ CONFIG_CC_HAS_SANCOV_TRACE_PC=y
 # CONFIG_RUNTIME_TESTING_MENU is not set
 # CONFIG_MEMTEST is not set
 # end of Kernel Testing and Coverage
-# end of Kernel hacking
+# end of Kernel hacking

enterprise/vmsupport/kernel/microvm-kernel-x86_64-v5.15.config

@@ -1,3 +1,4 @@
+# TODO: For our current iptables-legacy path, enable CONFIG_IP_NF_RAW (and CONFIG_IP6_NF_RAW if needed), or fully migrate to nftables (CONFIG_NF_TABLES + non-legacy iptables), then remove the DOCKER_INSECURE_NO_IPTABLES_RAW fallback in enterprise/server/cmd/goinit/main.go.
 #
 # Config copied from https://github.com/firecracker-microvm/firecracker/blob/main/resources/guest_configs/microvm-kernel-ci-x86_64-5.10.config
 # Linux/x86 5.10.0 Kernel Configuration

enterprise/vmsupport/kernel/microvm-kernel-x86_64-v6.1.config

@@ -1,3 +1,4 @@
+# TODO: For our current iptables-legacy path, enable CONFIG_IP_NF_RAW (and CONFIG_IP6_NF_RAW if needed), or fully migrate to nftables (CONFIG_NF_TABLES + non-legacy iptables), then remove the DOCKER_INSECURE_NO_IPTABLES_RAW fallback in enterprise/server/cmd/goinit/main.go.
 # Config copied from https://github.com/firecracker-microvm/firecracker/blob/main/resources/guest_configs/microvm-kernel-ci-x86_64-6.1.config
 # BuildBuddy-specific modifications:
 # - Set CONFIG_PCI=y (see https://github.com/firecracker-microvm/firecracker/issues/4881)
@@ -3238,4 +3239,4 @@ CONFIG_ARCH_USE_MEMTEST=y
 # Rust hacking
 #
 # end of Rust hacking
-# end of Kernel hacking
+# end of Kernel hacking