From 12755ecdd522b502048c5b915cae1241778feabf Mon Sep 17 00:00:00 2001 From: ryneeverett Date: Thu, 10 Sep 2020 15:30:01 +0000 Subject: [PATCH] nixos/docker: load more required kernel modules This builds on #76487. br_netfilter ------------ When I first added veth it was suggested I add bridge as well. Without veth I get the following error message when starting the daemon with security.lockKernelModules=true: > Running modprobe bridge br_netfilter failed with message: modprobe: ERROR: could not insert 'br_netfilter': Operation not permitted Therefore if we're going to add bridge we may as well add br_netfilter as well. xt_nat ------ Without xt_nat, docker cannot do dnat with iptables, failing with: > iptables v1.8.4 (legacy): unknown option \"--to-destination\"\nTry `iptables -h' or 'iptables --help' for more information.\n (exit status 2))
---
 nixos/modules/virtualisation/docker.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix
index 29f133786d8d..9db408b53c6e 100644
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -149,7 +149,7 @@ in
 ###### implementation
 config = mkIf cfg.enable (mkMerge [{
- boot.kernelModules = [ "bridge" "veth" ];
+ boot.kernelModules = [ "bridge" "veth" "br_netfilter" "xt_nat" ];
 boot.kernel.sysctl = {
 "net.ipv4.conf.all.forwarding" = mkOverride 98 true;
 "net.ipv4.conf.default.forwarding" = mkOverride 98 true;
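Review bot: The new `boot.kernelModules` line carries no explanation of why these four modules are pre-loaded, so the next maintainer has only the commit message to tell them the list exists for `security.lockKernelModules = true`, where the daemon's own modprobe calls are refused; a comment above the list such as `# Pre-loaded so the daemon works under security.lockKernelModules; br_netfilter is pulled in alongside bridge and xt_nat provides the iptables DNAT target.` would keep that rationale with the code. Worth stating in that comment as well is that loading br_netfilter at boot is host-wide: once the module is present, bridged traffic on every bridge on the machine is passed through the iptables hooks (the bridge-nf-call-* sysctls default to enabled), which is a behavioural change for hosts that run other bridges and may be a surprise when only Docker was meant to be affected. The `config = mkIf cfg.enable (mkMerge [{` attribute set that contains this line continues past the end of the hunk.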