Run API check to assert xfrm modules

- When docker is run inside a container, the infrastructure needed by modprobe is not always available, causing the xfrm module load to fail even when these modules are already loaded or builtin in the kernel. - In case of probe failure, before declaring the failure, run an API check by attempting the creation of a NETLINK_XFRM socket. Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-10-10 11:56:03 -07:00 · 2016-10-10 11:56:03 -07:00 · a4f56880b2
commit a4f56880b2
parent 11b0e69fcd
1 changed files with 14 additions and 2 deletions
--- a/libnetwork/ns/init_linux.go
+++ b/libnetwork/ns/init_linux.go
@ -69,8 +69,10 @@ func NlHandle() *netlink.Handle {
 func getSupportedNlFamilies() []int {
 	fams := []int{syscall.NETLINK_ROUTE}
 	if err := loadXfrmModules(); err != nil {
-		log.Warnf("Could not load necessary modules for IPSEC rules: %v", err)
-		return fams
+		if checkXfrmSocket() != nil {
+			log.Warnf("Could not load necessary modules for IPSEC rules: %v", err)
+			return fams
+		}
 	}
 	return append(fams, syscall.NETLINK_XFRM)
 }
@ -84,3 +86,13 @@ func loadXfrmModules() error {
 	}
 	return nil
 }
+
+// API check on required xfrm modules (xfrm_user, xfrm_algo)
+func checkXfrmSocket() error {
+	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_XFRM)
+	if err != nil {
+		return err
+	}
+	syscall.Close(fd)
+	return nil
+}