
Embedded iptables version #40491

@HadrienPatte

Description

Currently the cilium image includes iptables, but the way it gets there is a bit convoluted and may be simplified.

Here's how it goes:

The cilium image is based on the runtime image here:

FROM ${CILIUM_RUNTIME_IMAGE} AS release

The runtime image is based off an ubuntu:24.04 base:

FROM ${UBUNTU_IMAGE} AS rootfs

Here it runs the ./install-runtime-deps.sh script, which, among other things, apt installs the iptables package:

But then right after that, we copy the iptables deb package from the cilium/iptables image and dpkg install it:

COPY --from=iptables-dist /iptables /iptables
RUN dpkg -i /iptables/*\.deb && rm -rf /iptables

That deb is manually compiled (apt-src -b install iptables) from debian bookworm sources with a fixed iptables version and debian snapshot date here.

This complex setup means we end up installing two different versions of the iptables package in two very different ways, but the second one overrides the first one.

Final notes:

  • The iptables package from the ubuntu 24.04 archives is currently 1.8.10-3ubuntu2
  • The iptables package we build from debian archives sources in the cilium/iptables image is version 1.8.8-1

Proposed changes:

  • If the reason for the current setup was to precisely control the version of iptables installed in the cilium image, then we can keep the second one (the one from the cilium/iptables image that's built from source and version pinned), although ubuntu archives do have multiple past versions of packages available and package version pinning is also an option with apt.
    • In this case, we should remove the apt install iptables from the ./install-runtime-deps.sh script.
  • If the reason for the current setup was to use an iptables version that was not yet available in the ubuntu archives of the ubuntu LTS used as a base, then this is probably no longer necessary since the iptables package version available in the currently used ubuntu LTS is more recent than the one we currently build from debian sources. Looking at "Cilium agent may fail to start due to crashing ip(6)tables command" #22482, it looks like this is the situation that led to this setup here.
    • In this case, we should remove the separate cilium/iptables image and simply install iptables with apt install.

See #22482 (comment)

cc @jibi
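The single-source install proposed in the second option, written out as an added example (this is not Cilium's actual Dockerfile or install script): it pins the Ubuntu 24.04 archive version quoted above with apt, holds the package, and fails the build if dpkg reports any other version. The IPTABLES_VERSION build arg name is an assumption.

```dockerfile
# Added example, not Cilium's Dockerfile: install iptables from exactly one
# source (the Ubuntu archive) instead of apt install followed by a dpkg -i
# of a separately built deb.
ARG UBUNTU_IMAGE=ubuntu:24.04
FROM ${UBUNTU_IMAGE} AS rootfs

# Version string from the Ubuntu 24.04 archive as quoted in the issue.
# Changing it is a deliberate, reviewable edit rather than a drift
# between two install paths. (Build arg name assumed for this example.)
ARG IPTABLES_VERSION=1.8.10-3ubuntu2

# apt-get install pkg=version pins the exact archive version; apt-mark hold
# stops a later apt-get upgrade in the same build from moving it. The
# dpkg-query check makes a silent mismatch a hard build failure.
# Note: '${Version}' is single-quoted so the shell does not expand it;
# dpkg-query itself substitutes it.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        "iptables=${IPTABLES_VERSION}" \
 && apt-mark hold iptables \
 && installed="$(dpkg-query -W -f='${Version}' iptables)" \
 && [ "${installed}" = "${IPTABLES_VERSION}" ] \
 && iptables --version \
 && rm -rf /var/lib/apt/lists/*
```

A pinned version can only be installed while that exact version is still served by the configured archive, so a superseded security update makes the build fail loudly rather than silently change what ships.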

Labels:

  • area/agent: Cilium agent related.
  • area/build: Anything to do with the build, more general than area/CI.
  • area/docker: Impacts the integration with Docker.
  • area/iptables: Impacts how Cilium interacts with iptables.
  • kind/enhancement: This would improve or streamline existing functionality.