From d926879cf044a7d2149eee0df4667e264a15454b Mon Sep 17 00:00:00 2001
From: Gaurav Saini <147703805+gauravsaini04@users.noreply.github.com>
Date: Tue, 17 Sep 2024 02:03:34 +0530
Subject: [PATCH] [docker-in-docker] - toggle ip6tables settings value as option (#1068)
* [docker-in-docker] - toggle ip6tables settings value as option * Update src/docker-in-docker/devcontainer-feature.json Co-authored-by: Samruddhi Khandale * Update src/docker-in-docker/devcontainer-feature.json Co-authored-by: Samruddhi Khandale * ip6tables - can be toggled * changes as requested * change to add test file.. * changes for docker_build_older test passing * misc change * CHANGE * chg * minor change to make tests pass * for sh compatibility * change for version * small change * few imp. changes * few changes * for test passing * minor commit * version added to a test scenario * changes * LOGIC was moved outside the init file for faster initialization times * changes * logic updated ! * chg * default value to be null * changes as suggested in review comments.. * by mistake * another small change * requested changes in comments (review pr) * change as requested * changes as suggested in review comments * Update src/docker-in-docker/install.sh Co-authored-by: Samruddhi Khandale --------- Co-authored-by: Samruddhi Khandale
---
 .../devcontainer-feature.json | 7 +++++-
 src/docker-in-docker/install.sh | 23 ++++++++++++++++--
 .../dockerIp6tablesDisabledTest.sh | 24 +++++++++++++++++++
 test/docker-in-docker/scenarios.json | 9 +++++++
 4 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 test/docker-in-docker/dockerIp6tablesDisabledTest.sh
diff --git a/src/docker-in-docker/devcontainer-feature.json b/src/docker-in-docker/devcontainer-feature.json
index 4897ebf3e..f13b62d2d 100644
--- a/src/docker-in-docker/devcontainer-feature.json
+++ b/src/docker-in-docker/devcontainer-feature.json
@@ -1,6 +1,6 @@
 {
 "id": "docker-in-docker",
- "version": "2.11.0",
+ "version": "2.12.0",
 "name": "Docker (Docker-in-Docker)",
 "documentationURL": "https://github.com/devcontainers/features/tree/main/src/docker-in-docker",
 "description": "Create child containers *inside* a container, independent from the host's docker instance. Installs Docker extension in the container along with needed CLIs.",
@@ -55,6 +55,11 @@
 "type": "boolean",
 "default": true,
 "description": "Install Compose Switch (provided docker compose is available) which is a replacement to the Compose V1 docker-compose (python) executable. It translates the command line into Compose V2 docker compose then runs the latter."
+ },
+ "disableIp6tables": {
+ "type": "boolean",
+ "default": false,
+ "description": "Disable ip6tables (this option is only applicable for Docker versions 27 and greater)"
 }
 },
 "entrypoint": "/usr/local/share/docker-init.sh",
diff --git a/src/docker-in-docker/install.sh b/src/docker-in-docker/install.sh
index ee9cb6ee6..c4c098ba8 100755
--- a/src/docker-in-docker/install.sh
+++ b/src/docker-in-docker/install.sh
@@ -20,6 +20,7 @@ INSTALL_DOCKER_COMPOSE_SWITCH="${INSTALLDOCKERCOMPOSESWITCH:-"true"}"
 MICROSOFT_GPG_KEYS_URI="https://packages.microsoft.com/keys/microsoft.asc"
 DOCKER_MOBY_ARCHIVE_VERSION_CODENAMES="bookworm buster bullseye bionic focal jammy noble"
 DOCKER_LICENSED_ARCHIVE_VERSION_CODENAMES="bookworm buster bullseye bionic focal hirsute impish jammy noble"
+DISABLE_IP6_TABLES="${DISABLEIP6TABLES:-false}"
 # Default: Exit on any failure.
 set -e
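Review bot: The `disableIp6tables` description added in the second devcontainer-feature.json hunk names the switch but not what it does to packet filtering. Per the install.sh hunks later in this patch, enabling it starts dockerd with `--ip6tables=false`, so Docker stops managing IPv6 firewall rules for container networks and any IPv6 filtering becomes the user's responsibility. The same hunks show the option is silently skipped for versions below 27, which the text should say as well. I would word it along the lines of `"description": "Start dockerd with --ip6tables=false so Docker does not manage IPv6 firewall rules for containers (only applied for Docker 27 and later; ignored otherwise)"`.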
@@ -468,6 +469,23 @@ if [ "${INSTALL_DOCKER_BUILDX}" = "true" ]; then
 find "${docker_home}" -type d -print0 | xargs -n 1 -0 chmod g+s
 fi
+DOCKER_DEFAULT_IP6_TABLES=""
+if [ "$DISABLE_IP6_TABLES" == true ]; then
+ requested_version=""
+ # checking whether the version requested either is in semver format or just a number denoting the major version
+ # and, extracting the major version number out of the two scenarios
+ semver_regex="^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-([0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*))?(\+([0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*))?$"
+ if echo "$DOCKER_VERSION" | grep -Eq $semver_regex; then
+ requested_version=$(echo $DOCKER_VERSION | cut -d. -f1)
+ elif echo "$DOCKER_VERSION" | grep -Eq "^[1-9][0-9]*$"; then
+ requested_version=$DOCKER_VERSION
+ fi
+ if [ "$DOCKER_VERSION" = "latest" ] || [[ -n "$requested_version" && "$requested_version" -ge 27 ]] ; then
+ DOCKER_DEFAULT_IP6_TABLES="--ip6tables=false"
+ echo "(!) As requested, passing '${DOCKER_DEFAULT_IP6_TABLES}'"
+ fi
+fi
+
 tee /usr/local/share/docker-init.sh > /dev/null \
 << EOF
 #!/bin/sh
@@ -480,11 +498,12 @@ set -e
 AZURE_DNS_AUTO_DETECTION=${AZURE_DNS_AUTO_DETECTION}
 DOCKER_DEFAULT_ADDRESS_POOL=${DOCKER_DEFAULT_ADDRESS_POOL}
+DOCKER_DEFAULT_IP6_TABLES=${DOCKER_DEFAULT_IP6_TABLES}
 EOF
 tee -a /usr/local/share/docker-init.sh > /dev/null \
 << 'EOF'
-dockerd_start="AZURE_DNS_AUTO_DETECTION=${AZURE_DNS_AUTO_DETECTION} DOCKER_DEFAULT_ADDRESS_POOL=${DOCKER_DEFAULT_ADDRESS_POOL} $(cat << 'INNEREOF'
+dockerd_start="AZURE_DNS_AUTO_DETECTION=${AZURE_DNS_AUTO_DETECTION} DOCKER_DEFAULT_ADDRESS_POOL=${DOCKER_DEFAULT_ADDRESS_POOL} DOCKER_DEFAULT_IP6_TABLES=${DOCKER_DEFAULT_IP6_TABLES} $(cat << 'INNEREOF'
 # explicitly remove dockerd and containerd PID file to ensure that it can start properly if it was stopped uncleanly
 find /run /var/run -iname 'docker*.pid' -delete || :
 find /run /var/run -iname 'container*.pid' -delete || :
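Review bot: `$semver_regex` and `$DOCKER_VERSION` are expanded unquoted in the block added at `@@ -468`, so the pattern, which contains `*` and bracket expressions, goes through word splitting and pathname expansion before grep sees it. The two lines should read `if echo "$DOCKER_VERSION" | grep -Eq "$semver_regex"; then` and `requested_version=$(echo "$DOCKER_VERSION" | cut -d. -f1)`. Separately, a two-component value such as `27.0` matches neither pattern, so `requested_version` stays empty and the option is dropped without any message. An `else` branch that prints a warning when `DISABLE_IP6_TABLES` is true but the flag is not applied would make that visible. `DOCKER_VERSION` is assigned outside this hunk, so which value forms it accepts cannot be confirmed from here.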
@@ -562,7 +581,7 @@ dockerd_start="AZURE_DNS_AUTO_DETECTION=${AZURE_DNS_AUTO_DETECTION} DOCKER_DEFAU
 fi
 # Start docker/moby engine
- ( dockerd $CUSTOMDNS $DEFAULT_ADDRESS_POOL > /tmp/dockerd.log 2>&1 ) &
+ ( dockerd $CUSTOMDNS $DEFAULT_ADDRESS_POOL $DOCKER_DEFAULT_IP6_TABLES > /tmp/dockerd.log 2>&1 ) &
 INNEREOF
 )"
diff --git a/test/docker-in-docker/dockerIp6tablesDisabledTest.sh b/test/docker-in-docker/dockerIp6tablesDisabledTest.sh
new file mode 100644
index 000000000..977054ffc
--- /dev/null
+++ b/test/docker-in-docker/dockerIp6tablesDisabledTest.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+# Optional: Import test library
+source dev-container-features-test-lib
+
+ip6tablesCheck() {
+ if command -v ip6tables > /dev/null 2>&1; then
+ if ip6tables -L > /dev/null 2>&1; then
+ echo "✔️ ip6tables is enabled."
+ else
+ echo "❌ ip6tables is disabled."
+ fi
+ else
+ echo "❕ip6tables command not found. ❕"
+ fi
+}
+
+check "ip6tables" ip6tablesCheck
+check "ip6tables check" bash -c "docker network inspect bridge"
+check "docker-build" docker build ./
+
+reportResults
\ No newline at end of file
diff --git a/test/docker-in-docker/scenarios.json b/test/docker-in-docker/scenarios.json
index 33333583d..699a1dd79 100644
--- a/test/docker-in-docker/scenarios.json
+++ b/test/docker-in-docker/scenarios.json
@@ -8,6 +8,15 @@
 }
 }
 },
+ "dockerIp6tablesDisabledTest": {
+ "image": "ubuntu:focal",
+ "features": {
+ "docker-in-docker": {
+ "version": "27.0.3",
+ "disableIp6tables": true
+ }
+ }
+ },
 "dockerDefaultAddressPool": {
 "image": "mcr.microsoft.com/vscode/devcontainers/javascript-node:0-18",
 "remoteUser": "node",
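Review bot: `ip6tablesCheck` in the new dockerIp6tablesDisabledTest.sh can never fail: every branch only echoes, so the function returns 0 whether or not `ip6tables -L` succeeds. It also probes the ip6tables binary rather than how dockerd was started. The second check, `docker network inspect bridge`, asserts nothing about ip6tables either, so the scenario would pass even if `--ip6tables=false` were never applied. A check against the generated init script would pin the behaviour, for example `check "ip6tables flag written" grep -qF -- "DOCKER_DEFAULT_IP6_TABLES=--ip6tables=false" /usr/local/share/docker-init.sh`.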