feat(bootstrap): use native nftables under Podman, drop legacy iptables modules

maxamillion · maxamillion · commit aac57d08caaf · 2026-04-07T17:25:45.000-05:00
When running under Podman, the k3s cluster now uses:
- Native nftables kube-proxy mode (--kube-proxy-arg=proxy-mode=nftables)
- Host DNS resolution instead of iptables DNAT proxy (Podman DNS is routable)
- Skipped iptables backend probe (unnecessary with nftables kube-proxy)

This eliminates the need for legacy iptables kernel modules (ip_tables,
iptable_nat, iptable_filter, iptable_mangle) on the host when using Podman.
The Docker path is completely unchanged — all new behavior is gated on
CONTAINER_RUNTIME=podman.

Container image: add nftables package (provides nft binary for kube-proxy).

RPM spec: modules-load.d now only loads br_netfilter (still required for
bridged pod traffic regardless of iptables/nftables). Remove podman-docker
recommends (no longer needed with native Podman socket detection and
nftables networking).
diff --git a/crates/openshell-bootstrap/src/docker.rs b/crates/openshell-bootstrap/src/docker.rs
@@ -878,6 +878,11 @@ pub async fn ensure_container(
         env_vars.push("GPU_ENABLED=true".to_string());
     }
 
+    // Pass the container runtime to the entrypoint so it can select the
+    // appropriate networking stack (nftables kube-proxy for Podman, iptables
+    // DNS proxy for Docker, etc.).
+    env_vars.push(format!("CONTAINER_RUNTIME={}", runtime.binary_name()));
+
     let env = Some(env_vars);
 
     // Set the health check explicitly on the container config so it works
diff --git a/deploy/docker/Dockerfile.images b/deploy/docker/Dockerfile.images
@@ -233,6 +233,7 @@ RUN dnf install -y fedora-repos && \
     dnf install -y \
     ca-certificates \
     iptables \
+    nftables \
     util-linux \
     bind-utils \
     && dnf clean all
diff --git a/deploy/docker/cluster-entrypoint.sh b/deploy/docker/cluster-entrypoint.sh
@@ -34,22 +34,13 @@ yaml_quote() {
     printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
 }
 
-# ---------------------------------------------------------------------------
-# Select iptables backend
-# ---------------------------------------------------------------------------
-# Some kernels (e.g. Jetson Linux 5.15-tegra) have the nf_tables subsystem
-# but lack the nft_compat bridge that allows flannel and kube-proxy to use
-# xt extension modules (xt_comment, xt_conntrack). Detect this by probing
-# whether xt_comment is usable via the current iptables backend. If the
-# probe fails, switch to iptables-legacy. Set USE_IPTABLES_LEGACY=1
-# externally to skip the probe and force the legacy backend.
 # ---------------------------------------------------------------------------
 # Check br_netfilter kernel module
 # ---------------------------------------------------------------------------
 # br_netfilter makes the kernel pass bridge (pod-to-pod) traffic through
-# iptables. Without it, kube-proxy's DNAT rules for ClusterIP services are
-# never applied to pod traffic, so pods cannot reach services such as
-# kube-dns (10.43.0.10), breaking all in-cluster DNS resolution.
+# netfilter (iptables or nftables). Without it, kube-proxy's DNAT rules for
+# ClusterIP services are never applied to pod traffic, so pods cannot reach
+# services such as kube-dns (10.43.0.10), breaking all in-cluster DNS.
 #
 # The module must be loaded on the HOST before the container starts —
 # containers cannot load kernel modules themselves. If it is missing, log a
@@ -65,25 +56,37 @@ if [ ! -f /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
 	echo "           echo br_netfilter | sudo tee /etc/modules-load.d/br_netfilter.conf" >&2
 fi
 
-if [ -z "${USE_IPTABLES_LEGACY:-}" ]; then
-	if iptables -t filter -N _xt_probe 2>/dev/null; then
-		_probe_rc=0
-		iptables -t filter -A _xt_probe -m comment --comment "probe" -j ACCEPT \
-			2>/dev/null || _probe_rc=$?
-		iptables -t filter -D _xt_probe -m comment --comment "probe" -j ACCEPT \
-			2>/dev/null || true
-		iptables -t filter -X _xt_probe 2>/dev/null || true
-		[ "$_probe_rc" -ne 0 ] && USE_IPTABLES_LEGACY=1
+# ---------------------------------------------------------------------------
+# Select iptables backend (Docker only)
+# ---------------------------------------------------------------------------
+# Under Podman with nftables kube-proxy mode, the iptables backend probe is
+# unnecessary — kube-proxy uses nft directly. Flannel still uses the iptables
+# binary but through the nft compat shim which doesn't need the xt probe.
+#
+# Under Docker (or unset runtime), probe whether xt_comment is usable. Some
+# kernels (e.g. Jetson Linux 5.15-tegra) have nf_tables but lack the
+# nft_compat bridge. If the probe fails, switch to iptables-legacy.
+if [ "${CONTAINER_RUNTIME:-}" != "podman" ]; then
+	if [ -z "${USE_IPTABLES_LEGACY:-}" ]; then
+		if iptables -t filter -N _xt_probe 2>/dev/null; then
+			_probe_rc=0
+			iptables -t filter -A _xt_probe -m comment --comment "probe" -j ACCEPT \
+				2>/dev/null || _probe_rc=$?
+			iptables -t filter -D _xt_probe -m comment --comment "probe" -j ACCEPT \
+				2>/dev/null || true
+			iptables -t filter -X _xt_probe 2>/dev/null || true
+			[ "$_probe_rc" -ne 0 ] && USE_IPTABLES_LEGACY=1
+		fi
 	fi
-fi
 
-if [ "${USE_IPTABLES_LEGACY:-0}" = "1" ]; then
-	echo "iptables nf_tables xt extension bridge unavailable — switching to iptables-legacy"
-	if update-alternatives --set iptables /usr/sbin/iptables-legacy 2>/dev/null &&
-		update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 2>/dev/null; then
-		echo "Now using iptables-legacy mode"
-	else
-		echo "Warning: could not switch to iptables-legacy — cluster networking may fail"
+	if [ "${USE_IPTABLES_LEGACY:-0}" = "1" ]; then
+		echo "iptables nf_tables xt extension bridge unavailable — switching to iptables-legacy"
+		if update-alternatives --set iptables /usr/sbin/iptables-legacy 2>/dev/null &&
+			update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 2>/dev/null; then
+			echo "Now using iptables-legacy mode"
+		else
+			echo "Warning: could not switch to iptables-legacy — cluster networking may fail"
+		fi
 	fi
 fi
 
@@ -174,13 +177,20 @@ setup_dns_proxy() {
 	echo "Configured k3s DNS to use ${CONTAINER_IP} (proxied to Docker DNS)"
 }
 
-if ! setup_dns_proxy; then
-	echo "DNS proxy setup failed, falling back to public DNS servers"
-	echo "Note: this may not work on Docker Desktop (Mac/Windows)"
-	cat >"$RESOLV_CONF" <<EOF
+if [ "${CONTAINER_RUNTIME:-}" = "podman" ]; then
+	# Podman DNS is directly routable (aardvark-dns or host DNS) — no proxy
+	# needed. Copy the container's resolv.conf so k3s has a stable path.
+	cp /etc/resolv.conf "$RESOLV_CONF"
+	echo "Podman detected — using host DNS resolution (no proxy needed)"
+else
+	if ! setup_dns_proxy; then
+		echo "DNS proxy setup failed, falling back to public DNS servers"
+		echo "Note: this may not work on Docker Desktop (Mac/Windows)"
+		cat >"$RESOLV_CONF" <<EOF
 nameserver 8.8.8.8
 nameserver 8.8.4.4
 EOF
+	fi
 fi
 
 # ---------------------------------------------------------------------------
@@ -632,7 +642,9 @@ fi
 # On kernels where xt_comment is unavailable, kube-router's network policy
 # controller panics at startup. Disable it when the iptables-legacy probe
 # triggered; sandbox isolation is enforced by the NSSH1 HMAC handshake instead.
-if [ "${USE_IPTABLES_LEGACY:-0}" = "1" ]; then
+# Under Podman with nftables kube-proxy, the xt probe is skipped entirely so
+# USE_IPTABLES_LEGACY is never set — network policy stays enabled.
+if [ "${USE_IPTABLES_LEGACY:-0}" = "1" ] && [ "${CONTAINER_RUNTIME:-}" != "podman" ]; then
 	EXTRA_KUBELET_ARGS="$EXTRA_KUBELET_ARGS --disable-network-policy"
 fi
 
@@ -659,8 +671,23 @@ if [ -n "${OPENSHELL_NODE_NAME:-}" ]; then
     echo "Using deterministic k3s node name: ${OPENSHELL_NODE_NAME}"
 fi
 
+# ---------------------------------------------------------------------------
+# Select kube-proxy mode
+# ---------------------------------------------------------------------------
+# Under Podman, use native nftables kube-proxy mode so no legacy iptables
+# kernel modules (ip_tables, iptable_nat, etc.) are required on the host.
+# Docker retains the default iptables mode for maximum compatibility.
+EXTRA_KUBE_PROXY_ARGS=""
+if [ "${CONTAINER_RUNTIME:-}" = "podman" ]; then
+	echo "Podman detected — using nftables kube-proxy mode"
+	EXTRA_KUBE_PROXY_ARGS="--kube-proxy-arg=proxy-mode=nftables"
+fi
+
 # Execute k3s with explicit resolv-conf passed as a kubelet arg.
 # k3s v1.35.2+ no longer accepts --resolv-conf as a top-level server flag;
 # it must be passed via --kubelet-arg instead.
 # shellcheck disable=SC2086
-exec /bin/k3s "$@" $NODE_NAME_ARG --kubelet-arg=resolv-conf="$RESOLV_CONF" $EXTRA_KUBELET_ARGS
+exec /bin/k3s "$@" $NODE_NAME_ARG \
+	--kubelet-arg=resolv-conf="$RESOLV_CONF" \
+	$EXTRA_KUBELET_ARGS \
+	$EXTRA_KUBE_PROXY_ARGS
diff --git a/openshell.spec b/openshell.spec
@@ -39,10 +39,6 @@ BuildRequires:  python3-devel
 # Runtime: container runtime for gateway lifecycle (start/stop/destroy).
 # Podman is preferred; Docker is also supported via --container-runtime flag.
 Recommends:     podman
-# When Podman is the container runtime, podman-docker provides the
-# /var/run/docker.sock symlink and `docker` CLI alias that third-party
-# libraries (e.g., bollard) expect.
-Recommends:     podman-docker
 
 %description
 OpenShell provides safe, sandboxed runtimes for autonomous AI agents.
@@ -98,19 +94,18 @@ cargo build --release --bin openshell
 # Install CLI binary
 install -Dpm 0755 target/release/%{name} %{buildroot}%{_bindir}/%{name}
 
-# Install modules-load.d config for legacy iptables kernel modules.
-# k3s (used by the gateway cluster) bundles its own legacy iptables binary
-# for flannel CNI. Modern distros (Fedora 41+, RHEL 10+) only load nf_tables
-# by default, so these legacy modules must be explicitly loaded.
+# Install modules-load.d config for br_netfilter.
+# br_netfilter makes the kernel pass bridged (pod-to-pod) traffic through
+# netfilter hooks so kube-proxy DNAT rules (iptables or nftables) apply to
+# ClusterIP service traffic. Legacy iptables modules are not required —
+# kube-proxy uses native nftables under Podman, and the iptables binary on
+# modern distros (Fedora 41+, RHEL 10+) is iptables-nft which uses the
+# nf_tables kernel path.
 install -d %{buildroot}%{_modulesloaddir}
 cat > %{buildroot}%{_modulesloaddir}/%{name}.conf << 'EOF'
-# Load legacy iptables kernel modules required by k3s flannel CNI.
-# Modern kernels use nf_tables by default; these modules provide the
-# legacy iptables interface that k3s's bundled iptables-legacy needs.
-ip_tables
-iptable_nat
-iptable_filter
-iptable_mangle
+# Load br_netfilter for K3s bridge networking.
+# Required so kube-proxy DNAT rules (iptables or nftables) apply to
+# bridged pod-to-pod traffic for ClusterIP service resolution.
 br_netfilter
 EOF
 
@@ -154,9 +149,9 @@ echo "rpm" > %{buildroot}%{python3_sitelib}/%{name}-%{version}.dist-info/INSTALL
 touch %{buildroot}%{python3_sitelib}/%{name}-%{version}.dist-info/RECORD
 
 %post
-# Load kernel modules immediately so a reboot is not required after
-# initial installation. The modules-load.d config handles subsequent boots.
-modprobe -a ip_tables iptable_nat iptable_filter iptable_mangle br_netfilter > /dev/null 2>&1 || :
+# Load br_netfilter immediately so a reboot is not required after install.
+# The modules-load.d config handles subsequent boots.
+modprobe br_netfilter > /dev/null 2>&1 || :
 %sysctl_apply 99-%{name}.conf
 
 %check
