fix(bootstrap): load flannel iptables modules and fix nftables healthcheck

Flannel's embedded traffic manager in k3s v1.35.x is compiled without the
nft backend — it only supports iptables-legacy, which requires kernel
modules (ip_tables, iptable_nat, iptable_filter, iptable_mangle) that
modern distributions (Fedora 43+, RHEL 10+) no longer load by default.

Changes:

- cluster-entrypoint.sh: When running under Podman, explicitly load the
  legacy iptables kernel modules via modprobe before starting k3s.  The
  container already runs privileged, so modprobe works when /lib/modules
  is available.

- docker.rs: Bind-mount /lib/modules from the host into the gateway
  container (read-only) so the entrypoint's modprobe calls can find the
  host kernel modules.

- cluster-healthcheck.sh: Replace the hardcoded 127.0.0.1 NodePort check
  with the node's actual InternalIP.  When kube-proxy runs in nftables
  mode, NodePort DNAT rules only match the node's real IP addresses —
  loopback is not in the nftables nodeport-ips set, so the old check
  always failed.

Tested on Fedora 43 (kernel 6.19, Podman 5.8.1) with the full lifecycle:
gateway start, provider create/list/delete, sandbox create/exec/delete.

Author: maxamillion

crates/openshell-bootstrap/src/docker.rs

@@ -705,7 +705,17 @@ pub async fn ensure_container(
         privileged: Some(true),
         cgroupns_mode: Some(cgroupns),
         port_bindings: Some(port_bindings),
-        binds: Some(vec![format!("{}:/var/lib/rancher/k3s", volume_name(name))]),
+        binds: Some({
+            let mut binds = vec![format!("{}:/var/lib/rancher/k3s", volume_name(name))];
+            // Mount host kernel modules so the entrypoint can load iptable_nat
+            // and related modules required by flannel.  Modern distributions
+            // (Fedora 43+, RHEL 10+) no longer load legacy iptables modules by
+            // default, and the container image doesn't ship its own modules.
+            if std::path::Path::new("/lib/modules").exists() {
+                binds.push("/lib/modules:/lib/modules:ro".to_string());
+            }
+            binds
+        }),
         network_mode: Some(network_name(name)),
         // Automatically restart the container when Docker restarts, unless the
         // user explicitly stopped it with `gateway stop`.

deploy/docker/cluster-entrypoint.sh

@@ -675,12 +675,32 @@ fi
 # Select kube-proxy mode
 # ---------------------------------------------------------------------------
 # Under Podman, use native nftables kube-proxy mode so no legacy iptables
-# kernel modules (ip_tables, iptable_nat, etc.) are required on the host.
-# Docker retains the default iptables mode for maximum compatibility.
+# kernel modules are needed for kube-proxy service routing.
+#
+# Flannel's embedded traffic manager in k3s v1.35.x still uses the iptables
+# binary (no nft backend compiled in).  The iptables binary inside the
+# container is iptables-legacy, which requires the iptable_nat, iptable_filter,
+# and ip_tables kernel modules.  Modern distributions (Fedora 43+, RHEL 10+)
+# no longer load these modules by default.  Since the container runs
+# privileged with /lib/modules mounted from the host, load them explicitly
+# so flannel masquerade rules work.
+#
+# Docker retains the default iptables kube-proxy mode for maximum compatibility.
 EXTRA_KUBE_PROXY_ARGS=""
 if [ "${CONTAINER_RUNTIME:-}" = "podman" ]; then
 	echo "Podman detected — using nftables kube-proxy mode"
 	EXTRA_KUBE_PROXY_ARGS="--kube-proxy-arg=proxy-mode=nftables"
+
+	# Load legacy iptables kernel modules required by flannel.
+	# The container runs privileged with /lib/modules bind-mounted from the
+	# host, so modprobe works.  These modules are needed because flannel's
+	# traffic manager calls iptables-legacy for masquerade rules, which
+	# requires the kernel-side iptable_nat and related modules.
+	for _mod in ip_tables iptable_nat iptable_filter iptable_mangle; do
+		if ! modprobe "$_mod" 2>/dev/null; then
+			echo "Warning: could not load kernel module $_mod — flannel masquerade may fail" >&2
+		fi
+	done
 fi
 
 # Execute k3s with explicit resolv-conf passed as a kubelet arg.

deploy/docker/cluster-healthcheck.sh

@@ -75,8 +75,18 @@ kubectl -n openshell get secret openshell-ssh-handshake >/dev/null 2>&1 || exit
 # ---------------------------------------------------------------------------
 # Verify the gateway NodePort (30051) is actually accepting TCP connections.
 # After a container restart, kube-proxy may need extra time to re-program
-# iptables rules for NodePort routing.  Without this check the health check
-# can pass before the port is routable, causing "Connection refused" on the
-# host-mapped port.
+# iptables/nftables rules for NodePort routing.  Without this check the
+# health check can pass before the port is routable, causing "Connection
+# refused" on the host-mapped port.
+#
+# When kube-proxy runs in nftables mode (Podman), NodePort DNAT rules only
+# match traffic destined to the node's real IP addresses — loopback
+# (127.0.0.1) is not in the nodeport-ips set.  Use the node's InternalIP
+# so the check works with both iptables and nftables kube-proxy modes.
 # ---------------------------------------------------------------------------
-timeout 2 bash -c 'echo >/dev/tcp/127.0.0.1/30051' 2>/dev/null || exit 1
+NODEPORT_CHECK_IP="127.0.0.1"
+NODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}' 2>/dev/null || true)
+if [ -n "$NODE_IP" ]; then
+    NODEPORT_CHECK_IP="$NODE_IP"
+fi
+timeout 2 bash -c "echo >/dev/tcp/${NODEPORT_CHECK_IP}/30051" 2>/dev/null || exit 1