guix-devel

Re: Adjustments to Docker related packages and service


From: Jesse Dowell
Subject: Re: Adjustments to Docker related packages and service
Date: Mon, 21 Sep 2020 22:50:10 -0400

On Mon, Sep 21, 2020 at 6:18 AM Efraim Flashner <efraim@flashner.co.il> wrote:
...
> > From ac3277477bda6741ff3a8af9530c2fd68e2bb062 Mon Sep 17 00:00:00 2001
> > From: Jesse Dowell <jessedowell@gmail.com>
> > Date: Sat, 19 Sep 2020 12:45:39 -0400
> > Subject: [PATCH 4/4] gnu: docker: use nftables via iptables-legacy
> >
>
> I think you meant nftables via iptables
>
> > ---
> >  gnu/packages/docker.scm | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm
> > index 825aa1ef0f..322f00026f 100644
> > --- a/gnu/packages/docker.scm
> > +++ b/gnu/packages/docker.scm
> > @@ -438,8 +438,8 @@ built-in registry server of Docker.")
> >                    ("pvdisplay" "lvm2" "sbin/pvdisplay")
> >                    ("blkid" "util-linux" "sbin/blkid")
> >                    ("unpigz" "pigz" "bin/unpigz")
> > -                  ("iptables" "iptables" "sbin/iptables")
> > -                  ("iptables-legacy" "iptables" "sbin/iptables")
> > +                  ("iptables" "iptables" "sbin/iptables-nft")
> > +                  ("iptables-legacy" "iptables" "sbin/iptables-legacy")
>
> I checked the iptables package. 'iptables' and 'iptables-legacy' are
> both symlinks for 'xtables-legacy-multi'. There is another binary for
> 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking
> through the source there aren't actually any references to
> iptables-legacy in the docker tarball (except in the Dockerfile).
>
> Guix has services for both iptables and nftables. I'd rather not break
> existing workflows by switching iptables in docker to nftables. Also I
> don't know if it is possible to easily support both in the same package.
>
> >                    ("ip" "iproute2" "sbin/ip"))
> >
> >                   (substitute-Command*
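Review bot: the subject line does not match the hunk, and the commit message gives no rationale for the backend switch. `+ ("iptables" "iptables" "sbin/iptables-nft")` redirects every `iptables` call Docker makes to the nf_tables backend, while `+ ("iptables-legacy" "iptables" "sbin/iptables-legacy")` retargets a name the docker tarball reportedly never references outside its Dockerfile, so that second line may be a no-op and should be dropped or justified. Rules loaded through the package's plain `iptables` symlink (the legacy multi-binary, per the reply above) live in x_tables, whereas Docker's would then land in nf_tables; the kernel evaluates both rule sets, so a host that also runs the iptables service ends up with two independent firewalls. The commit message should state this, and either exposing the backend as a service option or leaving `sbin/iptables` in place would avoid changing behaviour for existing users.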
> > --
> > 2.28.0
> >
>
> I've pushed the first 3 patches and I'd love to have some other input
> on the iptables/nftables bit in the 4th patch.
>
> --
> Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted

Hi Efraim,

Thanks for reviewing the patches! I figured the nftables change would
require more thought and input. Here's my 2 cents...

> > +                  ("iptables" "iptables" "sbin/iptables-nft")
> > +                  ("iptables-legacy" "iptables" "sbin/iptables-legacy")
...
> I checked the iptables package. 'iptables' and 'iptables-legacy' are
> both symlinks for 'xtables-legacy-multi'. There is another binary for
> 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking
> through the source there aren't actually any references to
> iptables-legacy in the docker tarball (except in the Dockerfile).

My memory is a little foggy here but I think the goal is to fool
Docker into using nftables with the rename. It does work for me
locally - all Docker attempts to create iptables rules get translated
into the equivalent nftables rules. I'll try and test soon to see what
happens without that change. It's possible the "iptables-legacy" line
isn't needed at all but I suspect the iptables-nft line is.

In terms of whether defaulting Docker to nftables is appropriate...I
don't know what's best for Guix but it does seem that many distros are
updating their default firewall to use nftables (Debian, Fedora,
etc.). Anecdotally - the nftables compatibility layer works great for
me :).

Best,
Jesse
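As an added example (not code from this thread or from Guix), a small POSIX sh helper for the caveat Efraim raises: it classifies which backend an `iptables -V` banner reports and flags a host whose legacy and nft backends both hold rules, the situation that arises when Docker is pointed at `iptables-nft` while other tooling keeps using the legacy binary. The `iptables-legacy-save`/`iptables-nft-save` listings embedded below are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Guix patch: detect mixed iptables backends.

# backend_of BANNER: classify an `iptables -V` line as nft, legacy or unknown.
backend_of() {
  case "$1" in
    *"(nf_tables)"*) printf 'nft\n' ;;
    *"(legacy)"*)    printf 'legacy\n' ;;
    *)               printf 'unknown\n' ;;
  esac
}

# count_rules SAVE_OUTPUT: number of rule lines (-A ...) in iptables-save text.
count_rules() {
  printf '%s\n' "$1" | grep -c '^-A' || true
}

# mixed_backends LEGACY_SAVE NFT_SAVE: succeeds when both backends carry rules,
# i.e. the kernel evaluates two independent rule sets for the same packets.
mixed_backends() {
  [ "$(count_rules "$1")" -gt 0 ] && [ "$(count_rules "$2")" -gt 0 ]
}

# Constructed sample data standing in for `iptables-legacy-save` and
# `iptables-nft-save` output on a host where Docker uses the nft backend.
SAMPLE_LEGACY='# Generated by iptables-legacy-save
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_NFT='# Generated by iptables-nft-save
*nat
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

echo "docker-facing iptables backend: $(backend_of 'iptables v1.8.5 (nf_tables)')"
if mixed_backends "$SAMPLE_LEGACY" "$SAMPLE_NFT"; then
  echo "warning: rules present in both legacy and nft backends"
else
  echo "ok: a single backend holds all rules"
fi
```

On a real host, feed the functions the output of `iptables -V`, `iptables-legacy-save` and `iptables-nft-save` instead of the samples.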
