unofficial mirror of guix-devel@gnu.org 
From: Jesse Dowell <jesse.dowell@gmail.com>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: guix-devel@gnu.org, Pjotr Prins <pjotr2020@thebird.nl>
Subject: Re: Adjustments to Docker related packages and service
Date: Mon, 21 Sep 2020 22:50:10 -0400	[thread overview]
Message-ID: <CADdvwM_C6w7t6DkFzNACGktBPz9dZG=+ZdqRi90-xt6ORmh5yw@mail.gmail.com> (raw)
In-Reply-To: <20200921101812.GA1756@E5400>

On Mon, Sep 21, 2020 at 6:18 AM Efraim Flashner <efraim@flashner.co.il> wrote:
...
> > From ac3277477bda6741ff3a8af9530c2fd68e2bb062 Mon Sep 17 00:00:00 2001
> > From: Jesse Dowell <jessedowell@gmail.com>
> > Date: Sat, 19 Sep 2020 12:45:39 -0400
> > Subject: [PATCH 4/4] gnu: docker: use nftables via iptables-legacy
> >
>
> I think you meant nftables via iptables
>
> > ---
> >  gnu/packages/docker.scm | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm
> > index 825aa1ef0f..322f00026f 100644
> > --- a/gnu/packages/docker.scm
> > +++ b/gnu/packages/docker.scm
> > @@ -438,8 +438,8 @@ built-in registry server of Docker.")
> >                    ("pvdisplay" "lvm2" "sbin/pvdisplay")
> >                    ("blkid" "util-linux" "sbin/blkid")
> >                    ("unpigz" "pigz" "bin/unpigz")
> > -                  ("iptables" "iptables" "sbin/iptables")
> > -                  ("iptables-legacy" "iptables" "sbin/iptables")
> > +                  ("iptables" "iptables" "sbin/iptables-nft")
> > +                  ("iptables-legacy" "iptables" "sbin/iptables-legacy")
>
> I checked the iptables package. 'iptables' and 'iptables-legacy' are
> both symlinks for 'xtables-legacy-multi'. There is another binary for
> 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking
> through the source, there aren't actually any references to
> iptables-legacy in the docker tarball (except in the Dockerfile).
>
> Guix has services for both iptables and nftables. I'd rather not break
> existing workflows by switching iptables in docker to nftables. Also I
> don't know if it is possible to easily support both in the same package.
>
> >                    ("ip" "iproute2" "sbin/ip"))
> >
> >                   (substitute-Command*
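
Review bot: the subject "use nftables via iptables-legacy" does not describe this hunk, which maps the "iptables" name to sbin/iptables-nft; retitle it along the lines of "use the nf_tables backend of iptables" so the log records the backend switch. The second changed line, mapping "iptables-legacy" to sbin/iptables-legacy, has nothing to act on: as noted above, the only reference to iptables-legacy in the docker tarball is in the Dockerfile, so either drop that line or say in the commit message why it is kept. The first changed line switches the firewall backend for every user of the Guix Docker service while Guix still ships an iptables service alongside the nftables one, so the commit message should state why nf_tables becomes Docker's default and what a user who keeps the iptables service should expect; better, make the backend selectable from the service configuration instead of hardcoding it in the package.
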
> > --
> > 2.28.0
> >
>
> I've pushed the first 3 patches and I'd love to have some other input
> on the iptables/nftables bit in the 4th patch.
>
> --
> Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted

Hi Efraim,

Thanks for reviewing the patches! I figured the nftables change would
require more thought and input. Here's my 2 cents...

> > +                  ("iptables" "iptables" "sbin/iptables-nft")
> > +                  ("iptables-legacy" "iptables" "sbin/iptables-legacy")
...
> I checked the iptables package. 'iptables' and 'iptables-legacy' are
> both symlinks for 'xtables-legacy-multi'. There is another binary for
> 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking
> through the source, there aren't actually any references to
> iptables-legacy in the docker tarball (except in the Dockerfile).

My memory is a little foggy here, but I think the goal is to fool
Docker into using nftables with the rename. It does work for me
locally: all Docker attempts to create iptables rules get translated
into the equivalent nftables rules. I'll try to test soon to see what
happens without that change. It's possible the "iptables-legacy" line
isn't needed at all, but I suspect the iptables-nft line is.

In terms of whether defaulting Docker to nftables is appropriate... I
don't know what's best for Guix, but it does seem that many distros are
updating their default firewall to use nftables (Debian, Fedora,
etc.). Anecdotally, the nftables compatibility layer works great for
me :).

Best,
Jesse
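
A check for the claim in the message above that Docker's rules end up in
nftables, added here as an example; it is not code from this thread, from
Guix or from Docker. Two things are worth verifying on a system built with
the patch: which backend each iptables binary on PATH reports in
`iptables -V` (iptables 1.8 prints "(nf_tables)" or "(legacy)" there; the
exact format is an assumption), and whether the DOCKER chains show up in
`nft list ruleset`. The last function flags the situation Efraim's remark
about the existing iptables service leads to, where the legacy backend and
nf_tables both hold rules at once; packets traverse both sets, and neither
`iptables-legacy -S` nor `nft list ruleset` alone shows everything. The
sample dumps are constructed for the example, not captured from a host.

```shell
#!/bin/sh
# Added example for this thread, not code from Guix or Docker. It checks
# (1) which xtables backend an iptables binary uses, as reported by `-V`,
# and (2) whether Docker's chains are visible to `nft list ruleset`.
# Assumptions: iptables >= 1.8 prints "(nf_tables)" or "(legacy)" in -V
# output; nft prints chains as "chain NAME {". Read-only; changes no rules.

# Classify a string from `iptables -V`, e.g. "iptables v1.8.5 (nf_tables)".
backend_of_version_string() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Classify the binary at path $1; prints "missing" (status 1) if not runnable.
backend_of_binary() {
  v=$("$1" -V 2>/dev/null) || { echo missing; return 1; }
  backend_of_version_string "$v"
}

# Count Docker-created chains (DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-n)
# in an `nft list ruleset` dump passed as $1. When Docker talks to the legacy
# backend this is 0 even while containers run: those rules live in the old
# xtables interface and nft never shows them, so an audit of nft alone is
# incomplete.
docker_chains_in_nft_ruleset() {
  printf '%s\n' "$1" | grep -c -E '^[[:space:]]*chain DOCKER' || true
}

# Succeed (status 0) when both backends carry rules at once: the kernel
# evaluates both sets, and neither `iptables-legacy -S` nor `nft list
# ruleset` shows the whole picture. $1: `iptables-legacy-save` output,
# $2: `nft list ruleset` output.
rules_in_both_backends() {
  legacy_rules=$(printf '%s\n' "$1" | grep -c '^-A ' || true)
  nft_chains=$(printf '%s\n' "$2" | grep -c -E '^[[:space:]]*chain ' || true)
  [ "$legacy_rules" -gt 0 ] && [ "$nft_chains" -gt 0 ]
}

# Constructed sample dumps (the shape of what Docker installs; not captured
# from a real host).
SAMPLE_NFT_RULESET='table ip nat {
  chain DOCKER {
    iifname "docker0" counter return
  }
  chain POSTROUTING {
    type nat hook postrouting priority srcnat; policy accept;
    oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
  }
}
table ip filter {
  chain DOCKER {
  }
  chain DOCKER-USER {
    counter return
  }
  chain DOCKER-ISOLATION-STAGE-1 {
    iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
    counter return
  }
  chain FORWARD {
    type filter hook forward priority filter; policy drop;
    counter jump DOCKER-USER
  }
}'
SAMPLE_LEGACY_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# Live, read-only report when run on a host: backend of each binary on PATH,
# and (as root, if nft is installed) how many Docker chains nft can see.
for bin in iptables iptables-legacy iptables-nft; do
  command -v "$bin" >/dev/null 2>&1 &&
    printf '%-16s %s\n' "$bin" "$(backend_of_binary "$(command -v "$bin")")"
done
if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
  live=$(nft list ruleset 2>/dev/null || true)
  printf 'Docker chains visible to nft: %s\n' "$(docker_chains_in_nft_ruleset "$live")"
fi
```

Run it as root on the host after the Docker service has started. With the
patch applied you expect the `iptables` name to report nf_tables and a
non-zero Docker chain count; a zero count next to running containers means
Docker's rules went to the legacy backend and are invisible to nft.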


Thread overview:
2020-09-19 19:03 Adjustments to Docker related packages and service Jesse Dowell
2020-09-21 10:18 ` Efraim Flashner
2020-09-22  2:50   ` Jesse Dowell [this message]

Code repository for the project associated with this public inbox:

	https://git.savannah.gnu.org/cgit/guix.git