References: <20200921101812.GA1756@E5400>
In-Reply-To: <20200921101812.GA1756@E5400>
From: Jesse Dowell
Date: Mon, 21 Sep 2020 22:50:10 -0400
Subject: Re: Adjustments to Docker related packages and service
To: Efraim Flashner
Cc: guix-devel@gnu.org, Pjotr Prins

On Mon, Sep 21, 2020 at 6:18 AM Efraim Flashner wrote:
...
> > From ac3277477bda6741ff3a8af9530c2fd68e2bb062 Mon Sep 17 00:00:00 2001
> > From: Jesse Dowell
> > Date: Sat, 19 Sep 2020 12:45:39 -0400
> > Subject: [PATCH 4/4] gnu: docker: use nftables via iptables-legacy
> >
>
> I think you meant nftables via iptables
>
> > ---
> >  gnu/packages/docker.scm | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/gnu/packages/docker.scm b/gnu/packages/docker.scm
> > index 825aa1ef0f..322f00026f 100644
> > --- a/gnu/packages/docker.scm
> > +++ b/gnu/packages/docker.scm
> > @@ -438,8 +438,8 @@ built-in registry server of Docker.")
> >  ("pvdisplay" "lvm2" "sbin/pvdisplay")
> >  ("blkid" "util-linux" "sbin/blkid")
> >  ("unpigz" "pigz" "bin/unpigz")
> > - ("iptables" "iptables" "sbin/iptables")
> > - ("iptables-legacy" "iptables" "sbin/iptables")
> > + ("iptables" "iptables" "sbin/iptables-nft")
> > + ("iptables-legacy" "iptables" "sbin/iptables-legacy")
>
> I checked the iptables package. 'iptables' and 'iptables-legacy' are
> both symlinks for 'xtables-legacy-multi'. There is another binary for
> 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking
> through the source there aren't actually any references to
> iptables-legacy in the docker tarball (except in the Dockerfile).
>
> Guix has services for both iptables and nftables. I'd rather not break
> existing workflows by switching iptables in docker to nftables. Also I
> don't know if it is possible to easily support both in the same package.
>
> >  ("ip" "iproute2" "sbin/ip"))
> >
> >  (substitute-Command*
> > --
> > 2.28.0
> >
>
> I've pushed the first 3 patches and I'd love to have some other input
> on the iptables/nftables bit in the 4th patch.
>
> --
> Efraim Flashner   אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted

Hi Efraim,

Thanks for reviewing the patches! I figured the nftables change would require more thought and input. Here's my 2 cents...

> > + ("iptables" "iptables" "sbin/iptables-nft")
> > + ("iptables-legacy" "iptables" "sbin/iptables-legacy")
...
> I checked the iptables package. 'iptables' and 'iptables-legacy' are
> both symlinks for 'xtables-legacy-multi'. There is another binary for
> 'iptables-nft' which is a symlink for 'xtables-nft-multi'. Checking
> through the source there aren't actually any references to
> iptables-legacy in the docker tarball (except in the Dockerfile).
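Review bot: the subject line says "use nftables via iptables-legacy", but the hunk's first "+" line maps the plain "iptables" name to sbin/iptables-nft, so the title names the wrong entry; reword it to say Docker's iptables calls are routed through the nft backend. The commit message also records nothing about this being a silent backend switch for every rule Docker manages, which matters on a host whose own firewall service still uses the legacy backend (the thread notes Guix ships services for both): Docker's chains would then sit in a different backend from the administrator's rules. Suggest stating that in the message and, where feasible, making the backend a selectable option rather than a hard-wired path. The second "+" line, ("iptables-legacy" "iptables" "sbin/iptables-legacy"), resolves to the same xtables-legacy-multi as the old sbin/iptables according to the review comment quoted above, so it changes nothing and can be dropped unless its purpose is documented.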
My memory is a little foggy here but I think the goal is to fool Docker into using nftables with the rename. It does work for me locally - all Docker attempts to create iptables rules get translated into the equivalent nftables rules. I'll try and test soon to see what happens without that change. It's possible the "iptables-legacy" line isn't needed at all but I suspect the iptables-nft line is.

In terms of whether defaulting Docker to nftables is appropriate... I don't know what's best for Guix but it does seem that many distros are updating their default firewall to use nftables (Debian, Fedora, etc). Anecdotally - the nftables compatibility layer works great for me :).

Best,
Jesse
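A check a practitioner might run after a change like the one discussed in this thread, added here as an example and not code from the thread or from Guix: it classifies which xtables backend a given iptables binary resolves to (using the symlink layout Efraim describes) and, from the two backends' `-S` dumps, reports whether Docker's chains (assumed to be named with the prefix DOCKER, which the thread itself does not mention) ended up in one backend or split across both. Sample dumps are constructed inline; the live check at the end needs root to read the real rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix: tell which xtables
# backend an "iptables" binary really dispatches to, and detect the mixed
# state where Docker's chains exist in both backends at once.

# Classify a resolved binary path using the symlink layout from the thread:
# iptables and iptables-legacy -> xtables-legacy-multi,
# iptables-nft -> xtables-nft-multi.
xtables_backend() {
  case "$(basename "$1")" in
    xtables-legacy-multi) echo legacy ;;
    xtables-nft-multi)    echo nft ;;
    *)                    echo unknown ;;
  esac
}

# Follow the symlink chain of a binary on the live system and classify it.
backend_of() {
  target=$(readlink -f "$1" 2>/dev/null) || return 1
  xtables_backend "$target"
}

# Given the output of `iptables-legacy -S` and `iptables-nft -S`, report
# where Docker's chains live (assumed chain-name prefix DOCKER):
# legacy, nft, both (mixed mode) or none.
docker_chain_location() {
  n_legacy=$(printf '%s\n' "$1" | grep -c '^-N DOCKER' || true)
  n_nft=$(printf '%s\n' "$2" | grep -c '^-N DOCKER' || true)
  if   [ "$n_legacy" -gt 0 ] && [ "$n_nft" -gt 0 ]; then echo both
  elif [ "$n_legacy" -gt 0 ]; then echo legacy
  elif [ "$n_nft" -gt 0 ];    then echo nft
  else echo none; fi
}

# Constructed sample dumps standing in for the two backends' `-S` output.
SAMPLE_LEGACY='-P FORWARD DROP
-N DOCKER
-N DOCKER-USER
-A FORWARD -j DOCKER-USER'
SAMPLE_NFT='-P FORWARD ACCEPT
-N DOCKER'
echo "sample: docker chains are in: $(docker_chain_location "$SAMPLE_LEGACY" "$SAMPLE_NFT")"

# On a real host (run as root): what does the plain "iptables" name resolve
# to, and which backend actually holds Docker's chains? "both" means split.
if command -v iptables-legacy >/dev/null 2>&1 && command -v iptables-nft >/dev/null 2>&1; then
  echo "iptables -> $(backend_of "$(command -v iptables)")"
  echo "docker chains live in: $(docker_chain_location "$(iptables-legacy -S 2>/dev/null)" "$(iptables-nft -S 2>/dev/null)")"
fi
```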