From 8c693ff724476f141211d20c017ddc8d2638a1e0 Mon Sep 17 00:00:00 2001
From: sbwml
Date: Wed, 12 Nov 2025 23:13:24 +0800
Subject: [PATCH] dockerd: Update to 29.0.0
Signed-off-by: sbwml
---
 Makefile | 23 +++-----
 files/dockerd.init | 55 ++-----------------
 files/etc/config/dockerd | 12 +---
 .../etc/sysctl.d/sysctl-br-netfilter-ip.conf | 7 ---
 4 files changed, 13 insertions(+), 84 deletions(-)
 delete mode 100644 files/etc/sysctl.d/sysctl-br-netfilter-ip.conf
diff --git a/Makefile b/Makefile
index 4c62539..7ebc537 100644
--- a/Makefile
+++ b/Makefile
@@ -1,17 +1,17 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=dockerd
-PKG_VERSION:=28.5.2
+PKG_VERSION:=29.0.0
 PKG_RELEASE:=1
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_GIT_URL:=github.com/moby/moby
-PKG_GIT_REF:=v$(PKG_VERSION)
+PKG_GIT_REF:=docker-v$(PKG_VERSION)
 PKG_SOURCE_URL:=https://codeload.$(PKG_GIT_URL)/tar.gz/$(PKG_GIT_REF)?
-PKG_HASH:=0e450c03c536a1304ba8fd26ca4c4ff96fac62182fd042fec90ffdf4a0969d40
-PKG_GIT_SHORT_COMMIT:=89c5e8f # SHA1 used within the docker executables
+PKG_HASH:=5d0f9bb3c5210a14c8c2fcaebb9949f2f69514e4b41a17dba69dff36ab0d764b
+PKG_GIT_SHORT_COMMIT:=d105562 # SHA1 used within the docker executables
 PKG_MAINTAINER:=Gerard Ryan
@@ -19,7 +19,7 @@ PKG_BUILD_DEPENDS:=golang/host
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_FLAGS:=no-mips16
-GO_PKG:=github.com/docker/docker
+GO_PKG:=github.com/moby/moby
 include $(INCLUDE_DIR)/package.mk
 include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk
@@ -36,13 +36,9 @@ define Package/dockerd
 DEPENDS:=$(GO_ARCH_DEPENDS) \
 +ca-certificates \
 +containerd \
- +iptables \
- +iptables-mod-extra \
- +IPV6:ip6tables \
- +IPV6:kmod-ipt-nat6 \
+ +nftables-json \
 +KERNEL_SECCOMP:libseccomp \
- +kmod-ipt-nat \
- +kmod-ipt-physdev \
+ +kmod-nf-nat \
 +kmod-nf-ipvs \
 +kmod-veth \
 +tini \
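Review bot: The DEPENDS hunk adds `+kmod-nf-nat`, which is only the shared NAT core, and declares nothing that provides the nf_tables NAT chain type; if the nftables backend programs masquerade/DNAT chains (the role the dropped `+kmod-ipt-nat` served for iptables), those need kmod-nft-nat, which on most routers arrives via firewall4 rather than through this package. Consider declaring it explicitly, ` +kmod-nft-nat \` next to `+kmod-nf-nat`, so a host that has `nft` but not firewall4 does not fail at container network setup. The `define Package/dockerd` block continues past the end of the hunk, so any dependency listed further down was not visible here; the two earlier hunks are a plain version and module-path bump and need nothing.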
@@ -154,11 +150,6 @@ define Package/dockerd/install
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_CONF) ./files/etc/config/dockerd $(1)/etc/config/dockerd
-
- # Must be after systcl 11-br-netfilter.conf from kmod-br-netfilter
- $(INSTALL_DIR) $(1)/etc/sysctl.d
- $(INSTALL_DATA) ./files/etc/sysctl.d/sysctl-br-netfilter-ip.conf \
- $(1)/etc/sysctl.d/12-br-netfilter-ip.conf
 endef
 define Package/dockerd/postinst
diff --git a/files/dockerd.init b/files/dockerd.init
index 5762c11..8bfccc3 100755
--- a/files/dockerd.init
+++ b/files/dockerd.init
@@ -153,7 +153,7 @@ ucidel() {
 }
 process_config() {
- local alt_config_file data_root log_level iptables ip6tables bip
+ local alt_config_file data_root log_level nftables bip
 [ -f /etc/config/dockerd ] || {
 # Use the daemon default configuration
@@ -174,8 +174,7 @@ process_config() {
 config_get data_root globals data_root "/opt/docker/"
 config_get log_level globals log_level "warn"
- config_get_bool iptables globals iptables "1"
- config_get_bool ip6tables globals ip6tables "0"
+ config_get_bool nftables globals nftables "1"
 # Don't add these options by default
 # omission == docker defaults
@@ -200,8 +199,9 @@ process_config() {
 json_init
 json_add_string "data-root" "${data_root}"
 json_add_string "log-level" "${log_level}"
- json_add_boolean "iptables" "${iptables}"
- json_add_boolean "ip6tables" "${ip6tables}"
+ [ "${nftables}" = "1" ] && {
+ json_add_string "firewall-backend" "nftables"
+ }
 [ "${buildkit}" = "1" ] && {
 json_add_object 'features'
 json_add_boolean "buildkit" "${buildkit}"
@@ -232,8 +232,6 @@ process_config() {
 fi
 [ -z "${storage_driver}" ] || json_add_string "storage-driver" "${storage_driver}"
 json_dump > "${DOCKERD_CONF}"
-
- [ "${iptables}" -eq "1" ] && config_foreach iptables_add_blocking_rule firewall
 }
 start_service() {
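Review bot: `config_get_bool nftables globals nftables "1"` replaces the `iptables` and `ip6tables` options with no migration, so an existing /etc/config/dockerd that sets `option iptables '0'` or pins `ip6tables` is now silently ignored and the daemon uses its own defaults for both keys — `ip6tables` in particular was forced to 0 here before and is now left to whatever 29.0 defaults to, which is worth confirming since it changes which IPv6 rules the daemon installs on the host. The same applies to the `@@ -200,8 +199,9 @@` hunk: `firewall-backend` is only written when nftables is 1, so `option nftables '0'` leaves the backend unset, which presumably selects the daemon's iptables backend that the Makefile hunk no longer installs (`+iptables` is dropped). Either keep passing `iptables`/`ip6tables` through with `json_add_boolean` as before, or add an else branch with `json_add_string "firewall-backend" "iptables"` so the choice is explicit in the generated daemon config, and note the removed options in the config file. process_config() starts before the first of these hunks and ends after the last.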
@@ -261,49 +259,6 @@ service_triggers() {
 procd_add_reload_trigger 'dockerd'
 }
-iptables_add_blocking_rule() {
- local cfg="${1}"
-
- local device=""
- local extra_iptables_args=""
-
- handle_iptables_rule() {
- local interface="${1}"
- local outbound="${2}"
- local extra_iptables_args="${3}"
-
- local inbound=""
-
- . /lib/functions/network.sh
- network_get_physdev inbound "${interface}"
-
- [ -z "${inbound}" ] && {
- logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
- return
- }
-
- # Wait for a maximum of 10 second per command, retrying every millisecond
- local iptables_wait_args="--wait 10 --wait-interval 1000"
-
- # Ignore errors as it might already be present
- iptables ${iptables_wait_args} --table filter --new DOCKER-USER 2>/dev/null
- if ! iptables ${iptables_wait_args} --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT 2>/dev/null; then
- logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
- iptables ${iptables_wait_args} --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" ${extra_iptables_args} --jump REJECT
- fi
- }
-
- config_get device "${cfg}" device
-
- [ -z "${device}" ] && {
- logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
- return
- }
-
- config_get extra_iptables_args "${cfg}" extra_iptables_args
- config_list_foreach "${cfg}" blocked_interfaces handle_iptables_rule "${device}" "${extra_iptables_args}"
-}
-
 stop_service() {
 if /etc/init.d/dockerd running; then
 service_stop "/usr/bin/dockerd"
diff --git a/files/etc/config/dockerd b/files/etc/config/dockerd
index 1482a22..ca23138 100644
--- a/files/etc/config/dockerd
+++ b/files/etc/config/dockerd
@@ -10,7 +10,7 @@ config globals 'globals' option data_root '/opt/docker/' # option log_driver 'local' option log_level 'warn' - option iptables '1' + option nftables '1' # list hosts 'unix:///var/run/docker.sock' # option bip '172.18.0.1/24' # option fixed_cidr '172.17.0.0/16' @@ -30,18 +30,8 @@ config proxies 'proxies' # option https_proxy 'https://proxy.example.com:3129' # option no_proxy '*.test.example.com,.example.org,127.0.0.0/8' -# Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that -# naively translates iptables rules. For the best compatibility replace the following dependencies: -# `firewall4` -> `firewall` -# `iptables-nft` -> `iptables-legacy` -# `ip6tables-nft` -> `ip6tables-legacy` - -# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host. -# See https://docs.docker.com/network/iptables/ for more details. - # firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes, # then docker restarted to load in new changes. config firewall 'firewall' option device 'docker0' # list blocked_interfaces 'wan' -# option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections diff --git a/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf b/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf deleted file mode 100644 index 2e16fed..0000000 --- a/files/etc/sysctl.d/sysctl-br-netfilter-ip.conf +++ /dev/null @@ -1,7 +0,0 @@ -# Do not edit, changes to this file will be lost on upgrades -# /etc/sysctl.conf can be used to customize sysctl settings - -# enable bridge firewalling for docker -#net.bridge.bridge-nf-call-ip6tables=1 -#net.bridge.bridge-nf-call-iptables=1 -
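Review bot: In the `@@ -30,18 +30,8 @@` hunk the `config firewall 'firewall'` section with its `blocked_interfaces` list is kept, but its only consumer — `iptables_add_blocking_rule` and the `config_foreach ... firewall` call in files/dockerd.init — is deleted by this same commit, so the section is now dead and a user who had `list blocked_interfaces 'wan'` loses that REJECT rule on upgrade without any warning. Either drop the section, or replace the two-line comment above it with one saying the block list is not applied with the nftables backend, and keep the deleted caveat `# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host.` (reworded for nftables) together with its docs link, since that behaviour is independent of the backend and is the reason the section existed. A `logger` notice in process_config when `blocked_interfaces` is non-empty would make the regression visible at service start rather than at the first exposed port.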