dockerd: Add firewall independent dependencies

Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>

diff --git a/utils/dockerd/Config.in b/utils/dockerd/Config.in
index 21d55aa19393855289f330165e8f4ee42d2ee645..d5763f051c3699bbfd5a4907de648c6efd8afc50 100644 (file)
--- a/utils/dockerd/Config.in
+++ b/utils/dockerd/Config.in
@@ -1,3 +1,10 @@
+config DOCKER_CHECK_CONFIG
+       bool "Installs check-config.sh with dependencies"
+       default n
+       depends on PACKAGE_dockerd
+       select PACKAGE_bash
+       select PACKAGE_kmod-ikconfig
+
 # These options are mostly specified by https://github.com/moby/moby/blob/master/contrib/check-config.sh
 
 config DOCKER_CGROUP_OPTIONS
@@ -61,6 +68,11 @@ endmenu
 menu "Storage"
        depends on PACKAGE_dockerd
 
+       config DOCKER_STO_DEVMAPPER
+       bool "Enables support for devmapper snapshotting"
+               default n
+               select PACKAGE_libdevmapper
+
        config DOCKER_STO_EXT4
                bool "Enables support for ext3 or ext4 as the backing filesystem"
                default n
@@ -71,4 +83,5 @@ menu "Storage"
                bool "Enables support for btrfs as the backing filesystem"
                default n
                select KERNEL_BTRFS_FS_POSIX_ACL
+               select PACKAGE_btrfs-progs
 endmenu

diff --git a/utils/dockerd/Makefile b/utils/dockerd/Makefile
index 7b0cc294ed620482279f05f6d5ea37619abc04f9..c2cc43db72886e8cc943cc71fe84fe832edee72e 100644 (file)
--- a/utils/dockerd/Makefile
+++ b/utils/dockerd/Makefile
@@ -34,22 +34,20 @@ define Package/dockerd
   TITLE:=Docker Community Edition Daemon
   URL:=https://www.docker.com/
   DEPENDS:=$(GO_ARCH_DEPENDS) \
-    +btrfs-progs \
     +ca-certificates \
     +containerd \
-    +iptables-legacy \
+    +iptables \
     +iptables-mod-extra \
-    +iptables-mod-nat-extra \
+    +IPV6:ip6tables \
+    +IPV6:kmod-ipt-nat6 \
     +KERNEL_SECCOMP:libseccomp \
-    +kmod-br-netfilter \
-    +kmod-ikconfig \
-    +kmod-nf-conntrack-netlink \
+    +kmod-ipt-nat \
+    +kmod-ipt-physdev \
     +kmod-nf-ipvs \
-    +kmod-nf-nat \
     +kmod-veth \
-    +libdevmapper \
     +libnetwork \
-    +tini
+    +tini \
+    +uci-firewall
   USERID:=docker:docker
   MENU:=1
 endef
@@ -146,8 +144,11 @@ define Package/dockerd/install
        $(INSTALL_BIN) $(PKG_BUILD_DIR)/bundles/binary-daemon/dockerd $(1)/usr/bin/
 
        $(INSTALL_DIR) $(1)/opt/docker/
+
+  ifeq ($(CONFIG_DOCKER_CHECK_CONFIG),y)
        $(INSTALL_DIR) $(1)/usr/share/docker/
        $(INSTALL_BIN) $(PKG_BUILD_DIR)/contrib/check-config.sh $(1)/usr/share/docker/
+  endif
 
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/dockerd.init $(1)/etc/init.d/dockerd

diff --git a/utils/dockerd/files/etc/config/dockerd b/utils/dockerd/files/etc/config/dockerd
index 196391a86dbc4b1e80b3e4cb844b0ae683e7acc7..dd7523543c22ce011fca75a94ecb7cdf9dd7d4e6 100644 (file)
--- a/utils/dockerd/files/etc/config/dockerd
+++ b/utils/dockerd/files/etc/config/dockerd
@@ -21,8 +21,15 @@ config globals 'globals'
 #      list registry_mirrors 'https://<my-docker-mirror-host>'
 #      list registry_mirrors 'https://hub.docker.com'
 
-# Docker ignores fw3 rules and by default all external source IPs are allowed to connect to the Docker host.
+# Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that
+# naively translates iptables rules. For the best compatibility replace the following dependencies:
+# `firewall4` -> `firewall`
+# `iptables-nft` -> `iptables-legacy`
+# `ip6tables-nft` -> `ip6tables-legacy`
+
+# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host.
 # See https://docs.docker.com/network/iptables/ for more details.
+
 # firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
 # then docker restarted to load in new changes.
 config firewall 'firewall'