Skip to content

Add nftables / libnftables dependencies #1256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
thaJeztah merged 1 commit into from
Oct 3, 2025
Merged

Add nftables / libnftables dependencies #1256

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions deb/common/control
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ Build-Depends: bash,
gcc,
git,
libc-dev,
libnftables-dev,
libsystemd-dev,
libtool,
make,
Expand All @@ -26,6 +27,7 @@ Pre-Depends: init-system-helpers (>= 1.54~)
Depends: containerd.io (>= 1.7.27),
docker-ce-cli,
iptables,
nftables,
Comment on lines 29 to +30
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At some point, we should make the change to make iptables a weak dependency (or no dependency at all), and only nftables a required dependency.

Given that it's still experimental, we could make nftables a weak dependency, but maybe that's little gain, as it will become a hard requirement in the near future (I expect).

Copy link
Copy Markdown
Contributor Author

@robmry robmry Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed on Slack - let's just make it a hard dependency now. It'll already be installed in most places anyway, it'll be required when we deprecate iptables support, and it's needed to try out the experimental nftables support.

I'll make the update.

${shlibs:Depends}
Recommends: apparmor,
ca-certificates,
Expand Down
5 changes: 5 additions & 0 deletions rpm/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,11 @@ centos: $(CENTOS_RELEASES) ## build all centos rpm packages

.PHONY: rhel
rhel: $(RHEL_RELEASES) ## build all rhel rpm packages
# The nftables-devel package is only available in RHEL CRB. For now, build
# with tag "no_libnftables", so dockerd will exec the nft tool, and this
# package is not required. Note that this '--define' is also hard-coded in
# each of the rhel-*/Dockerfile files.
$(RHEL_RELEASES): RPMBUILD_EXTRA_FLAGS += --define '_no_libnftables true'

.PHONY: $(DISTROS)
$(DISTROS): sources
Expand Down
8 changes: 8 additions & 0 deletions rpm/SPECS/docker-ce.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@ Requires: iptables-nft
%else
Requires: iptables
%endif
%if %{undefined _no_libnftables}
# When dockerd is not linked against libnftables, the nftables package
# is not a hard requirement.
Requires: nftables
%endif
%if %{undefined rhel} || 0%{?rhel} < 9
# Libcgroup is no longer available in RHEL/CentOS >= 9 distros.
Requires: libcgroup
Expand All @@ -40,6 +45,9 @@ BuildRequires: gcc
BuildRequires: git
BuildRequires: glibc-static
BuildRequires: libtool
%if %{undefined _no_libnftables}
BuildRequires: nftables-devel
%endif
BuildRequires: make
BuildRequires: pkgconfig
BuildRequires: pkgconfig(systemd)
Expand Down
4 changes: 2 additions & 2 deletions rpm/rhel-10/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,15 @@ ENV GOPATH=/go
ENV GOTOOLCHAIN=local
ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
ENV AUTO_GOPATH=1
ENV DOCKER_BUILDTAGS=exclude_graphdriver_btrfs
ENV DOCKER_BUILDTAGS="exclude_graphdriver_btrfs no_libnftables"
ARG DISTRO
ARG SUITE
ENV DISTRO=${DISTRO}
ENV SUITE=${SUITE}

RUN dnf install -y rpm-build
COPY --link SPECS /root/rpmbuild/SPECS
RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
RUN dnf builddep --define '_no_libnftables true' -y /root/rpmbuild/SPECS/*.spec
COPY --link --from=golang /usr/local/go /usr/local/go
WORKDIR /root/rpmbuild
ENTRYPOINT ["/bin/rpmbuild"]
4 changes: 2 additions & 2 deletions rpm/rhel-8/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,15 @@ ENV GOPATH=/go
ENV GOTOOLCHAIN=local
ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
ENV AUTO_GOPATH=1
ENV DOCKER_BUILDTAGS=exclude_graphdriver_btrfs
ENV DOCKER_BUILDTAGS="exclude_graphdriver_btrfs no_libnftables"
ARG DISTRO
ARG SUITE
ENV DISTRO=${DISTRO}
ENV SUITE=${SUITE}

RUN dnf install -y rpm-build
COPY --link SPECS /root/rpmbuild/SPECS
RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
RUN dnf builddep --define '_no_libnftables true' -y /root/rpmbuild/SPECS/*.spec
COPY --link --from=golang /usr/local/go /usr/local/go
WORKDIR /root/rpmbuild
ENTRYPOINT ["/bin/rpmbuild"]
4 changes: 2 additions & 2 deletions rpm/rhel-9/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,15 @@ ENV GOPATH=/go
ENV GOTOOLCHAIN=local
ENV PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
ENV AUTO_GOPATH=1
ENV DOCKER_BUILDTAGS=exclude_graphdriver_btrfs
ENV DOCKER_BUILDTAGS="exclude_graphdriver_btrfs no_libnftables"
ARG DISTRO
ARG SUITE
ENV DISTRO=${DISTRO}
ENV SUITE=${SUITE}

RUN dnf install -y rpm-build
COPY --link SPECS /root/rpmbuild/SPECS
RUN dnf builddep -y /root/rpmbuild/SPECS/*.spec
RUN dnf builddep --define '_no_libnftables true' -y /root/rpmbuild/SPECS/*.spec
COPY --link --from=golang /usr/local/go /usr/local/go
WORKDIR /root/rpmbuild
ENTRYPOINT ["/bin/rpmbuild"]