From affd96fb426e97b0c4ee2731b80979aca337ec62 Mon Sep 17 00:00:00 2001
From: librelad
Date: Sun, 24 May 2026 00:23:37 +0100
Subject: [PATCH] fix(rootless): don't disable userland-proxy (breaks rootless bridge on Debian)

Disabling userland-proxy makes rootless dockerd require br_netfilter (/proc/sys/net/bridge/bridge-nf-call-iptables), absent in the rootless netns on Debian -> default bridge creation fails -> daemon won't start. Drop the daemon.json userland-proxy=false write. Source-IP is preserved at L7 by Traefik (X-Forwarded-For), so no real loss.

Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
 .../install/rootless/rootless_docker.sh | 27 +++++--------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/scripts/docker/install/rootless/rootless_docker.sh b/scripts/docker/install/rootless/rootless_docker.sh
index f4501b9..b50c019 100755
--- a/scripts/docker/install/rootless/rootless_docker.sh
+++ b/scripts/docker/install/rootless/rootless_docker.sh
@@ -155,26 +155,13 @@ EOL"
 local result=$(sudo chown $CFG_DOCKER_INSTALL_USER:$CFG_DOCKER_INSTALL_USER $override_conf_file)
 checkSuccess "Updating ownership for override.conf"
 
- # Disable userland-proxy so the kernel/net driver forwards ports directly
- # and the container sees the real client source IP instead of the
- # rootlesskit gateway. Merge into any existing daemon.json rather than
- # clobbering it.
- docker_cfg_dir="/home/$CFG_DOCKER_INSTALL_USER/.config/docker"
- daemon_json="$docker_cfg_dir/daemon.json"
-
- local result=$(sudo -u "$CFG_DOCKER_INSTALL_USER" mkdir -p "$docker_cfg_dir")
- checkSuccess "Create the rootless docker config directory if it doesn't exist"
-
- if sudo test -f "$daemon_json"; then
- local result=$(sudo bash -c "tmp=\$(mktemp) && jq '. + {\"userland-proxy\": false}' '$daemon_json' > \"\$tmp\" && mv \"\$tmp\" '$daemon_json'")
- checkSuccess "Setting userland-proxy=false in existing daemon.json"
- else
- local result=$(sudo bash -c "printf '%s\n' '{\"userland-proxy\": false}' > '$daemon_json'")
- checkSuccess "Writing rootless daemon.json with userland-proxy=false"
- fi
-
- local result=$(sudo chown $CFG_DOCKER_INSTALL_USER:$CFG_DOCKER_INSTALL_USER "$daemon_json")
- checkSuccess "Updating ownership for daemon.json"
+ # NOTE: we deliberately do NOT set "userland-proxy": false here. Disabling
+ # it makes rootless dockerd require br_netfilter
+ # (/proc/sys/net/bridge/bridge-nf-call-iptables), which isn't present in
+ # the rootless netns on Debian — the daemon then fails to create the
+ # default bridge and won't start. The userland proxy's lack of source-IP
+ # propagation doesn't matter here: apps sit behind Traefik, which carries
+ # the real client IP via X-Forwarded-For at L7.
 
 local result=$(dockerCommandRunInstallUser "systemctl --user daemon-reload")
 checkSuccess "Reload the systemd user manager configuration"
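Review bot: Hosts already provisioned by the earlier version of this installer keep the `"userland-proxy": false` that the removed branch merged into an existing `daemon.json`, and nothing on the new side takes it out again, so re-running the script on such a host still leaves rootless dockerd unable to create its default bridge. A small migration step that strips the key when it is present, and reapplies ownership as the removed code did, closes that upgrade gap; a sketch follows. The NOTE's claim that Traefik carries the real client address also reads stronger than what is visible here: if Traefik is itself a container reached through the userland proxy it sees the rootlesskit gateway address rather than the client, and any IP-based allowlist, rate limit or audit log evaluated in or behind Traefik then sees that address too, so I'd qualify the comment with `# ... this only holds if a proxy outside the rootless netns sets X-Forwarded-For and is listed in Traefik's forwardedHeaders.trustedIPs` unless the deployment is known to be fronted that way. The enclosing function starts and ends outside this hunk.
```shell
    checkSuccess "Updating ownership for override.conf"

    # Hosts set up by an earlier run of this installer may still carry
    # "userland-proxy": false in daemon.json; strip it so rootless dockerd can
    # bring up the default bridge again. Ownership is reapplied because the
    # rewrite goes through a root-owned mktemp file.
    daemon_json="/home/$CFG_DOCKER_INSTALL_USER/.config/docker/daemon.json"
    if sudo test -f "$daemon_json" \
       && sudo jq -e '."userland-proxy" == false' "$daemon_json" >/dev/null 2>&1; then
        local result=$(sudo bash -c "tmp=\$(mktemp) && jq 'del(.\"userland-proxy\")' '$daemon_json' > \"\$tmp\" && mv \"\$tmp\" '$daemon_json'")
        checkSuccess "Removing stale userland-proxy=false from daemon.json"
        local result=$(sudo chown "$CFG_DOCKER_INSTALL_USER:$CFG_DOCKER_INSTALL_USER" "$daemon_json")
        checkSuccess "Updating ownership for daemon.json"
    fi

    # … unchanged: NOTE comment, systemd user daemon-reload …
```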