docker-engine: add nftables dependencies

hack/scripts/rpm-builddep.sh

@@ -16,9 +16,10 @@
 
 arch=$1
 specsDir=$2
+shift 2
 
 if [[ -z "$arch" ]] || [[ -z "$specsDir" ]]; then
-  echo "usage: ./rpm-builddep <arch> <specs-dir>" >&2
+  echo "usage: ./rpm-builddep <arch> <specs-dir> [extra-args...]" >&2
   exit 1
 fi
 
@@ -35,4 +36,4 @@ else
 fi
 
 set -x
-$builddepCmd -y "$specsDir"/*.spec
+$builddepCmd "$@" -y "$specsDir"/*.spec

hack/scripts/verify-rpm-init.sh

@@ -37,7 +37,7 @@ case "$pkgrelease" in
     dnf install -y findutils dnf-plugins-core oraclelinux-release-el9 oracle-epel-release-el9
     dnf config-manager --enable ol9_addons ol9_codeready_builder
     ;;
-  fedora*)
+  fedora*|rhel*)
     dnf install -y findutils dnf-plugins-core
     ;;
   rockylinux8|almalinux8)

pkg/docker-engine/Dockerfile

@@ -148,8 +148,16 @@ RUN --mount=type=bind,from=scripts,source=rpm-init.sh,target=/usr/local/bin/rpm-
     rpm-init $DISTRO_NAME
 COPY rpm /root/rpmbuild/SPECS
 ARG TARGETPLATFORM
-RUN --mount=type=bind,from=scripts,source=rpm-builddep.sh,target=/usr/local/bin/rpm-builddep \
-    rpm-builddep $(xx-info rhel-arch) /root/rpmbuild/SPECS
+RUN --mount=type=bind,from=scripts,source=rpm-builddep.sh,target=/usr/local/bin/rpm-builddep <<EOT
+  set -e
+  no_libnftables=0
+  case "$DISTRO_NAME" in
+    rhel*)
+      no_libnftables=1
+      ;;
+  esac
+  rpm-builddep $(xx-info rhel-arch) /root/rpmbuild/SPECS --define "_no_libnftables ${no_libnftables}"
+EOT
 WORKDIR /root/rpmbuild
 ARG NIGHTLY_BUILD
 ARG DISTRO_RELEASE
@@ -196,7 +204,7 @@ ARG PKG_REF
 ARG NIGHTLY_BUILD
 WORKDIR /build
 ARG TARGETPLATFORM
-RUN xx-apt-get install -y gcc libc6-dev libapparmor-dev libsecret-1-dev libsystemd-dev libudev-dev pkg-config
+RUN xx-apt-get install -y gcc libc6-dev libapparmor-dev libnftables-dev libsecret-1-dev libsystemd-dev libudev-dev pkg-config
 RUN --mount=type=bind,source=scripts/pkg-static-build.sh,target=/usr/local/bin/pkg-static-build \
     --mount=type=bind,source=scripts/check-gomod.sh,target=/usr/local/bin/check-gomod \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \

pkg/docker-engine/deb/control

@@ -12,6 +12,7 @@ Build-Depends: ca-certificates,
                debhelper-compat (= 12),
                gcc,
                libc-dev,
+               libnftables-dev,
                libsystemd-dev,
                libtool,
                make,
@@ -22,6 +23,7 @@ Architecture: linux-any
 Depends: containerd.io (>= 1.7.27),
          docker-ce-cli,
          iptables,
+         nftables,
          ${shlibs:Depends}
 Recommends: apparmor,
             ca-certificates,

pkg/docker-engine/rpm/docker-ce.spec

@@ -20,6 +20,7 @@ Recommends: docker-ce-rootless-extras
 Requires: container-selinux
 Requires: systemd
 Requires: iptables
+Requires: nftables
 %if %{undefined rhel} || 0%{?rhel} < 9
 # Libcgroup is no longer available in RHEL/CentOS >= 9 distros.
 Requires: libcgroup
@@ -35,6 +36,9 @@ BuildRequires: gcc
 BuildRequires: glibc-static
 BuildRequires: libarchive
 BuildRequires: libtool
+%if 0%{?_no_libnftables} == 0
+BuildRequires: nftables-devel
+%endif
 BuildRequires: make
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(systemd)

pkg/docker-engine/scripts/pkg-rpm-build.sh

@@ -58,11 +58,23 @@ export GO111MODULE=$(check-gomod)
 xx-go --wrap
 fix-cc
 
+no_libnftables=0
+case "$DISTRO_NAME" in
+  rhel*)
+    # The nftables-devel package is only available in RHEL CRB. For now, build
+    # with tag "no_libnftables", so dockerd will exec the nft tool, and this
+    # package is not required. Note that this '--define' is also defined in
+    # the Dockerfile to install build dependencies.
+    no_libnftables=1
+    ;;
+esac
+
 rpmDefine=(
   --define "_version ${GENVER_PKG_VERSION}"
   --define "_origversion ${GENVER_VERSION}"
   --define "_release ${PKG_RPM_RELEASE:-${GENVER_RPM_RELEASE}}"
   --define "_commit ${GENVER_COMMIT_SHORT}"
+  --define "_no_libnftables ${no_libnftables}"
 )
 
 pkgoutput="${OUTDIR}/${DISTRO_RELEASE}/${DISTRO_SUITE}/$(xx-info arch)"
@@ -75,6 +87,9 @@ case "$DISTRO_NAME" in
     export DOCKER_BUILDTAGS="exclude_graphdriver_btrfs $DOCKER_BUILDTAGS"
     ;;
 esac
+if [ "$no_libnftables" -eq 1 ]; then
+  export DOCKER_BUILDTAGS="no_libnftables $DOCKER_BUILDTAGS"
+fi
 
 set -x
 

pkg/docker-engine/verify.Dockerfile

@@ -28,6 +28,7 @@ FROM scratch AS scripts
 FROM ${DISTRO_IMAGE} AS base
 
 FROM base AS verify-deb
+RUN apt-get update && apt-get install -y libnftables1
 COPY --from=xx / /
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
@@ -48,7 +49,7 @@ RUN --mount=from=bin,target=/build <<EOT
     (
       set -x
       dpkg-deb --info $package
-      dpkg -i --ignore-depends=containerd.io,docker-ce-cli,iptables --force-depends $package
+      dpkg -i --ignore-depends=containerd.io,docker-ce-cli,iptables,nftables --force-depends $package
     )
   done
   set -x
@@ -82,6 +83,14 @@ RUN --mount=from=bin,target=/build <<EOT
       rpm --install --nodeps $package
     )
   done
+  case "$DISTRO_NAME" in
+    rhel*)
+      ;;
+    *)
+      # dockerd requires libnftables.so.1
+      dnf install -y nftables
+      ;;
+  esac
   set -x
   dockerd --version
 EOT