sjat
172ae37953
base's inet-filter forward chain is policy-drop; on a Docker host that kills published-port DNAT + inter-container forwarding ON REBOOT (nftables loads default-deny before dockerd). This drop-in (loaded via base's /etc/nftables.d/*.nft include at boot) appends the container-bridge accepts so a rebooted Docker host keeps forwarding. Resolves FRICTION 2026-06-17 #1 and the GREEN half of ADR-025's acceptance test. NB nftables wildcard is br-*, not the iptables br-+. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
16 lines
785 B
YAML
16 lines
785 B
YAML
---
|
|
# Docker engine install (ADR-004). Cluster-specific daemon hardening is deferred to when
|
|
# the cluster exists.
|
|
docker_host__packages:
|
|
- docker-ce
|
|
- docker-ce-cli
|
|
- containerd.io
|
|
- docker-compose-plugin
|
|
|
|
# Container-forward nftables drop-in (FRICTION 2026-06-17 #1 / ADR-025). base's inet-filter
|
|
# forward chain is `policy drop`; on a Docker host that kills published-port DNAT + inter-
|
|
# container forwarding ON REBOOT (nftables loads default-deny before dockerd). This drop-in
|
|
# (loaded via base's /etc/nftables.d/*.nft include) appends the accepts so a rebooted Docker
|
|
# host keeps forwarding. Only meaningful where base__firewall_apply is true.
|
|
docker_host__forward_dropin: true
|
|
docker_host__nftables_dropin_dir: /etc/nftables.d # must match base__firewall_dropin_dir
|