[GH-ISSUE #451] [Enhancement] Relax Docker dependencies to enable other container engines. #226

New issue

Open

opened 2026-03-04 01:35:42 +03:00 by kerem · 2 comments

kerem commented 2026-03-04 01:35:42 +03:00

Owner

Copy link

Originally created by @MrDrMcCoy on GitHub (Oct 7, 2025).
Original GitHub issue: https://github.com/spr-networks/super/issues/451

I was very nearly successful in getting SPR running with Podman / systemd Quadlets, but ran into some issues:

1. Many of the scripts seem to be trying to make changes pertaining to the default Docker container network. Is this really needed? All of the containers are configured to use host networking, so it seems strange to me that SPR would care about the internal Docker net (which doesn't exist with Podman, and may not with other engines either).
2. It seems that every time SPR wants to restart one of its components, one of the services tries to shell out to the literal docker compose binary to try and restart the container. Why do that when the api and superd containers already bind to the Docker control socket? If the restart is initiated via the control socket, it can target the desired containers by name and not rely on brittle shell commands. Podman provides a compatible control socket, so no special handling is needed beyond not talking to the Docker CLI.
3. Docker automatically creates volume bind paths on the host if they don't exist, but Podman does not. Many of the paths requested are not defined as part of the example configs that are copied. This is as simple to fix as including the directories in the example config paths, which would as a bonus help users to know where to place additional configs.

For now, I will wipe my setup and try again with official Docker.

Originally created by @MrDrMcCoy on GitHub (Oct 7, 2025). Original GitHub issue: https://github.com/spr-networks/super/issues/451 I was very nearly successful in getting SPR running with Podman / systemd Quadlets, but ran into some issues: 1. Many of the scripts seem to be trying to make changes pertaining to the default Docker container network. Is this really needed? All of the containers are configured to use host networking, so it seems strange to me that SPR would care about the internal Docker net (which doesn't exist with Podman, and may not with other engines either). 2. It seems that every time SPR wants to restart one of its components, one of the services tries to shell out to the literal `docker compose` binary to try and restart the container. Why do that when the `api` and `superd` containers already bind to the Docker control socket? If the restart is initiated via the control socket, it can target the desired containers by name and not rely on brittle shell commands. Podman provides a compatible control socket, so no special handling is needed beyond not talking to the Docker CLI. 3. Docker automatically creates volume bind paths on the host if they don't exist, but Podman does not. Many of the paths requested are not defined as part of the example configs that are copied. This is as simple to fix as including the directories in the example config paths, which would as a bonus help users to know where to place additional configs. For now, I will wipe my setup and try again with official Docker.

kerem commented 2026-03-04 01:35:43 +03:00

Author

Owner

Copy link

@lts-rad commented on GitHub (Oct 7, 2025):

This is awesome! Feel free to make a PR even if it isnt working yet.

When I last worked on podman there was some question on how to work with docker networks as defined by compose, that was one area where podman+compose seemed lacking. I know podman has been very actively developed but have not checked in if this is resolved yet. Another path to try might be moving into systemd defined networks and services from docker compose. I would say the main value add for compose right now is building, and everything else is not really needed

Regarding 1, we use nftables rather than iptables and manage the network ourselves to block 1-hop forwarding attacks as well as have more control over containers, are you referring to this or something else?

2. definitely worth replacing this, i think some aspect of this was related to ensuring correctness if launching a container from source. the other huge reason to do this is shrinking superd & api

<!-- gh-comment-id:3376395725 --> @lts-rad commented on GitHub (Oct 7, 2025): This is awesome! Feel free to make a PR even if it isnt working yet. When I last worked on podman there was some question on how to work with docker networks as defined by compose, that was one area where podman+compose seemed lacking. I know podman has been very actively developed but have not checked in if this is resolved yet. Another path to try might be moving into systemd defined networks and services from docker compose. I would say the main value add for compose right now is building, and everything else is not really needed Regarding 1, we use nftables rather than iptables and manage the network ourselves to block 1-hop forwarding attacks as well as have more control over containers, are you referring to this or something else? 2. definitely worth replacing this, i think some aspect of this was related to ensuring correctness if launching a container from source. the other huge reason to do this is shrinking superd & api

kerem commented 2026-03-04 01:35:43 +03:00

Author

Owner

Copy link

@MrDrMcCoy commented on GitHub (Oct 7, 2025):

Indeed, the first point was about the nftables configs. Some of them specifically target the docker0 interface, which of course doesn't exist without actually running Docker. I didn't look too closely to see if the errors surrounding the attempts to create rules for the non-existent interface caused any of the other rules to not be applied. It may be worth re-visiting this to see if there is a good way to apply these rules with dynamic targeting, both to handle missing Docker interfaces and potentially additional interfaces that may exist from other configs.

<!-- gh-comment-id:3377680470 --> @MrDrMcCoy commented on GitHub (Oct 7, 2025): Indeed, the first point was about the nftables configs. Some of them specifically target the docker0 interface, which of course doesn't exist without actually running Docker. I didn't look too closely to see if the errors surrounding the attempts to create rules for the non-existent interface caused any of the other rules to not be applied. It may be worth re-visiting this to see if there is a good way to apply these rules with dynamic targeting, both to handle missing Docker interfaces and potentially additional interfaces that may exist from other configs.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dev

wifi7_support

experimental

dyn_test

dev-android-ui

dns-graph

dev-apns

v1.0.27

clearfog-v1.0.27

v1.0.26

clearfog-v1.0.26

v1.0.25

clearfog-v1.0.25

clearfog-v1.0.24

v1.0.24

v1.0.23

clearfog-v1.0.23

v1.0.22

clearfog-v1.0.22

v1.0.21

clearfog-v1.0.21

v1.0.20

clearfog-v1.0.20

v1.0.19

clearfog-v1.0.19

v1.0.18

clearfog-v1.0.18

clearfog-v1.0.17

v1.0.17

v1.0.15

clearfog-v1.0.15

v1.0.14

clearfog-v1.0.14

v1.0.13

clearfog-v1.0.13

v1.0.12

clearfog-v1.0.12

clearfog-v1.0.11

v1.0.11

clearfog-v1.0.10

v1.0.10

v1.0.9

clearfog-v1.0.9

v1.0.8

clearfog-v1.0.8

clearfog-v1.0.7

v1.0.7

v1.0.6

clearfog-v1.0.6

clearfog-v1.0.5

v1.0.5

ios-v1.0.4

v1.0.4

clearfog-v1.0.4

clearfog-v1.0.3

v1.0.3

v1.0.2

clearfog-v1.0.2

clearfog-v1.0.1

v1.0.1

v1.0.0-dev

clearfog-v1.0.0

v1.0.0

ios-v0.3.24

clearfog-v0.3.24

v0.3.24

clearfog-v0.3.23

v0.3.23

v0.3.22

clearfog-v0.3.22

clearfog-v0.3.21

v0.3.21

v0.3.20

clearfog-v0.3.20

v0.3.19

clearfog-v0.3.19

v0.3.18

clearfog-v0.3.18

clearfog-v0.3.17

v0.3.17

clearfog-v0.3.16

v0.3.16

v0.3.15

clearfog-v0.3.15

ios-v0.3.14

v0.3.14

clearfog-v0.3.14

clearfog-v0.3.13

v0.3.13

ios-v0.3.12

v0.3.12

clearfog-v0.3.12

ios-v0.3.11

clearfog-v0.3.11

v0.3.11

clearfog-v0.3.10

v0.3.10

v0.3.9

clearfog-v0.3.9

v0.3.8

clearfog-v0.3.8

clearfog-v0.3.7

v0.3.7

clearfog-v0.3.6

v0.3.6

clearfog-v0.3.5

v0.3.5

clearfog-v0.3.4

v0.3.4

v0.3.3

clearfog-v0.3.3

v0.3.2

clearfog-v0.3.2

v0.3.1

clearfog-v0.3.1

v0.3.0

clearfog-v0.3.0

clearfog-v0.2.28

v0.2.28

v0.2.27

clearfog-v0.2.27

clearfog-v0.2.26

v0.2.26

v0.2.25

clearfog-v0.2.25

v0.2.24

clearfog-v0.2.24

v0.2.23

clearfog-v0.2.23

v0.2.22

clearfog-v0.2.22

clearfog-v0.2.21

v0.2.21

v0.2.20

clearfog-v0.2.20

v0.2.19

clearfog-v0.2.19

v0.2.18

clearfog-v0.2.18

v0.2.17

v0.2.16

clearfog-v0.2.16

clearfog-v0.2.15

v0.2.15

v0.2.14

clearfog-v0.2.14

clearfog-v0.2.13

v0.2.13

clearfog-v0.2.12

v0.2.12

v0.2.11

clearfog-v0.2.11

v0.2.10

clearfog-v0.2.9

v0.2.9

clearfog-v0.2.8

v0.2.8

clearfog-v0.2.7

v0.2.7

v0.2.6

clearfog-v0.2.6

v0.2.5

v0.2.4

clearfog-v0.2.4

v0.2.3

clearfog-v0.2.3

v0.2.2

clearfog-v0.2.2

v0.2.1

clearfog-v0.2.1

v0.2.0

clearfog-v0.2.0

v0.1.33

clearfog-v0.1.33

v0.1.32

clearfog-v0.1.32

v0.1.31

clearfog-v0.1.31

v0.1.30

clearfog-v0.1.30

v0.1.29

clearfog-v0.1.29

clearfog-v0.1.28

v0.1.28

clearfog-v0.1.27

v0.1.27

v0.1.26

clearfog-v0.1.26

v0.1.25

clearfog-v0.1.25

v0.1.25-beta.6

v0.1.25-beta.5

v0.1.25-beta.4

v0.1.25-beta.3

v0.1.25-beta.2

v0.1.25-beta.1

v0.1.25-beta.0

v0.1.24

clearfog-v0.1.23

v0.1.23

clearfog-v0.1.22

v0.1.22

v0.1.21

clearfog-v0.1.21

v0.1.21-beta.1

v0.1.21-beta.0

v0.1.20

clearfog-v0.1.19

v0.1.19

clearfog-v0.1.18

v0.1.18

v0.1.17

clearfog-v0.1.17

clearfog-v0.1.16

v0.1.16-beta.3

v0.1.16-beta.2

v0.1.16-beta.1

v0.1.16-beta.0

v0.1.15

clearfog-v0.1.15

v0.1.14

v0.1.14-beta.0

v0.1.13

v0.1.12

v0.1.12-beta.7

v0.1.12-beta.6

v0.1.12-beta.5

v0.1.12-beta.4

v0.1.12-beta.3

v0.1.12-beta.2

v0.1.12-beta.1

v0.1.12-beta.0

v0.1.11

v0.1.11-beta.3

v0.1.11-beta.2

v0.1.11-beta.1

v0.1.11-beta.0

v0.1.10

v0.1.10-beta.0

v0.1.9

v0.1.9-beta.0

v0.1.8

v0.1.8-beta.0

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.4-beta.15

v0.1.4-beta.14

v0.1.4-beta.13

v0.1.4-beta.12

v0.1.4-beta.11

v0.1.4-beta.10

v0.1.4-beta.9

v0.1.4-beta.8

v0.1.4-beta.7

v0.1.4-beta.6

v0.1.4-beta.5

v0.1.4-beta.4

v0.1.4-beta.3

v0.1.4-beta.2

v0.1.4-beta.1

v0.1.4-beta.0

v0.1.3

v0.1.3-beta.2

v0.1.3-beta.1

v0.1.3-beta.0

v0.1.2

v0.1.2-beta.2

v0.1.2-beta.1

v0.1.2-beta.0

v0.1.1

v0.1.1-beta.26

v0.1.1-beta.25

v0.1.1-beta.24

v0.1.1-beta.23

v0.1.1-beta.22

v0.1.1-beta.21

v0.1.1-beta.20

v0.1.1-beta.19

v0.1.1-beta.18

v0.1.1-beta.17

v0.1.1-beta.16

v0.1.1-beta.15

v0.1.1-beta.14

v0.1.1-beta.13

v0.1.1-beta.12

v0.1.1-beta.11

v0.1.1-beta.10

v0.1.1-beta.9

v0.1.1-beta.8

v0.1.1-beta.7

v0.1.1-beta.6

v0.1.1-beta.5

v0.1.1-beta.4

v0.1.1-beta.3

v0.1.1-beta.2

v0.1.1-beta.1

v0.1.1-beta.0

v0.01-beta-pi-september-fixes

v0.01-beta-pi-september

v0.01-beta-pi-2

v0.01-beta-pi

Labels

Clear labels   

blocked

  

bug

  

documentation

  

enhancement

  

fixed

  

fixed ✅

  

hardening

  

implemented

  

installer

  

multicast

  

p1

  

p2

  

pending

  

podman

  

pull-request

Mirrored from GitHub Pull Request

  

security

  

testing

  

v1

No labels

blocked

bug

documentation

enhancement

fixed

fixed ✅

hardening

implemented

installer

multicast

p1

p2

pending

podman

pull-request

security

testing

v1

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/super#226

No description provided.