Some notes on getting Docker set up for Forgejo runners on Debian.
The Forgejo and Docker docs are mostly complete, but there are a couple of pain points.
The major one is that Docker does not use nftables by default. The documentation would indicate it's not supported at all until you dig in more, but luckily that isn't the case.
It does require some modifications.
First, create /etc/docker/daemon.json with:
{
"firewall-backend": "nftables"
}
That tells Docker to use nftables instead of iptables. Then IPv4 forwarding needs to be enabled, otherwise Docker fails to start with the following error:
failed to start daemon: Error initializing network controller: error creating default "bridge" network: IPv4 forwarding is disabled: check your host's firewalling and set sysctl net.ipv4.ip_forward=1, or disable ...
First enable it for the current session:
$ sudo sysctl -w net.ipv4.ip_forward=1
Then make it persistent across reboots; create /etc/sysctl.d/docker_ipv4forward.conf with:
net.ipv4.ip_forward=1
Now restart nftables and docker.
$ sudo systemctl restart nftables
$ sudo systemctl restart docker
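A check for the settings above, as an added example that is not part of the original notes. The function names and the proc_root parameter are hypothetical; the file paths are the ones used in these notes. It also reports sysctl keys the kernel does not know, which is how a misspelled key in the sysctl.d file shows up.

```shell
#!/bin/sh
# Added example: checks for the three settings from these notes.
# proc_root is a parameter (an assumption of this sketch) so the key check
# can be pointed at a test directory instead of /proc/sys.

# Succeeds if daemon.json selects the nftables firewall backend.
docker_uses_nftables() {
    grep -Eq '"firewall-backend"[[:space:]]*:[[:space:]]*"nftables"' "$1"
}

# Succeeds if the sysctl.d file sets net.ipv4.ip_forward to 1.
forwarding_persisted() {
    sed -e 's/[#;].*//' -e 's/[[:space:]]//g' "$1" |
        grep -qx 'net\.ipv4\.ip_forward=1'
}

# Print every key in a sysctl.d file that has no matching entry under
# proc_root (default /proc/sys). A misspelled key never reaches the
# kernel setting it was meant for, so forwarding stays off after a reboot.
unknown_sysctl_keys() {
    conf=$1
    proc_root=${2:-/proc/sys}
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' -e 's/=.*//' \
        -e 's/[[:space:]]//g' -e 's/^-//' "$conf" |
    while read -r key; do
        entry=$proc_root/$(printf '%s' "$key" | tr . /)
        [ -e "$entry" ] || printf '%s\n' "$key"
    done
}

# Touch the live system only when asked to with --check.
if [ "${1:-}" = "--check" ]; then
    conf=/etc/sysctl.d/docker_ipv4forward.conf
    docker_uses_nftables /etc/docker/daemon.json || echo "daemon.json: nftables backend not set"
    forwarding_persisted "$conf" || echo "$conf: ip_forward=1 not set"
    unknown_sysctl_keys "$conf" | sed 's/^/unknown sysctl key: /'
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "forwarding is off in the running kernel"
fi
```

Run it with --check after restarting nftables and docker; no output means all three settings are in place.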