Cory Snider
The subtlety here is that dockerd does not _depend_ on FirewallD in the traditional sense. As you have pointed out, on non-FirewallD systems we fall back to raw iptables just...
Please stop with the `FLAKY_TEST` force-pushes. I get notified every time you do, and it triggers a _full_ test re-run. Don't worry about unrelated flaky tests failing; one of the...
> Can rootless docker fall back to the v25 behavior of ignoring (but maybe warning) failures to set extended attributes?

No. That way lies madness, and subtly-broken containers. There is...
> I don't believe that is the case, as I was able to successfully `pull` the image via **rootful** Docker running on the same system with the same storage driver...
I can reproduce the issue in a `docker:dind-rootless` container on Docker Desktop (mac) 4.31.0, which rules out multiple-filesystem shenanigans as the culprit. There is nothing terribly unusual about [the image](https://explore.ggcr.dev/?image=bhpiq/podman-docker-issue-test@sha256:b1193d562856b69aaa38bc2921b6b510d4c85323fd4997ca5cc35987fd49bf82&mt=application%2Fvnd.oci.image.manifest.v1%2Bjson&size=756)....
Okay, I think I understand what's happening. It actually _does_ have everything to do with the xattr being `user.overlay.*`! The overlay2 storage driver on rootless Docker before v27 (#47605) always...
Runtime features are surfaced in the Info API, keyed by the runtime name. https://github.com/moby/moby/pull/46647
The special case when running under test is much simpler to achieve with Go 1.21: https://pkg.go.dev/testing#Testing
> the only thing I'm not _super_ fond of is that it's also wrapping the Regexp; I gave it a try to continue using a `sync.OnceValue` to keep it simple....
> Overall it looks fairly stable, but I see for example that go1.21 introduced [`Regexp.MarshalText()`](https://pkg.go.dev/regexp#Regexp.MarshalText) (currently missing in the `golang.org/x/mod/internal/lazyregexp` implementation, although that implementation looks to be only a subset...