From 54503f3e0327245f9ee09b2c76175c2b0e9237b6 Mon Sep 17 00:00:00 2001
From: Eric Eastwood
Date: Tue, 16 Dec 2025 14:45:57 -0600
Subject: [PATCH] Add support for `DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK`

Based on https://github.com/moby/moby/blob/8316b79e045e2b762373f0cdd87e4b1dbf22ea10/contrib/dockerd-rootless.sh#L24-L25
---
 dockerd-entrypoint.sh | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/dockerd-entrypoint.sh b/dockerd-entrypoint.sh
index 8a291dfa5..cf94e1528 100755
--- a/dockerd-entrypoint.sh
+++ b/dockerd-entrypoint.sh
@@ -1,4 +1,10 @@
 #!/bin/sh
+#
+# Recognized environment variables:
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit): the rootlesskit network driver. Defaults to "vpnkit".
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 1500.
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK=(true|false): prohibit connections to 127.0.0.1 on the host (including via 10.0.2.2, in the case of slirp4netns). Defaults to "true".
+
 set -eu
 
 _tls_ensure_private() {
@@ -216,11 +222,18 @@ if [ "$1" = 'dockerd' ]; then
 echo >&2 "error: attempting to run rootless dockerd but need 'user.max_user_namespaces' (/proc/sys/user/max_user_namespaces) set to a sufficiently large value"
 exit 1
 fi
+
+ DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK=${DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK:-true}
+ host_loopback="--disable-host-loopback"
+ if [ "$DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK" = "false" ]; then
+ host_loopback=""
+ fi
+
 # TODO overlay support detection?
 exec rootlesskit \
 --net="${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:-vpnkit}" \
 --mtu="${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:-1500}" \
- --disable-host-loopback \
+ $host_loopback \
 --port-driver=builtin \
 --copy-up=/etc \
 --copy-up=/run \
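Review bot: `$host_loopback \` in the `exec rootlesskit` call is left unquoted on purpose, so that an empty value contributes no argument at all, but nothing in the hunk says so and a reader or ShellCheck (SC2086) will read it as a quoting bug. A one-line comment above the assignment, `# intentionally unquoted in the exec below: an empty value must expand to no argument`, makes the intent explicit. The opt-out also fires only on the literal string `false`, so any other value (`0`, `no`, `FALSE`) keeps `--disable-host-loopback`; that fail-closed behaviour is the right choice for a setting that lets containers reach services on the host's 127.0.0.1, but the header bullet added in the first hunk should state it, e.g. append `Any value other than "false" keeps the restriction.` to that line. The enclosing `if [ "$1" = 'dockerd' ]` block starts and ends outside the hunk.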