Help me set up docker

Some trial-and-error and experimentation later, I don't - yet - have a fully-usable instance of docker, but I've got... something. I'll keep tinkering. You might be able to build on what I've done and beat me to the answer.

You may find Getting Docker to work First Try useful.

For this test I'm using OpenWRT 22.03.5 x86_64 ext4 inside VMware Workstation 17 Pro, with the disk expanded to 32GB and partition 2 expanded to fill the rest of the disk. That is not to suggest that this is the "correct" or "best" method, merely that it's what I did.

root@vm-openwrt:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                31.6G     18.6M     31.5G   0% /
tmpfs                   479.4M     60.0K    479.3M   0% /tmp
/dev/sda1                15.7M      5.2M     10.2M  34% /boot
/dev/sda1                15.7M      5.2M     10.2M  34% /boot
tmpfs                   512.0K         0    512.0K   0% /dev

First up, the instructions at https://openwrt.org/docs/guide-user/virtualization/docker_host are possibly incomplete or out-of-date.

There is no docker-ce package any more (if there once was). There is, however, a docker package. But installing both docker and luci-app-dockerman on their own is insufficient, and you end up with this:

In addition, you end up with an empty /etc/config/dockerd file (note the big, fat 0):

root@vm-openwrt:/etc/config# ls -al
drwxr-xr-x    2 root     root          4096 Jul 18 16:51 .
drwxr-xr-x   23 root     root          4096 Sep 27  2021 ..
-rw-------    1 root     root           832 Jul 18 16:47 dhcp
-rw-r--r--    1 root     root             0 Jul 18 16:51 dockerd
-rw-------    1 root     root           134 Apr 27 20:28 dropbear

You also need to install dockerd (and optionally docker-compose if you want to use those features).

I suspect that what once was the package docker-ce installed both the container daemon and the command-line client to manage it, functions which are now provided by the two separate packages docker and dockerd.

Be aware: if you do not remove the empty /etc/config/dockerd first then opkg will refuse to overwrite it, creating a separate /etc/config/dockerd-opkg file instead.

Assuming you have removed /etc/config/dockerd and then installed dockerd, you should end up with this:

root@vm-openwrt:/etc/config# ls -al
drwxr-xr-x    2 root     root          4096 Jul 18 17:07 .
drwxr-xr-x   24 root     root          4096 Jul 18 17:07 ..
-rw-------    1 root     root           851 Jul 18 17:03 dhcp
-rw-------    1 root     root          1550 Jan  3  2023 dockerd
-rw-------    1 root     root           134 Apr 27 20:28 dropbear
root@vm-openwrt:/etc/config# cat dockerd
# The following settings require a restart of docker to take full effect, A reload will only have partial or no effect:
# log_driver
# bip
# blocked_interfaces
# extra_iptables_args
# device

config globals 'globals'
#       option alt_config_file '/etc/docker/daemon.json'
        option data_root '/opt/docker/'
#       option log_driver 'local'
        option log_level 'warn'
        option iptables '1'
#       list hosts 'unix:///var/run/docker.sock'
#       option bip '172.18.0.1/24'
#       option fixed_cidr '172.17.0.0/16'
#       option fixed_cidr_v6 'fc00:1::/80'
#       option ipv6 '1'
#       option ip '::ffff:0.0.0.0'
#       list dns '172.17.0.1'
#       list registry_mirrors 'https://<my-docker-mirror-host>'
#       list registry_mirrors 'https://hub.docker.com'

# Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that
# naively translates iptables rules. For the best compatibility replace the following dependencies:
# `firewall4` -> `firewall`
# `iptables-nft` -> `iptables-legacy`
# `ip6tables-nft` -> `ip6tables-legacy`

# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host.
# See https://docs.docker.com/network/iptables/ for more details.

# firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
# then docker restarted to load in new changes.
config firewall 'firewall'
        option device 'docker0'
        list blocked_interfaces 'wan'
#       option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections
root@vm-openwrt:/etc/config#
root@vm-openwrt:/etc/config# ls -al /opt/docker
drwx--x---   14 root     root          4096 Jul 18 17:07 .
drwxr-xr-x    4 root     root          4096 Jul 18 17:07 ..
drwx--x--x    4 root     root          4096 Jul 18 17:07 buildkit
drwx--x--x    3 root     root          4096 Jul 18 17:07 containerd
drwx--x---    2 root     root          4096 Jul 18 17:07 containers
drwx------    3 root     root          4096 Jul 18 17:07 image
drwxr-x---    3 root     root          4096 Jul 18 17:07 network
drwx--x---    3 root     root          4096 Jul 18 17:07 overlay2
drwx------    4 root     root          4096 Jul 18 17:07 plugins
drwx------    2 root     root          4096 Jul 18 17:07 runtimes
drwx------    2 root     root          4096 Jul 18 17:07 swarm
drwx------    2 root     root          4096 Jul 18 17:07 tmp
drwx------    2 root     root          4096 Jul 18 17:07 trust
drwx-----x    2 root     root          4096 Jul 18 17:07 volumes
root@vm-openwrt:/etc/config#

However...

There is still more which needs to be done, and it is here that you might beat me to the answer.

Installing docker, dockerd, and luci-app-dockerman still isn't sufficient:

root@vm-openwrt:/etc/config# docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
719385e32844: Pull complete
Digest: sha256:926fac19d22aa2d60f1a276b66a20eb765fbeea2db5dbdaafeb456ad8ce81598
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to create endpoint competent_mclean on network bridge: adding interface veth6f0fb2f to bridge docker0 failed: could not find bridge docker0: route ip+net: no such network interface.
ERRO[0002] error waiting for container: context canceled
root@vm-openwrt:/etc/config#

Now, I should note here that I did not yet follow the later instructions referenced above, to install any additional virtual network-related packages, so I am not entirely surprised by the particular failure seen here. This is a "progress so far" report, not an "it's broken" report.

I suspect the answer is to find and install the correct packages (and maybe the documentation is correct for this bit), after which docker run hello-world might work...
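The failure states described in the post above (a 0-byte /etc/config/dockerd, the dockerd-opkg leftover, the missing docker0 bridge) and the firewall caveat in the packaged config can be checked with a small script. This is an added example, not part of the original post or of the OpenWrt packages; the function names and finding codes (EMPTY, LEFTOVER, EXPOSED, REMOTE_API, NO_BRIDGE) are made up here, and the config directory and sysfs path are parameters so it can be run against a copy.

```shell
#!/bin/sh
# Added example (not from the post): preflight checks for the dockerd setup above.
# Assumption: findings are printed as "CODE: detail" lines; the codes are invented here.

# Value of "option <name> '<value>'" taken from the uncommented lines of a UCI file.
uci_option() {  # $1=file  $2=option name
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$2[[:space:]]\{1,\}'\([^']*\)'.*/\1/p" |
        head -n 1
}

check_dockerd_config() {  # $1=config dir  $2=sysfs net dir
    conf="${1:-/etc/config}/dockerd"
    net="${2:-/sys/class/net}"

    if [ ! -e "$conf" ]; then
        echo "MISSING: $conf not found; the dockerd package is not installed"
        return 0
    fi
    if [ -e "$conf-opkg" ]; then
        echo "LEFTOVER: $conf-opkg exists; opkg did not overwrite $conf"
    fi
    if [ ! -s "$conf" ]; then
        echo "EMPTY: $conf is 0 bytes; remove it, then reinstall dockerd"
        return 0
    fi

    # Only uncommented lines count as active settings.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # The packaged default blocks the wan interface from reaching containers.
    if ! printf '%s\n' "$active" |
            grep -Eq "list[[:space:]]+blocked_interfaces[[:space:]]+'wan'"; then
        echo "EXPOSED: 'wan' is not in blocked_interfaces"
    fi
    # An active tcp:// entry under 'list hosts' puts the Docker API on the network.
    if printf '%s\n' "$active" | grep -Eq "list[[:space:]]+hosts[[:space:]]+'tcp://"; then
        echo "REMOTE_API: daemon is configured to listen on a TCP socket"
    fi
    # The bridge named in the firewall section must exist before 'docker run' works.
    dev=$(uci_option "$conf" device)
    if [ -n "$dev" ] && [ ! -d "$net/$dev" ]; then
        echo "NO_BRIDGE: interface $dev does not exist"
    fi
    return 0
}

check_dockerd_config "$@"
```

Run with no arguments on the router it inspects /etc/config and /sys/class/net; no output means none of the checked conditions were found.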