Merge pull request #47084 from AkihiroSuda/dockerd-rootless-setuptool-nsenter

dockerd-rootless-setuptool.sh: add `nsenter` subcommand (for debugging)

contrib/dockerd-rootless-setuptool.sh

@@ -273,10 +273,18 @@ init() {
 
 # CLI subcommand: "check"
 cmd_entrypoint_check() {
+	init
 	# requirements are already checked in init()
 	INFO "Requirements are satisfied"
 }
 
+# CLI subcommand: "nsenter"
+cmd_entrypoint_nsenter() {
+	# No need to call init()
+	pid=$(cat "$XDG_RUNTIME_DIR/dockerd-rootless/child_pid")
+	exec nsenter --no-fork --wd="$(pwd)" --preserve-credentials -m -n -U -t "$pid" -- "$@"
+}
+
 show_systemd_error() {
 	n="20"
 	ERROR "Failed to start ${SYSTEMD_UNIT}. Run \`journalctl -n ${n} --no-pager --user --unit ${SYSTEMD_UNIT}\` to show the error log."
@@ -383,6 +391,7 @@ cli_ctx_rm() {
 
 # CLI subcommand: "install"
 cmd_entrypoint_install() {
+	init
 	# requirements are already checked in init()
 	if [ -z "$SYSTEMD" ]; then
 		install_nonsystemd
@@ -416,6 +425,7 @@ cmd_entrypoint_install() {
 
 # CLI subcommand: "uninstall"
 cmd_entrypoint_uninstall() {
+	init
 	# requirements are already checked in init()
 	if [ -z "$SYSTEMD" ]; then
 		INFO "systemd not detected, ${DOCKERD_ROOTLESS_SH} needs to be stopped manually:"
@@ -461,6 +471,7 @@ usage() {
 	echo
 	echo "Commands:"
 	echo "  check        Check prerequisites"
+	echo "  nsenter      Enter into RootlessKit namespaces (mostly for debugging)"
 	echo "  install      Install systemd unit (if systemd is available) and show how to manage the service"
 	echo "  uninstall    Uninstall systemd unit"
 }
@@ -508,5 +519,4 @@ if ! command -v "cmd_entrypoint_${command}" > /dev/null 2>&1; then
 fi
 
 # main
-init
-"cmd_entrypoint_${command}"
+"cmd_entrypoint_${command}" "$@"

contrib/dockerd-rootless.sh

@@ -9,6 +9,7 @@
 # * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed.
 #
 # Recognized environment variables:
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR: the rootlesskit state dir. Defaults to "$XDG_RUNTIME_DIR/dockerd-rootless".
 # * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit".
 # * DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 65520 for slirp4netns, 1500 for other drivers.
 # * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit): the rootlesskit port driver. Defaults to "builtin".
@@ -64,6 +65,7 @@ if [ -z "$rootlesskit" ]; then
 	exit 1
 fi
 
+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR:=$XDG_RUNTIME_DIR/dockerd-rootless}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:=}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:=}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:=builtin}"
@@ -119,6 +121,7 @@ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
 	#         (by either systemd-networkd or NetworkManager)
 	# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace
 	exec $rootlesskit \
+		--state-dir=$DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR \
 		--net=$net --mtu=$mtu \
 		--slirp4netns-sandbox=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX \
 		--slirp4netns-seccomp=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP \

testutil/daemon/daemon.go

@@ -174,7 +174,9 @@ func NewDaemon(workingDir string, ops ...Option) (*Daemon, error) {
 		if err := os.Chown(d.execRoot, uid, gid); err != nil {
 			return nil, err
 		}
-		d.rootlessXDGRuntimeDir = filepath.Join(d.Folder, "xdgrun")
+		// $XDG_RUNTIME_DIR mustn't be too long, as ${XDG_RUNTIME_DIR/dockerd-rootless
+		// contains Unix sockets
+		d.rootlessXDGRuntimeDir = filepath.Join(os.TempDir(), "xdgrun-"+id)
 		if err := os.MkdirAll(d.rootlessXDGRuntimeDir, 0o700); err != nil {
 			return nil, err
 		}