
Merge pull request #38913 from AkihiroSuda/rootlesskit-docker-proxy

rootless: expose ports automatically
Tibor Vass vor 6 Jahren
a0d64a3093

+ 3 - 1
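--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -3,6 +3,8 @@
 #
 # Usage: dockerd-rootless.sh --experimental [DOCKERD_OPTIONS]
 # Currently, specifying --experimental is mandatory.
+# Also, to expose ports, you need to specify
+# --userland-proxy-path=/path/to/rootlesskit-docker-proxy
 #
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
@@ -64,7 +66,7 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
 	#         (by either systemd-networkd or NetworkManager)
 	# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace
 	$rootlesskit \
-		--net=$net --mtu=$mtu --disable-host-loopback \
+		--net=$net --mtu=$mtu --disable-host-loopback --port-driver=builtin \
 		--copy-up=/etc --copy-up=/run \
 		$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \
 		$0 $@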
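Review bot: The header comment added in the first hunk names only `--userland-proxy-path`, while the docs example in this same PR (docs/rootless.md) passes `--userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)` and also carries a stray trailing `"` inherited from the old line; if both flags are required the comment should say so, e.g. `# Also, to expose ports, you need to specify --userland-proxy --userland-proxy-path=/path/to/rootlesskit-docker-proxy`. In the second hunk `--port-driver=builtin` is now hard-coded ahead of `$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS`, so whether a user can override the port driver via that variable depends on rootlesskit's last-flag-wins behaviour, which is not visible here; a one-line comment stating the intent would help. `$net`, `$mtu` and `$0 $@` remain unquoted on the new and adjacent lines, so `"$net"`, `"$mtu"` and `"$0" "$@"` would keep dockerd options containing spaces intact. The enclosing `if` block starts outside the hunk.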

+ 4 - 12
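--- a/docs/rootless.md
+++ b/docs/rootless.md
@@ -45,6 +45,8 @@ penguin:231072:65536
   * Apparmor
   * Checkpoint
   * Overlay network
+  * Exposing SCTP ports
+* To expose a TCP/UDP port, the host port number needs to be set to >= 1024.
 
 ## Usage
 
@@ -53,9 +55,10 @@ penguin:231072:65536
 You need to run `dockerd-rootless.sh` instead of `dockerd`.
 
 ```console
-$ dockerd-rootless.sh --experimental"
+$ dockerd-rootless.sh --experimental --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)"
 ```
 As Rootless mode is experimental per se, currently you always need to run `dockerd-rootless.sh` with `--experimental`.
+Also, to expose ports, you need to set `--userland-proxy-path` to the path of `rootlesskit-docker-proxy` binary.
 
 Remarks:
 * The socket path is set to `$XDG_RUNTIME_DIR/docker.sock` by default. `$XDG_RUNTIME_DIR` is typically set to `/run/user/$UID`.
@@ -72,17 +75,6 @@ You can just use the upstream Docker client but you need to set the socket path
 $ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d nginx
 ```
 
-### Exposing ports
-
-In addition to exposing container ports to the `dockerd` network namespace, you also need to expose the ports in the `dockerd` network namespace to the host network namespace.
-
-```console
-$ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d -p 80:80 nginx
-$ socat -t -- TCP-LISTEN:8080,reuseaddr,fork EXEC:"nsenter -U -n -t $(cat $XDG_RUNTIME_DIR/docker.pid) socat -t -- STDIN TCP4\:127.0.0.1\:80"
-```
-
-In future, `dockerd` will be able to expose the ports automatically.
-
 ### Routing ping packets
 
 To route ping packets, you need to set up `net.ipv4.ping_group_range` properly as the root.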

+ 5 - 3
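--- a/hack/dockerfile/install/rootlesskit.installer
+++ b/hack/dockerfile/install/rootlesskit.installer
@@ -1,7 +1,7 @@
 #!/bin/sh
 
-# v0.3.0-alpha.2
-ROOTLESSKIT_COMMIT=7bbbc48a6f906633a9b12783b957f4c3aa037d33
+# v0.3.0-beta.0
+ROOTLESSKIT_COMMIT=ed2671442965115b84ecf82d4831cc48747d89b8
 
 install_rootlesskit() {
 	case "$1" in
@@ -30,5 +30,7 @@ _install_rootlesskit() {
 	git clone https://github.com/rootless-containers/rootlesskit.git "$GOPATH/src/github.com/rootless-containers/rootlesskit"
 	cd "$GOPATH/src/github.com/rootless-containers/rootlesskit"
 	git checkout -q "$ROOTLESSKIT_COMMIT"
-	go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/rootlesskit" github.com/rootless-containers/rootlesskit/cmd/rootlesskit
+	for f in rootlesskit rootlesskit-docker-proxy; do
+		go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/$f" github.com/rootless-containers/rootlesskit/cmd/$f
+	done
 }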
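Review bot: The new `for` loop in the second hunk runs `go build` for two binaries without checking its status, so unless `set -e` is in force (not visible in this hunk) a failed build of `rootlesskit` still proceeds to `rootlesskit-docker-proxy` and the installer returns success with a partial install. Appending `|| return 1` to the `go build` line makes the failure stop the loop and surface to the caller. The preceding `cd` is likewise unchecked, which matters more now that the loop issues two builds from that directory. Pinning `ROOTLESSKIT_COMMIT` to a full commit SHA, as the first hunk keeps doing, is what makes this build reproducible; prefer that over a tag if the pin is bumped again. `_install_rootlesskit` begins outside the hunk.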

+ 1 - 0
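--- a/hack/make/.binary-setup
+++ b/hack/make/.binary-setup
@@ -8,5 +8,6 @@ DOCKER_CONTAINERD_SHIM_BINARY_NAME='containerd-shim'
 DOCKER_PROXY_BINARY_NAME='docker-proxy'
 DOCKER_INIT_BINARY_NAME='docker-init'
 DOCKER_ROOTLESSKIT_BINARY_NAME='rootlesskit'
+DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME='rootlesskit-docker-proxy'
 DOCKER_VPNKIT_BINARY_NAME='vpnkit'
 DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME='dockerd-rootless.sh'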

+ 1 - 1
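--- a/hack/make/binary-daemon
+++ b/hack/make/binary-daemon
@@ -14,7 +14,7 @@ copy_binaries() {
 		return
 	fi
 	echo "Copying nested executables into $dir"
-	for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit dockerd-rootless.sh; do
+	for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh; do
 		cp -f `which "$file"` "$dir/"
 		if [ "$hash" == "hash" ]; then
 			hash_files "$dir/$file"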
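Review bot: Adding `rootlesskit-docker-proxy` to the list means a build environment whose PATH lacks the new binary now fails inside the loop at `cp -f \`which "$file"\` "$dir/"`, where the empty backtick result leaves `cp` with a single argument and an unhelpful "missing destination" error rather than naming the missing file. Resolving the path first makes the failure explicit: `src=$(command -v "$file") || { echo "error: $file not found in PATH" >&2; return 1; }` followed by `cp -f "$src" "$dir/"`. The backtick form and the unquoted substitution are also what ShellCheck flags as SC2006 and SC2046. `copy_binaries` starts outside the hunk.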

+ 1 - 0
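--- a/hack/make/install-binary
+++ b/hack/make/install-binary
@@ -27,6 +27,7 @@ install_binary() {
 	install_binary "${DEST}/${DOCKER_PROXY_BINARY_NAME}"
 	install_binary "${DEST}/${DOCKER_INIT_BINARY_NAME}"
 	install_binary "${DEST}/${DOCKER_ROOTLESSKIT_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME}"
 	install_binary "${DEST}/${DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME}"
 	if [ -f "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}" ]; then
 		install_binary "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}"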