diff --git a/contrib/dockerd-rootless.sh b/contrib/dockerd-rootless.sh
index ca8f5d439f..bfd0117b86 100755
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -3,6 +3,8 @@
 #
 # Usage: dockerd-rootless.sh --experimental [DOCKERD_OPTIONS]
 # Currently, specifying --experimental is mandatory.
+# Also, to expose ports, you need to specify
+# --userland-proxy-path=/path/to/rootlesskit-docker-proxy
 #
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
@@ -64,7 +66,7 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
 # (by either systemd-networkd or NetworkManager)
 # * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace
 $rootlesskit \
- --net=$net --mtu=$mtu --disable-host-loopback \
+ --net=$net --mtu=$mtu --disable-host-loopback --port-driver=builtin \
 --copy-up=/etc --copy-up=/run \
 $DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \
 $0 $@
diff --git a/docs/rootless.md b/docs/rootless.md
index bb0486b6e2..b84a4f3608 100644
--- a/docs/rootless.md
+++ b/docs/rootless.md
@@ -45,6 +45,8 @@ penguin:231072:65536
 * Apparmor
 * Checkpoint
 * Overlay network
+ * Exposing SCTP ports
+* To expose a TCP/UDP port, the host port number needs to be set to >= 1024.
 ## Usage
@@ -53,9 +55,10 @@ penguin:231072:65536
 You need to run `dockerd-rootless.sh` instead of `dockerd`.
 ```console
-$ dockerd-rootless.sh --experimental"
+$ dockerd-rootless.sh --experimental --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)"
 ```
 As Rootless mode is experimental per se, currently you always need to run `dockerd-rootless.sh` with `--experimental`.
+Also, to expose ports, you need to set `--userland-proxy-path` to the path of `rootlesskit-docker-proxy` binary.
 Remarks:
 * The socket path is set to `$XDG_RUNTIME_DIR/docker.sock` by default. `$XDG_RUNTIME_DIR` is typically set to `/run/user/$UID`.
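Review bot: `--port-driver=builtin` is now passed to rootlesskit unconditionally on the rewritten `--net=$net --mtu=$mtu` line, but the daemon-side half is left entirely to the caller: the new usage comment only tells the user to pass `--userland-proxy-path=/path/to/rootlesskit-docker-proxy`, nothing in the script checks for or defaults that flag, so a daemon started without it comes up cleanly and only fails once `-p` is first used. Consider locating the helper before the `$rootlesskit` invocation, e.g. `rootlesskit_docker_proxy=$(command -v rootlesskit-docker-proxy 2>/dev/null || :)`, and forwarding `--userland-proxy-path` to the child when the caller did not supply one; the docs hunk also passes `--userland-proxy` explicitly while this header comment omits it, so the two should at least agree. The `if [ -z $_DOCKERD_ROOTLESS_CHILD ]` block that contains this call starts outside the hunk; its unquoted `$0 $@` re-exec is pre-existing, but since this line is being touched, `"$0" "$@"` would keep daemon arguments containing spaces intact.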
@@ -72,17 +75,6 @@ You can just use the upstream Docker client but you need to set the socket path
 $ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d nginx
 ```
-### Exposing ports
-
-In addition to exposing container ports to the `dockerd` network namespace, you also need to expose the ports in the `dockerd` network namespace to the host network namespace.
-
-```console
-$ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d -p 80:80 nginx
-$ socat -t -- TCP-LISTEN:8080,reuseaddr,fork EXEC:"nsenter -U -n -t $(cat $XDG_RUNTIME_DIR/docker.pid) socat -t -- STDIN TCP4\:127.0.0.1\:80"
-```
-
-In future, `dockerd` will be able to expose the ports automatically.
-
 ### Routing ping packets
 To route ping packets, you need to set up `net.ipv4.ping_group_range` properly as the root.
diff --git a/hack/dockerfile/install/rootlesskit.installer b/hack/dockerfile/install/rootlesskit.installer
index a5be54ae9b..7ee8f516d8 100755
--- a/hack/dockerfile/install/rootlesskit.installer
+++ b/hack/dockerfile/install/rootlesskit.installer
@@ -1,7 +1,7 @@
 #!/bin/sh
-# v0.3.0-alpha.2
-ROOTLESSKIT_COMMIT=7bbbc48a6f906633a9b12783b957f4c3aa037d33
+# v0.3.0-beta.0
+ROOTLESSKIT_COMMIT=ed2671442965115b84ecf82d4831cc48747d89b8
 install_rootlesskit() {
 case "$1" in
@@ -30,5 +30,7 @@ _install_rootlesskit() {
 git clone https://github.com/rootless-containers/rootlesskit.git "$GOPATH/src/github.com/rootless-containers/rootlesskit"
 cd "$GOPATH/src/github.com/rootless-containers/rootlesskit"
 git checkout -q "$ROOTLESSKIT_COMMIT"
-go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/rootlesskit" github.com/rootless-containers/rootlesskit/cmd/rootlesskit
+for f in rootlesskit rootlesskit-docker-proxy; do
+go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/$f" github.com/rootless-containers/rootlesskit/cmd/$f
+done
 }
diff --git a/hack/make/.binary-setup b/hack/make/.binary-setup
index 7faeca3efb..7a4eb8bc12 100644
--- a/hack/make/.binary-setup
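Review bot: The new `for f in rootlesskit rootlesskit-docker-proxy; do ... done` loop at the end of `_install_rootlesskit` lets a failed `go build` of the first binary be masked by a successful build of the second, because the loop's status is that of its last iteration; the file's `#!/bin/sh` header in the previous hunk shows no `set -e`, and whether the sourcing script enables it is not visible here. Make the failure explicit in the loop body, `go build ... -o "${PREFIX}/$f" github.com/rootless-containers/rootlesskit/cmd/"$f" || return 1`, which also quotes `$f` consistently with the `-o` argument. Building both binaries from the single pinned `ROOTLESSKIT_COMMIT` is the right control; a one-line comment above the loop saying that both must come from the same checkout would make that intent survive future edits. `_install_rootlesskit` starts outside the hunk.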
+++ b/hack/make/.binary-setup
@@ -8,5 +8,6 @@ DOCKER_CONTAINERD_SHIM_BINARY_NAME='containerd-shim'
 DOCKER_PROXY_BINARY_NAME='docker-proxy'
 DOCKER_INIT_BINARY_NAME='docker-init'
 DOCKER_ROOTLESSKIT_BINARY_NAME='rootlesskit'
+DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME='rootlesskit-docker-proxy'
 DOCKER_VPNKIT_BINARY_NAME='vpnkit'
 DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME='dockerd-rootless.sh'
diff --git a/hack/make/binary-daemon b/hack/make/binary-daemon
index e8b4ad0de8..003bd4feef 100644
--- a/hack/make/binary-daemon
+++ b/hack/make/binary-daemon
@@ -14,7 +14,7 @@ copy_binaries() {
 return
 fi
 echo "Copying nested executables into $dir"
- for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit dockerd-rootless.sh; do
+ for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh; do
 cp -f `which "$file"` "$dir/"
 if [ "$hash" == "hash" ]; then
 hash_files "$dir/$file"
diff --git a/hack/make/install-binary b/hack/make/install-binary
index 04c4f2fadc..39c826dd43 100644
--- a/hack/make/install-binary
+++ b/hack/make/install-binary
@@ -27,6 +27,7 @@ install_binary() {
 install_binary "${DEST}/${DOCKER_PROXY_BINARY_NAME}"
 install_binary "${DEST}/${DOCKER_INIT_BINARY_NAME}"
 install_binary "${DEST}/${DOCKER_ROOTLESSKIT_BINARY_NAME}"
+ install_binary "${DEST}/${DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME}"
 install_binary "${DEST}/${DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME}"
 if [ -f "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}" ]; then
 install_binary "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}"
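Review bot: Adding `rootlesskit-docker-proxy` to the `for file in ...` list in `copy_binaries` makes it a hard requirement of the bundle, but the loop body's unquoted backtick substitution around `which "$file"` expands to nothing when the binary is not on PATH, so `cp -f` is then invoked with only the `"$dir/"` operand and the failure never names the missing binary. Since this commit introduces the new name, resolve the source first and fail with a message: `src=$(command -v "$file") || { echo "missing nested executable: $file" >&2; return 1; }` followed by `cp -f "$src" "$dir/"`; `command -v` is also the portable form. `copy_binaries` starts outside the hunk and `hash_files` is defined elsewhere, so I cannot tell whether an empty copy would already be caught downstream.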