2019-01-10 01:50:47 +00:00
|
|
|
#!/bin/sh
|
2014-04-29 05:13:25 +00:00
|
|
|
set -e
|
2013-09-07 02:02:59 +00:00
|
|
|
|
2013-09-07 02:03:29 +00:00
|
|
|
# DinD: a wrapper script which allows docker to be run inside a docker container.
|
2014-07-24 22:19:50 +00:00
|
|
|
# Original version by Jerome Petazzoni <jerome@docker.com>
|
2023-05-29 20:37:09 +00:00
|
|
|
# See the blog post: https://www.docker.com/blog/docker-can-now-run-within-docker/
|
2013-09-07 02:03:29 +00:00
|
|
|
#
|
2016-05-25 03:38:28 +00:00
|
|
|
# This script should be executed inside a docker container in privileged mode
|
2014-03-13 17:46:02 +00:00
|
|
|
# ('docker run --privileged', introduced in docker 0.6).
|
2013-09-07 02:03:29 +00:00
|
|
|
|
|
|
|
# Usage: dind CMD [ARG...]
|
|
|
|
|
2014-05-01 21:52:29 +00:00
|
|
|
# apparmor sucks and Docker needs to know that it's in a container (c) @tianon
|
2023-11-27 13:48:51 +00:00
|
|
|
#
|
|
|
|
# Set the container env-var, so that AppArmor is enabled in the daemon and
|
|
|
|
# containerd when running docker-in-docker.
|
|
|
|
#
|
|
|
|
# see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
|
|
|
|
# see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
|
2014-05-01 21:52:29 +00:00
|
|
|
export container=docker
|
|
|
|
|
2023-11-27 13:48:51 +00:00
|
|
|
# Allow AppArmor to work inside the container;
|
|
|
|
#
|
|
|
|
# aa-status
|
|
|
|
# apparmor filesystem is not mounted.
|
|
|
|
# apparmor module is loaded.
|
|
|
|
#
|
|
|
|
# mount -t securityfs none /sys/kernel/security
|
|
|
|
#
|
|
|
|
# aa-status
|
|
|
|
# apparmor module is loaded.
|
|
|
|
# 30 profiles are loaded.
|
|
|
|
# 30 profiles are in enforce mode.
|
|
|
|
# /snap/snapd/18357/usr/lib/snapd/snap-confine
|
|
|
|
# ...
|
|
|
|
#
|
|
|
|
# Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
|
|
|
|
#
|
|
|
|
# ## /sys/kernel/security
|
|
|
|
#
|
|
|
|
# In /sys/kernel/security mounted the securityfs interface, which allows
|
|
|
|
# configuration of Linux Security Modules. This allows configuration of
|
|
|
|
# AppArmor policies, and so access to this may allow a container to disable
|
|
|
|
# its MAC system.
|
|
|
|
#
|
|
|
|
# Given that we're running privileged already, this should not be an issue.
|
2019-01-10 01:23:38 +00:00
|
|
|
if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
|
2014-04-29 05:13:25 +00:00
|
|
|
mount -t securityfs none /sys/kernel/security || {
|
|
|
|
echo >&2 'Could not mount /sys/kernel/security.'
|
2015-10-12 05:46:14 +00:00
|
|
|
echo >&2 'AppArmor detection and --privileged mode might break.'
|
2014-04-29 05:13:25 +00:00
|
|
|
}
|
2013-10-31 21:58:43 +00:00
|
|
|
fi
|
|
|
|
|
2015-08-21 22:47:50 +00:00
|
|
|
# Mount /tmp (conditionally)
|
|
|
|
if ! mountpoint -q /tmp; then
|
|
|
|
mount -t tmpfs none /tmp
|
|
|
|
fi
|
2013-09-07 02:19:03 +00:00
|
|
|
|
2020-06-03 13:37:14 +00:00
|
|
|
# cgroup v2: enable nesting
|
|
|
|
if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
|
2021-04-27 08:56:41 +00:00
|
|
|
# move the processes from the root group to the /init group,
|
2020-06-03 13:37:14 +00:00
|
|
|
# otherwise writing subtree_control fails with EBUSY.
|
2021-04-27 08:56:41 +00:00
|
|
|
# An error during moving non-existent process (i.e., "cat") is ignored.
|
2020-06-03 13:37:14 +00:00
|
|
|
mkdir -p /sys/fs/cgroup/init
|
2021-04-27 08:56:41 +00:00
|
|
|
xargs -rn1 < /sys/fs/cgroup/cgroup.procs > /sys/fs/cgroup/init/cgroup.procs || :
|
2020-06-03 13:37:14 +00:00
|
|
|
# enable controllers
|
|
|
|
sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \
|
|
|
|
> /sys/fs/cgroup/cgroup.subtree_control
|
|
|
|
fi
|
|
|
|
|
2022-09-21 23:03:04 +00:00
|
|
|
# Change mount propagation to shared to make the environment more similar to a
|
|
|
|
# modern Linux system, e.g. with SystemD as PID 1.
|
|
|
|
mount --make-rshared /
|
|
|
|
|
2019-01-10 01:23:38 +00:00
|
|
|
if [ $# -gt 0 ]; then
|
2014-04-29 05:13:25 +00:00
|
|
|
exec "$@"
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo >&2 'ERROR: No command specified.'
|
|
|
|
echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'
|