Merge pull request #42462 from AkihiroSuda/cherrypick-rootless-selinux-42334
[20.10 backport] rootless: avoid /run/xtables.lock EACCES on SELinux hosts ; disable overlay2 if running with SELinux ; fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
This commit is contained in:
Sebastiaan van Stijn
GitHub
commit
8b224ca06c
2 changed files with 33 additions and 0 deletions
|
|
@ -84,6 +84,12 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
|
|||
echo "This script must be executed as a non-privileged user"
|
||||
exit 1
|
||||
fi
|
||||
# `selinuxenabled` always returns false in RootlessKit child, so we execute `selinuxenabled` in the parent.
|
||||
# https://github.com/rootless-containers/rootlesskit/issues/94
|
||||
if command -v selinuxenabled > /dev/null 2>&1 && selinuxenabled; then
|
||||
_DOCKERD_ROOTLESS_SELINUX=1
|
||||
export _DOCKERD_ROOTLESS_SELINUX
|
||||
fi
|
||||
# Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces.
|
||||
#
|
||||
# --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks
|
||||
|
|
@ -105,5 +111,22 @@ else
|
|||
# remove the symlinks for the existing files in the parent namespace if any,
|
||||
# so that we can create our own files in our mount namespace.
|
||||
rm -f /run/docker /run/containerd /run/xtables.lock
|
||||
|
||||
if [ -n "$_DOCKERD_ROOTLESS_SELINUX" ]; then
|
||||
# iptables requires /run in the child to be relabeled. The actual /run in the parent is unaffected.
|
||||
# https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401
|
||||
# https://github.com/moby/moby/issues/41230
|
||||
chcon system_u:object_r:iptables_var_run_t:s0 /run
|
||||
fi
|
||||
|
||||
if [ "$(stat -c %T -f /etc)" = "tmpfs" ] && [ -L "/etc/ssl" ]; then
|
||||
# Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
|
||||
# https://github.com/rootless-containers/rootlesskit/issues/225
|
||||
realpath_etc_ssl=$(realpath /etc/ssl)
|
||||
rm -f /etc/ssl
|
||||
mkdir /etc/ssl
|
||||
mount --rbind ${realpath_etc_ssl} /etc/ssl
|
||||
fi
|
||||
|
||||
exec dockerd $@
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -37,6 +37,16 @@ func ErrDTypeNotSupported(driver, backingFs string) error {
|
|||
// checkMultipleLowers parameter enables check for multiple lowerdirs,
|
||||
// which is required for the overlay2 driver.
|
||||
func SupportsOverlay(d string, checkMultipleLowers bool) error {
|
||||
// We can't rely on go-selinux.GetEnabled() to detect whether SELinux is enabled,
|
||||
// because RootlessKit doesn't mount /sys/fs/selinux in the child: https://github.com/rootless-containers/rootlesskit/issues/94
|
||||
// So we check $_DOCKERD_ROOTLESS_SELINUX, which is set by dockerd-rootless.sh .
|
||||
if os.Getenv("_DOCKERD_ROOTLESS_SELINUX") == "1" {
|
||||
// Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux,
|
||||
// so fallback to fuse-overlayfs.
|
||||
// https://github.com/moby/moby/issues/42333
|
||||
return errors.New("overlay is not supported for Rootless with SELinux")
|
||||
}
|
||||
|
||||
td, err := ioutil.TempDir(d, "check-overlayfs-support")
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
|
|||
Loading…
Reference in a new issue