add dockerd-rootless-setuptool.sh

Usage: `dockerd-rootless-setuptool.sh install --force` .
See `--help` for further information.

Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2020-05-11 22:12:50 +09:00
parent 5da88705cc
commit c696b95269
5 changed files with 443 additions and 1 deletions

View file

@ -234,6 +234,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
PREFIX=/build /tmp/install/install.sh rootlesskit
COPY ./contrib/dockerd-rootless.sh /build
COPY ./contrib/dockerd-rootless-setuptool.sh /build
FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit

View file

@ -0,0 +1,439 @@
#!/bin/sh
# dockerd-rootless-setuptool.sh: setup tool for dockerd-rootless.sh
# Needs to be executed as a non-root user.
#
# Typical usage: dockerd-rootless-setuptool.sh install --force
#
# Documentation: https://docs.docker.com/engine/security/rootless/
set -eu
# utility functions
INFO() {
/bin/echo -e "\e[104m\e[97m[INFO]\e[49m\e[39m $@"
}
WARNING() {
/bin/echo >&2 -e "\e[101m\e[97m[WARNING]\e[49m\e[39m $@"
}
ERROR() {
/bin/echo >&2 -e "\e[101m\e[97m[ERROR]\e[49m\e[39m $@"
}
# constants
DOCKERD_ROOTLESS_SH="dockerd-rootless.sh"
SYSTEMD_UNIT="docker.service"
# CLI opt: --force
OPT_FORCE=""
# CLI opt: --skip-iptables
OPT_SKIP_IPTABLES=""
# global vars
ARG0="$0"
DOCKERD_ROOTLESS_SH_FLAGS=""
BIN=""
SYSTEMD=""
CFG_DIR=""
XDG_RUNTIME_DIR_CREATED=""
# run checks and also initialize global vars
init() {
# OS verification: Linux only
case "$(uname)" in
Linux) ;;
*)
ERROR "Rootless Docker cannot be installed on $(uname)"
exit 1
;;
esac
# User verification: deny running as root
if [ "$(id -u)" = "0" ]; then
ERROR "Refusing to install rootless Docker as the root user"
exit 1
fi
# set BIN
if ! BIN="$(command -v "$DOCKERD_ROOTLESS_SH" 2> /dev/null)"; then
ERROR "$DOCKERD_ROOTLESS_SH needs to be present under \$PATH"
exit 1
fi
BIN=$(dirname "$BIN")
# set SYSTEMD
if systemctl --user show-environment > /dev/null 2>&1; then
SYSTEMD=1
fi
# HOME verification
if [ -z "${HOME:-}" ] || [ ! -d "$HOME" ]; then
ERROR "HOME needs to be set"
exit 1
fi
if [ ! -w "$HOME" ]; then
ERROR "HOME needs to be writable"
exit 1
fi
# set CFG_DIR
CFG_DIR="${XDG_CONFIG_HOME:-$HOME/.config}"
# Existing rootful docker verification
if [ -w /var/run/docker.sock ] && [ -z "$OPT_FORCE" ]; then
ERROR "Aborting because rootful Docker (/var/run/docker.sock) is running and accessible. Set --force to ignore."
exit 1
fi
# Validate XDG_RUNTIME_DIR and set XDG_RUNTIME_DIR_CREATED
if [ -z "${XDG_RUNTIME_DIR:-}" ] || [ ! -w "$XDG_RUNTIME_DIR" ]; then
if [ -n "$SYSTEMD" ]; then
ERROR "Aborting because systemd was detected but XDG_RUNTIME_DIR (\"$XDG_RUNTIME_DIR\") is not set, does not exist, or is not writable"
ERROR "Hint: this could happen if you changed users with 'su' or 'sudo'. To work around this:"
ERROR "- try again by first running with root privileges 'loginctl enable-linger <user>' where <user> is the unprivileged user and export XDG_RUNTIME_DIR to the value of RuntimePath as shown by 'loginctl show-user <user>'"
ERROR "- or simply log back in as the desired unprivileged user (ssh works for remote machines, machinectl shell works for local machines)"
exit 1
fi
export XDG_RUNTIME_DIR="/tmp/docker-$(id -u)"
mkdir -p "$XDG_RUNTIME_DIR"
XDG_RUNTIME_DIR_CREATED=1
fi
instructions=""
# instruction: uidmap dependency check
if ! command -v newuidmap > /dev/null 2>&1; then
if command -v apt-get > /dev/null 2>&1; then
instructions=$(
cat <<- EOI
${instructions}
# Install newuidmap & newgidmap binaries
apt-get install -y uidmap
EOI
)
elif command -v dnf > /dev/null 2>&1; then
instructions=$(
cat <<- EOI
${instructions}
# Install newuidmap & newgidmap binaries
dnf install -y shadow-utils
EOI
)
elif command -v yum > /dev/null 2>&1; then
instructions=$(
cat <<- EOI
${instructions}
# Install newuidmap & newgidmap binaries
yum install -y shadow-utils
EOI
)
else
ERROR "newuidmap binary not found. Please install with a package manager."
exit 1
fi
fi
# instruction: iptables dependency check
faced_iptables_error=""
if ! command -v iptables > /dev/null 2>&1 && [ ! -f /sbin/iptables ] && [ ! -f /usr/sbin/iptables ]; then
faced_iptables_error=1
if [ -z "$OPT_SKIP_IPTABLES" ]; then
if command -v apt-get > /dev/null 2>&1; then
instructions=$(
cat <<- EOI
${instructions}
# Install iptables
apt-get install -y iptables
EOI
)
elif command -v dnf > /dev/null 2>&1; then
instructions=$(
cat <<- EOI
${instructions}
# Install iptables
dnf install -y iptables
EOI
)
elif command -v yum > /dev/null 2>&1; then
instructions=$(
cat <<- EOI
${instructions}
# Install iptables
yum install -y iptables
EOI
)
else
ERROR "iptables binary not found. Please install with a package manager."
exit 1
fi
fi
fi
# instruction: ip_tables module dependency check
if ! grep -q ip_tables /proc/modules 2> /dev/null && ! grep -q ip_tables /lib/modules/$(uname -r)/modules.builtin 2> /dev/null; then
faced_iptables_error=1
if [ -z "$OPT_SKIP_IPTABLES" ]; then
instructions=$(
cat <<- EOI
${instructions}
# Load ip_tables module
modprobe ip_tables
EOI
)
fi
fi
# set DOCKERD_ROOTLESS_SH_FLAGS
if [ -n "$faced_iptables_error" ] && [ -n "$OPT_SKIP_IPTABLES" ]; then
DOCKERD_ROOTLESS_SH_FLAGS="${DOCKERD_ROOTLESS_SH_FLAGS} --iptables=false"
fi
# instruction: Debian and Arch require setting unprivileged_userns_clone
if [ -f /proc/sys/kernel/unprivileged_userns_clone ]; then
if [ "1" != "$(cat /proc/sys/kernel/unprivileged_userns_clone)" ]; then
instructions=$(
cat <<- EOI
${instructions}
# Set kernel.unprivileged_userns_clone
cat <<EOT > /etc/sysctl.d/50-rootless.conf
kernel.unprivileged_userns_clone = 1
EOT
sysctl --system
EOI
)
fi
fi
# instruction: RHEL/CentOS 7 requires setting max_user_namespaces
if [ -f /proc/sys/user/max_user_namespaces ]; then
if [ "0" = "$(cat /proc/sys/user/max_user_namespaces)" ]; then
instructions=$(
cat <<- EOI
${instructions}
# Set user.max_user_namespaces
cat <<EOT > /etc/sysctl.d/51-rootless.conf
user.max_user_namespaces = 28633
EOT
sysctl --system
EOI
)
fi
fi
# instructions: validate subuid/subgid files for current user
if ! grep -q "^$(id -un):\|^$(id -u):" /etc/subuid 2> /dev/null; then
instructions=$(
cat <<- EOI
${instructions}
# Add subuid entry for $(id -un)
echo "$(id -un):100000:65536" >> /etc/subuid
EOI
)
fi
if ! grep -q "^$(id -un):\|^$(id -u):" /etc/subgid 2> /dev/null; then
instructions=$(
cat <<- EOI
${instructions}
# Add subgid entry for $(id -un)
echo "$(id -un):100000:65536" >> /etc/subgid
EOI
)
fi
# fail with instructions if requirements are not satisfied.
if [ -n "$instructions" ]; then
ERROR "Missing system requirements. Run the following commands to"
ERROR "install the requirements and run this tool again."
if [ -n "$faced_iptables_error" ] && [ -z "$OPT_SKIP_IPTABLES" ]; then
ERROR "Alternatively iptables checks can be disabled with --skip-iptables ."
fi
echo
echo "########## BEGIN ##########"
echo "sudo sh -eux <<EOF"
echo "$instructions" | sed -e '/^$/d'
echo "EOF"
echo "########## END ##########"
echo
exit 1
fi
# TODO: support printing non-essential but recommended instructions:
# - sysctl: "net.ipv4.ping_group_range"
# - sysctl: "net.ipv4.ip_unprivileged_port_start"
# - external binary: slirp4netns
# - external binary: fuse-overlayfs
}
# CLI subcommand: "check"
cmd_entrypoint_check() {
# requirements are already checked in init()
INFO "Requirements are satisfied"
}
# install (systemd)
install_systemd() {
mkdir -p "${CFG_DIR}/systemd/user"
unit_file="${CFG_DIR}/systemd/user/${SYSTEMD_UNIT}"
if [ -f "${unit_file}" ]; then
WARNING "File already exists, skipping: ${unit_file}"
else
INFO "Creating ${unit_file}"
cat <<- EOT > "${unit_file}"
[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com/engine/security/rootless/
[Service]
Environment=PATH=$BIN:/sbin:/usr/sbin:$PATH
ExecStart=$BIN/dockerd-rootless.sh $DOCKERD_ROOTLESS_SH_FLAGS
ExecReload=/bin/kill -s HUP \$MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple
[Install]
WantedBy=default.target
EOT
systemctl --user daemon-reload
fi
if ! systemctl --user --no-pager status "${SYSTEMD_UNIT}" > /dev/null 2>&1; then
INFO "starting systemd service ${SYSTEMD_UNIT}"
(
set -x
systemctl --user start "${SYSTEMD_UNIT}"
sleep 3
)
fi
(
set -x
systemctl --user --no-pager --full status "${SYSTEMD_UNIT}"
DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock" $BIN/docker version
systemctl --user enable "${SYSTEMD_UNIT}"
)
INFO "Installed ${SYSTEMD_UNIT} successfully."
INFO "To control ${SYSTEMD_UNIT}, run: \`systemctl --user (start|stop|restart) ${SYSTEMD_UNIT}\`"
INFO "To run ${SYSTEMD_UNIT} on system startup, run: \`sudo loginctl enable-linger $(id -un)\`"
echo
}
# install (non-systemd)
install_nonsystemd() {
INFO "systemd not detected, ${DOCKERD_ROOTLESS_SH} needs to be started manually:"
echo
echo "PATH=$BIN:/sbin:/usr/sbin:\$PATH ${DOCKERD_ROOTLESS_SH} ${DOCKERD_ROOTLESS_SH_FLAGS}"
echo
}
# CLI subcommand: "install"
cmd_entrypoint_install() {
# requirements are already checked in init()
if [ -z "$SYSTEMD" ]; then
install_nonsystemd
else
install_systemd
fi
INFO "Make sure the following environment variables are set (or add them to ~/.bashrc):"
echo
if [ -n "$XDG_RUNTIME_DIR_CREATED" ]; then
echo "export XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}"
fi
echo "export PATH=${BIN}:\$PATH"
echo "export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock"
echo
}
# CLI subcommand: "uninstall"
cmd_entrypoint_uninstall() {
# requirements are already checked in init()
if [ -z "$SYSTEMD" ]; then
INFO "systemd not detected, ${DOCKERD_ROOTLESS_SH} needs to be stopped manually:"
else
unit_file="${CFG_DIR}/systemd/user/${SYSTEMD_UNIT}"
(
set -x
systemctl --user stop "${SYSTEMD_UNIT}"
) || :
(
set -x
systemctl --user disable "${SYSTEMD_UNIT}"
) || :
rm -f "${unit_file}"
INFO "Uninstalled ${SYSTEMD_UNIT}"
fi
INFO "This uninstallation tool does NOT remove Docker binaries and data."
INFO "To remove data, run: \`$BIN/rootlesskit rm -rf $HOME/.local/share/docker\`"
}
# text for --help
usage() {
echo "Usage: ${ARG0} [OPTIONS] COMMAND"
echo
echo "A setup tool for Rootless Docker (${DOCKERD_ROOTLESS_SH})."
echo
echo "Documentation: https://docs.docker.com/engine/security/rootless/"
echo
echo "Options:"
echo " -f, --force Ignore rootful Docker (/var/run/docker.sock)"
echo " --skip-iptables Ignore missing iptables"
echo
echo "Commands:"
echo " check Check prerequisites"
echo " install Install systemd unit (if systemd is available) and show how to manage the service"
echo " uninstall Uninstall systemd unit"
}
# parse CLI args
if ! args="$(getopt -o hf --long help,force,skip-iptables -n "$ARG0" -- "$@")"; then
usage
exit 1
fi
eval set -- "$args"
while [ "$#" -gt 0 ]; do
arg="$1"
shift
case "$arg" in
-h | --help)
usage
exit 0
;;
-f | --force)
OPT_FORCE=1
;;
--skip-iptables)
OPT_SKIP_IPTABLES=1
;;
--)
break
;;
*)
# XXX this means we missed something in our "getopt" arguments above!
ERROR "Scripting error, unknown argument '$arg' when parsing script arguments."
exit 1
;;
esac
done
command="${1:-}"
if [ -z "$command" ]; then
ERROR "No command was specified. Run with --help to see the usage. Maybe you want to run \`$ARG0 install\`?"
exit 1
fi
if ! command -v "cmd_entrypoint_${command}" > /dev/null 2>&1; then
ERROR "Unknown command: ${command}. Run with --help to see the usage."
exit 1
fi
# main
init
"cmd_entrypoint_${command}"

View file

@ -11,3 +11,4 @@ DOCKER_ROOTLESSKIT_BINARY_NAME='rootlesskit'
DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME='rootlesskit-docker-proxy'
DOCKER_VPNKIT_BINARY_NAME='vpnkit'
DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME='dockerd-rootless.sh'
DOCKER_DAEMON_ROOTLESS_SETUPTOOL_SH_BINARY_NAME='dockerd-rootless-setuptool.sh'

View file

@ -14,7 +14,7 @@ copy_binaries() {
return
fi
echo "Copying nested executables into $dir"
for file in containerd containerd-shim containerd-shim-runc-v2 ctr runc docker-init docker-proxy rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh; do
for file in containerd containerd-shim containerd-shim-runc-v2 ctr runc docker-init docker-proxy rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh dockerd-rootless-setuptool.sh; do
cp -f "$(command -v "$file")" "$dir/"
if [ "$hash" = "hash" ]; then
hash_files "$dir/$file"

View file

@ -29,6 +29,7 @@ install_binary() {
install_binary "${DEST}/${DOCKER_ROOTLESSKIT_BINARY_NAME}"
install_binary "${DEST}/${DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME}"
install_binary "${DEST}/${DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME}"
install_binary "${DEST}/${DOCKER_DAEMON_ROOTLESS_SETUPTOOL_SH_BINARY_NAME}"
if [ -f "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}" ]; then
install_binary "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}"
fi