I don't think this script was really used, and now that GitHub has
issue templates, it will diverge from the template we have configured,
so better to remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error,
as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`,
which was not supported by `rootlesskit --copy-up=/etc`.
See rootless-containers/rootlesskit issue 225
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The awk dependency is an issue when running check-config.sh on systems
without awk. The use of awk can be replaced with sed, which improves
portability.
The PR code review discussion iterated via grep to this final sed
version that is all Tianon Gravi's art.
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakim.roubert@axis.com>
On systems that do not have bash, the current bash-based
check-config.sh won't run. Making check-config.sh a POSIX shell script
instead makes it more portable.
Signed-off-by: Joakim Roubert <joakim.roubert@axis.com>
This unit file was created when we packaged rpms without the
socket activation unit, but that's no longer the case.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).
This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.
e6fc34b71a/libpod/networking_linux.go (L396-L401)
Tested on Fedora 34
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Starting `dockerd-rootless.sh` checks that `$HOME` is writeable, but does not
require it to be so.
Make the check more precise, and check that it actually exists and is a
directory.
Signed-off-by: Hugo Osvaldo Barrera <hugo@barrera.io>
Inode numbers are guaranteed to be unique only within a filesystem.
As such there is an edge case where these predicates are true on a
non-btrfs filesystem.
Closes #42271
Signed-off-by: Brett Milford <brettmilford@gmail.com>
This mirrors what the non-rootless version does, and lets `systemd` understand
when the service is fully up and running.
`NotifyAccess=all` is required, since the main process is the wrapper script,
and it's the child process that emits the signal.
Signed-off-by: Hugo Osvaldo Barrera <hugo@barrera.io>
- Using "/go/" redirects for some topics, which allows us to
redirect to new locations if topics are moved around in the
documentation.
- Updated some old URLs to their new location.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`dockerd-rootless.sh install` is a common typo of `dockerd-rootless-setuptool.sh install`.
Now `dockerd-rootless.sh install` shows a human-readable error.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Points out another symbol that Docker might need. In this case, Docker's
mesh network in swarm mode does not route Virtual IPs if it's unset.
From /var/logs/docker.log:
```
time="2021-02-19T18:15:39+01:00" level=error msg="set up rule failed, [-t mangle -A INPUT -d 10.0.1.2/32 -j MARK --set-mark 257]: (iptables failed: iptables --wait -t mangle -A INPUT -d 10.0.1.2/32 -j MARK --set-mark 257: iptables v1.8.7 (legacy): unknown option \"--set-mark\"\nTry `iptables -h' or 'iptables --help' for more information.\n (exit status 2))"
```
Bug: https://github.com/moby/libnetwork/issues/2227
Bug: https://github.com/docker/for-linux/issues/644
Bug: https://github.com/docker/for-linux/issues/525
Signed-off-by: Piotr Karbowski <piotr.karbowski@protonmail.ch>
Now `systemctl --user stop docker` completes within just 1 or 2 seconds.
Fix issue 41944 ("Docker rootless does not exit properly if containers are running")
See systemd.kill(5) https://www.freedesktop.org/software/systemd/man/systemd.kill.html
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This parameter was removed by kernel commit 4c145dce260137,
which made its way to kernel v5.3-rc1. Since that commit,
the functionality is built-in (i.e. it is available as long
as CONFIG_XFRM is on).
Make the check conditional.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
These config options are removed by kernel commit f382fb0bcef4,
which made its way into kernel v5.0-rc1.
Make the check conditional.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Kernel commit 2d1c498072de69e (which made its way into kernel v5.8-rc1)
removed CONFIG_MEMCG_SWAP_ENABLED Kconfig option, making swap accounting
always enabled (unless swapaccount=0 boot option is provided).
Make the check conditional.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
CONFIG_NF_NAT_NEEDED was removed in kernel commit 4806e975729f99c7,
which made its way into v5.2-rc1. The functionality is now under
NF_NAT which we already check for.
Make the check for NF_NAT_NEEDED conditional.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
CONFIG_NF_NAT_IPV4 was removed in kernel commit 3bf195ae6037e310,
which made its way into v5.1-rc1. The functionality is now under
NF_NAT which we already check for.
Make the check for NF_NAT_IPV4 conditional.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
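The five commits above apply one pattern to check-config.sh: an option that a given kernel release removed is only checked on kernels older than that release, so a newer kernel does not get a misleading "missing" for a feature it has built in. The script below is an added example of that pattern in POSIX sh; it is not check-config.sh itself, and the helper names (`ver_key`, `kernel_version_lt`, `flag_state`, `check_flag_until`) and the sample config are constructed here. The version cut-offs used for the three named options are the ones the commit messages state (removed in v5.1, v5.2 and v5.8 respectively).

```shell
#!/bin/sh
# Added example in the style of check-config.sh; not the contrib script itself.
# Helper names and the sample config below are constructed for illustration.

# ver_key VERSION: print a sortable integer for "major.minor[.patch]".
# Anything after the numeric part (e.g. "-rc1", "-13-amd64") is dropped and
# missing components count as 0. Runs in a subshell so the IFS change is local.
ver_key() (
    v=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    IFS=.
    set -- $v
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# kernel_version_lt A B: true when kernel version A is older than B.
kernel_version_lt() {
    [ "$(ver_key "$1")" -lt "$(ver_key "$2")" ]
}

# flag_state NAME: state of CONFIG_NAME in $CONFIG (decompressed
# /proc/config.gz format): "enabled", "module" or "missing".
flag_state() {
    if grep -q "^CONFIG_$1=y" "$CONFIG"; then
        echo enabled
    elif grep -q "^CONFIG_$1=m" "$CONFIG"; then
        echo module
    else
        echo missing
    fi
}

# check_flag_until NAME VERSION: an option removed in VERSION is only
# meaningful on kernels older than that, so report it there and print
# "skipped" on newer kernels instead of a spurious "missing".
check_flag_until() {
    if kernel_version_lt "$KVER" "$2"; then
        flag_state "$1"
    else
        echo skipped
    fi
}

# Constructed sample config (not captured from a real kernel).
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_NF_NAT=m
CONFIG_XFRM=y
# CONFIG_MEMCG_SWAP_ENABLED is not set
EOF
CONFIG=${CONFIG:-$SAMPLE_CONFIG}
KVER=${KVER:-$(uname -r)}

# report: the three removed options named above, each gated on the version
# that removed it, next to the unconditional NF_NAT check they now fall under.
report() {
    printf 'kernel %s\n' "$KVER"
    printf '%-28s %s\n' 'NF_NAT'                     "$(flag_state NF_NAT)"
    printf '%-28s %s\n' 'NF_NAT_IPV4 (< 5.1)'        "$(check_flag_until NF_NAT_IPV4 5.1)"
    printf '%-28s %s\n' 'NF_NAT_NEEDED (< 5.2)'      "$(check_flag_until NF_NAT_NEEDED 5.2)"
    printf '%-28s %s\n' 'MEMCG_SWAP_ENABLED (< 5.8)' "$(check_flag_until MEMCG_SWAP_ENABLED 5.8)"
}
report
```

Run it with `KVER=4.19.0 sh check.sh` or `KVER=5.10.0 sh check.sh` to see the same sample config produce "missing" on the old kernel and "skipped" on the new one; point `CONFIG` at a real decompressed config to check an actual kernel.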
This reverts commit 0ca7456e52,
which caused the docker service to not start, or delayed
starting the service in certain conditions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit a65c65d801,
which caused the docker service to not start, or delayed
starting the service in certain conditions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
relates to https://github.com/docker/for-linux/issues/678
When using the BindTo directive, Docker is permanently stopped by systemd
when containerd is temporarily killed and restarted;
Using `Requires` achieves mostly the same, but defines a weaker dependency;
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=
> Requires=
>
> .. If this unit gets activated, the units listed will be activated as well.
> If one of the other units fails to activate, and an ordering dependency
> After= on the failing unit is set, this unit will not be started. Besides,
> with or without specifying After=, this unit will be stopped if one of the
> other units is explicitly stopped.
We may want to look into using `Wants=` instead of `Requires=`, because
that allows docker to continue running if containerd is restarted, quoting
the systemd documentation:
> Often, it is a better choice to use Wants= instead of Requires= in order
> to achieve a system that is more robust when dealing with failing services.
Given that docker will likely still fail if the containerd socket is not
present, startup will fail if containerd is not running, but if containerd
is restarted, the docker daemon may be able to try reconnecting.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I don't think we still had a use for this script, and if someone
needs this, it'll still be accessible in older tags/releases.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
dockerd currently sets the oom-score-adjust itself. This functionality
was added when we did not yet run dockerd as a systemd service.
Now that we do, it's better to instead have systemd handle this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Currently we use the `go` command to read GOARCH and use the value for
matching manifests.
This change allows:
1. Specifying the arch through `TARGETARCH`
2. Falling back to `dpkg` if `go` is not available
3. Falling back to `uname -m` if `dpkg` is not available
4. A default value (amd64) if none of these commands is available.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
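The four-step fallback described above, written out as a stand-alone POSIX sh function. This is an added example, not the repository's own script: the function names are ours, `go env GOARCH` is the assumed way of asking the `go` command for its architecture, and the table mapping `uname -m` and `dpkg` names onto GOARCH-style names is our own addition (the commit message does not spell one out).

```shell
#!/bin/sh
# Added example; not the repository's own script.

# map_arch NAME: translate a machine name from `uname -m` or a Debian
# architecture from `dpkg --print-architecture` into the GOARCH-style name
# used when matching manifests. Unknown names pass through unchanged.
# (Mapping table constructed for this example.)
map_arch() {
    case "$1" in
        x86_64 | amd64)      echo amd64 ;;
        i?86)                echo 386 ;;
        aarch64 | arm64)     echo arm64 ;;
        armv7l | armhf)      echo arm ;;
        ppc64le | ppc64el)   echo ppc64le ;;
        s390x)               echo s390x ;;
        riscv64)             echo riscv64 ;;
        mips64el | mips64le) echo mips64le ;;
        *)                   echo "$1" ;;
    esac
}

# detect_arch: honour $TARGETARCH when set; otherwise ask go, then dpkg,
# then uname, in that order; fall back to amd64 when none is available.
detect_arch() {
    if [ -n "${TARGETARCH:-}" ]; then
        echo "$TARGETARCH"
    elif command -v go >/dev/null 2>&1; then
        go env GOARCH
    elif command -v dpkg >/dev/null 2>&1; then
        map_arch "$(dpkg --print-architecture)"
    elif command -v uname >/dev/null 2>&1; then
        map_arch "$(uname -m)"
    else
        echo amd64
    fi
}

echo "detected arch: $(detect_arch)"
```

Setting `TARGETARCH=arm64` before running the script overrides every probe, which is what lets a cross-build pick manifests for a different machine than the one running the script.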
I looked at fixing https://bugs.debian.org/969940, but these scripts haven't been materially changed in 2-3 years and better alternatives exist elsewhere, so we should probably just remove them instead.
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Add multi-user.target to the After= list in docker.service so that multi-user.target does not wait for docker.service (and consequently wait for network-online.target).
Signed-off-by: Isaiah Grace <irgkenya4@gmail.com>
In order to run tests on a mips64el device.
official-images now supports the following images for mips64el:
buildpack-deps:stretch
buildpack-deps:buster
debian:stretch
debian:buster
But official-images does not support the following images for mips64el:
debian:jessie
buildpack-deps:jessie
Signed-off-by: wanghuaiqing <wanghuaiqing@loongson.cn>
The new shim socket path convention hardcodes `/run/containerd`:
https://github.com/containerd/containerd/pull/4343
`dockerd-rootless.sh` is updated to hide the rootful `/run/containerd`
from the mount namespace of the rootless dockerd.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
We were not really using these, and they haven't been
updated in a long time. If needed, we can add people to
the CODEOWNERS file.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These Dockerfiles haven't been maintained, and more up-to-date
versions can be found in Jess's github repository;
- chromium: 3679486e0b/chromium
- gparted: 3679486e0b/gparted
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The default port driver "builtin" might not always be preferable as it
drops src IP information: https://github.com/containers/libpod/pull/6324
Now the port driver can be changed to "slirp4netns" via the environment
variable `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER`.
It is still recommended to use the default "builtin" driver.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
`/tmp/docker-$(id -u)` is not a good candidate as `$XDG_RUNTIME_DIR`,
because it might be already created by another user.
The new path is `$HOME/.docker/run`.
Cherry-picked from https://github.com/docker/docker-install/pull/178
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
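Two of the commits above touch how `dockerd-rootless.sh` picks its directories: one requires `$HOME` to exist and be a directory (without demanding that it be writable), the other drops `/tmp/docker-$(id -u)` as the `$XDG_RUNTIME_DIR` fallback because another user may already own that path, and uses `$HOME/.docker/run` instead. The script below is an added example of both checks in POSIX sh; it is not the contrib script itself, and the function names and messages are ours. The ownership test is the security-relevant part: a shared `/tmp` path that someone else created first would let that user read or replace the daemon's socket.

```shell
#!/bin/sh
# Added example; not dockerd-rootless.sh itself. Function names are ours.

# require_home_dir: $HOME must be set, exist and be a directory. Writability
# is deliberately not required here; it is checked only where a directory is
# actually created underneath it.
require_home_dir() {
    if [ -z "${HOME:-}" ]; then
        echo "HOME is not set" >&2
        return 1
    fi
    if [ ! -d "$HOME" ]; then
        echo "HOME ($HOME) does not exist or is not a directory" >&2
        return 1
    fi
}

# owned_private_dir DIR: succeed only if DIR is a directory owned by the
# current user. A path like /tmp/docker-$(id -u) fails this when another
# user created it first, which is why the fallback moved under $HOME.
owned_private_dir() {
    [ -d "$1" ] && [ -O "$1" ]
}

# runtime_dir: print the directory to use as XDG_RUNTIME_DIR. Prefer an
# already-set XDG_RUNTIME_DIR (normally provided by the login session);
# otherwise create $HOME/.docker/run with owner-only permissions.
runtime_dir() {
    if [ -n "${XDG_RUNTIME_DIR:-}" ] && owned_private_dir "$XDG_RUNTIME_DIR"; then
        echo "$XDG_RUNTIME_DIR"
        return 0
    fi
    require_home_dir || return 1
    dir="$HOME/.docker/run"
    mkdir -p -m 0700 "$dir" || return 1
    if ! owned_private_dir "$dir"; then
        echo "$dir exists but is not owned by $(id -un)" >&2
        return 1
    fi
    echo "$dir"
}

# Demo against a constructed throwaway HOME so running this leaves the real
# home directory untouched.
demo_home=$(mktemp -d)
echo "runtime dir: $(HOME=$demo_home XDG_RUNTIME_DIR= runtime_dir)"
rm -rf "$demo_home"
```

The `-O` test (file owned by the effective user) is available in bash, dash and busybox sh; on a shell without it, `stat -c %u` compared against `id -u` does the same job.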
Usage: `dockerd-rootless-setuptool.sh install --force`.
See `--help` for further information.
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
slirp4netns v0.3.X turned out not to work with RootlessKit >= v0.7.1:
https://github.com/rootless-containers/rootlesskit/issues/143
As slirp4netns v0.3.X reached EOL on Mar 31, 2020, RootlessKit is not
going to fix support for slirp4netns v0.3.X.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Close #40484
Note that the support for cgroup v2 isn't ready for production yet,
regardless of rootful or rootless.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
PartOf deactivates the socket whenever the service gets deactivated.
The socket unit however should be active nevertheless, so that the
docker service can be started again through socket activation.
Based on the original patch in upstream moby/moby by Max Harmathy.
Co-authored-by: Max Harmathy <max.harmathy@web.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 0f9f99500c removed the
use of SQLite for managing container links, and commit
f8119bb7a7 removed the migration
tool, and SQLite dependency.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When slirp4netns v0.4.0+ is used, slirp4netns is now hardened using a
mount namespace ("sandbox") and seccomp to mitigate potential
vulnerabilities.
bump up rootlesskit: 2fcff6ceae...791ac8cb20
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The mkimage-yum.sh script fails to install additional
packages (passed with -p package-name), because the
package names get quoted twice.
Signed-off-by: Amit Bakshi <ambakshi@gmail.com>
Overlay networking in docker stack does not work correctly if this option is missing, docker will output the following error:
```
enabling default vlan on bridge br0 failed open /sys/class/net/br0/bridge/default_pvdi: permission denied
```
This is because `default_pvdi` does not exist without this option.
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Simon Ausserlechner <simon.ausserlechner@siemens.com>
Killing the shell script process does not kill the forked process.
This commit switches to `exec` so that the executed process can be
easily killed.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* reset umask to 022
* introduced PKGREQUIRED
* introduced PKGREMOVE
- to be able to remove linux etc on Parabola GNU/Linux
* updated PKGIGNORE
- cryptsetup & device-mapper removed to not break the installation
- added not required packages
* force link /etc/localtime
* install pacman-mirrorlist
Signed-off-by: Staf Wagemakers <staf@wagemakers.be>
lxc-user-nic can eliminate slirp overhead but needs /etc/lxc/lxc-usernet to be configured for the current user.
To use lxc-user-nic, $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic also needs to be set.
This commit also bumps up RootlessKit from v0.3.0 to v0.4.0:
70e0502f32...e92d5e772e
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
* Use rc_ulimit for ulimit constraints
* Synchronize ulimit settings to systemd's
* Add support for reload command
* Add support for retry settings for docker stop/restart
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.
The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.
RootlessKit changes: 7bbbc48a6f...ed26714429
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Previously, tag information was automatically added from
/etc/{redhat,system}-release in the image (target directory).
But I want to specify any tag information when using mkimage-yum.sh,
because a Linux distribution based on RHEL (Asianux Server) uses
SPn notation (e.g. SP3) instead of period notation (e.g. 7.6).
Signed-off-by: Noriki Nakamura <noriki.nakamura@miraclelinux.com>
containerd is now running as a separate service, and should
no longer be started as a managed child-process of dockerd.
The dockerd service already specifies that it should be started
`After` the containerd.service, but there is still a race
condition, where containerd is started, but its socket is not yet
created.
In that situation, `dockerd` detects that the containerd socket
is missing, and will start a new instance of containerd (as a
managed child-process), which causes live-restore to fail.
This patch explicitly sets the `--containerd` daemon option.
If this option is set, `dockerd` will not start a new instance
of containerd.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Please refer to `docs/rootless.md`.
TLDR:
* Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
* `dockerd-rootless.sh --experimental`
* `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>