Commit graph

2143 commits

Author SHA1 Message Date
Akihiro Suda
d27fe2558d
dockerd-rootless-setuptool.sh: check RootlessKit functionality
RootlessKit will print hints if something is still unsatisfied.

e.g., `kernel.apparmor_restrict_unprivileged_userns` constraint
rootless-containers/rootlesskit@33c3e7ca6c

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit b32cfc3b3a)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-06 10:38:17 +01:00
Akihiro Suda
84d2229ffe
dockerd-rootless-setuptool.sh: add nsenter subcommand
Usage: `dockerd-rootless-setuptool.sh nsenter -- ip a`

Expected to be used for debugging.

Ported from nerdctl's `containerd-rootless-setuptool.sh`
https://github.com/containerd/nerdctl/blob/v1.7.2/extras/rootless/containerd-rootless-setuptool.sh#L142-L147

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-01-17 22:59:18 +09:00
Akihiro Suda
7d08d84b03
dockerd-rootless.sh: set rootlesskit --state-dir=DIR
Now the state dir is set to `${XDG_RUNTIME_DIR}/dockerd-rootless`.

This is similar to `${XDG_RUNTIME_DIR}/containerd-rootless` used in nerdctl:
https://github.com/containerd/nerdctl/blob/v1.7.2/extras/rootless/containerd-rootless.sh#L35

Prior to this commit, the state dir was unset and a random dir under `/tmp` was used.
(e.g., `/tmp/rootlesskit1869901982`)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-01-17 22:59:18 +09:00
Akihiro Suda
e954cdc188
dockerd-rootless.sh: fix inconsistent description about "builtin" driver
The "builtin" port driver was marked as "Slow" in the row for the lxc-user-nic
network driver, while it was marked as "Fast" in other rows.

It had to be consistently marked as "Fast" regardless to the network driver.
It is still not as fast as rootful.

Follow-up to PR 47076
Fixes: b5a5ecf4a3

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-01-16 23:11:40 +09:00
Akihiro Suda
b5a5ecf4a3
dockerd-rootless.sh: add comments about pasta
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-01-16 10:56:30 +09:00
Sebastiaan van Stijn
3bfb6a9420
frozen images: update to debian:bookworm-slim
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-30 12:01:06 +01:00
Scott Moser
29977d5058 contrib/check-config: conditionally disable color output.
Redirecting check-config.sh output to a file puts control character
output into that file, which isn't helpful for reading.

Disable colorized output if either
1. NO_COLOR environment is set to "1"
2. stdout is not a terminal.

Signed-off-by: Scott Moser <smoser@brickies.net>
2023-10-30 10:59:23 -04:00
Stephan Henningsen
cf9073397c Update check-config.sh
Add IP_NF_MANGLE to "Generally Required" kernel features, since it appears to be necessary for Docker Swarm to work.

Closes https://github.com/moby/moby/issues/46636

Signed-off-by: Stephan Henningsen <stephan-henningsen@users.noreply.github.com>
2023-10-18 21:59:04 +02:00
Sebastiaan van Stijn
14c5f7bf1d
contrib: outline purpose of download-frozen-images-v2.sh
We occassionally receive contributions to this script that are outside
its intended scope. Let's add a comment to the script that outlines
what it's meant for, and a link to a GitHub ticket with alternatives.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-14 11:36:22 +02:00
Sebastiaan van Stijn
73894af9ff
contrib/apparmor: format code with gofumpt
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-24 17:59:35 +02:00
Brennan Kinney
c8930105bc fix: Normalize RLIMIT_NOFILE to sensible defaults
During review, it was decided to remove `LimitNOFILE` from `docker.service` to rely on the systemd v240 implicit default of `1024:524288`. On supported platforms with systemd prior to v240, packagers will patch the service with an explicit `LimitNOFILE=1024:524288`.

- `1024` soft limit is an implicit default, avoiding unexpected breakage. Software that needs a higher limit should request to raise the soft limit for its process.
- `524288` hard limit is an implicit default since systemd v240 and is adequate for most processes (_half of the historical limit from `fs.nr_open` of `1048576`_), while 4096 is the implicit default from the kernel (often too low). Individual containers can be started with `--ulimit` when a larger hard limit is required.
- The hard limit may not exceed `fs.nr_open` (_which a value of `infinity` will resolve to_). On most systems with systemd v240 or newer, this will resolve to an excessive size of 2^30 (over 1 billion).
- When set to `infinity` (usually as the soft limit) software may experience significantly increased resource usage, resulting in a performance regression or runtime failures that are difficult to troubleshoot.
- OpenRC current config approach lacks support for different soft/hard limits being set as it adjusts additional limits and `ulimit` does not support mixed usage of `-H` + `-S`. A soft limit of `524288` is not ideal, but 2^19 is much less overhead than 2^30, whilst a hard limit of 4096 would be problematic for Docker.

Signed-off-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-08-07 12:37:14 +12:00
Paweł Gronowski
e010223186
contrib/busybox: Update to FRP-5007-g82accfc19
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-06-21 14:15:05 +02:00
Bjorn Neergaard
800ea039ec
contrib/check-config: move xt_bpf check to overlay section
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-05 08:11:05 -06:00
Bjorn Neergaard
1910fdde81
contrib/check-config: check for xt_bpf
We omit xt_u32 as it's optional; since we will remove support for this
module in the future, it's simpler to check for xt_bpf, which will
become the new baseline.

Related issues:
* https://github.com/microsoft/WSL/issues/10029#issuecomment-1574440255
* https://github.com/docker/for-win/issues/13450#issuecomment-1574443139

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-02 19:31:13 -06:00
Sebastiaan van Stijn
6e98a7f2c9
Merge pull request #45548 from tianon/sysvinit-debian
Remove Upstart and cgroups bits from Debian sysvinit script
2023-05-22 16:08:55 +02:00
Sebastiaan van Stijn
50d2c94bd6
Merge pull request #43637 from thaJeztah/remove_deprecated_storage_drivers
Remove deprecated devicemapper storage driver
2023-05-18 21:23:41 +02:00
Tianon Gravi
0d8087fbbc Remove Upstart scripts
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2023-05-17 14:20:14 -07:00
Tianon Gravi
ae737656f9 Remove Upstart and cgroups bits from Debian sysvinit script
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Additionally, this removes the "cgroups v1" setup code because it's more reasonable now for us to expect something _else_ to have set up cgroups appropriately (especially cgroups v2).

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2023-05-16 15:39:33 -07:00
Bjorn Neergaard
be220af9fb
Merge pull request #44395 from jmrouet/master
Fixing dockerd-rootless-setuptools.sh when user name contains a backslash
2023-05-12 09:39:29 -06:00
Jean-Michel Rouet
2f0ba0a7e5 more robust dockerd-rootless-setuptools.sh
Fixing case where username may contain a backslash.
This case can happen for winbind/samba active directory domain users.

Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Use more meaningful variable name

Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Update contrib/dockerd-rootless-setuptool.sh

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Use more meaningful variable name

Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Update contrib/dockerd-rootless-setuptool.sh

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>
2023-05-12 09:22:14 +02:00
Sebastiaan van Stijn
f445ee1e6c
contrib/apparmor: remove remaining version-conditionals (< 2.9) from template
Commit 2e19a4d56b removed all other version-
conditional statements from the AppArmor template, but left this one in place.

These conditions were added in 8cf89245f5
to account for old versions of debian/ubuntu (apparmor_parser < 2.9)
that lacked some options;

> This allows us to use the apparmor profile we have in contrib/apparmor/
> and solves the problems where certain functions are not apparent on older
> versions of apparmor_parser on debian/ubuntu.

Those patches were from 2015/2016, and all currently supported distro
versions should now have more current versions than that. Looking at the
oldest supported versions;

Ubuntu 18.04 "Bionic":

    apparmor_parser --version
    AppArmor parser version 2.12
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2012 Canonical Ltd.

Debian 10 "Buster"

    apparmor_parser --version
    AppArmor parser version 2.13.2
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2018 Canonical Ltd.

This patch removes the remaining conditionals.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-08 13:17:59 +02:00
Sebastiaan van Stijn
dc11d2a2d8
remove deprecated devicemapper storage-driver
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-20 23:51:54 +02:00
Florian Schmaus
005150ed69 check-config.sh: do not check for RT_GROUP_SCHED
Unconditionally checking for RT_GROUP_SCHED is harmful. It is one of
the options that you want inactive unless you know that you want it
active.

Systemd recommends to disable it [1], a rationale for doing so is
provided in

    https://bugzilla.redhat.com/show_bug.cgi?id=1229700#c0.

The essence is that you can not simply enable RT_GROUP_SCHED, you also
have to assign budgets manually. If you do not assign budgets, then
your realtime scheduling will be affected.

If check-config.sh keeps recommending to enable this, without further
advice, then users will follow the recommendation and likely run into
issues.

Again, this is one of the options that you want inactive, unless you
know that you want to use it.

Related Gentoo bugs:
- https://bugs.gentoo.org/904264
- https://bugs.gentoo.org/606548

1: 39857544ee/README (L144-L150)

Signed-off-by: Florian Schmaus <flo@geekplace.eu>
2023-04-19 17:29:56 +02:00
Sebastiaan van Stijn
3903f16cd6
daemon: remove deprecated AuFS storage driver
There's still some locations refering to AuFS;

- pkg/archive: I suspect most of that code is because the whiteout-files
  are modelled after aufs (but possibly some code is only relevant to
  images created with AuFS as storage driver; to be looked into).
- contrib/apparmor/template: likely some rules can be removed
- contrib/dockerize-disk.sh: very old contribution, and unlikely used
  by anyone, but perhaps could be updated if we want to (or just removed).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-15 01:27:16 +02:00
kpcyrd
7fe0f73838 Fix argument quoting bugs in dockerd-rootless.sh
Signed-off-by: kpcyrd <git@rxv.cc>
2023-04-13 16:35:09 +02:00
Akihiro Suda
4aa2876c75
docker-rootless-setuptools.sh: improve readability of messages
Before:
```console
$ docker-rootless-setuptool.sh install
...
[INFO] Use CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/local/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock
```

After:
```console
$ docker-rootless-setuptool.sh install
...
[INFO] Using CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/usr/local/bin:$PATH

[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-04-06 14:12:20 +09:00
Paweł Gronowski
a0741cacef
contrib/dockerize-disk.sh: Fix indentation
Reported by shfmt

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-07 15:46:48 +01:00
Sebastiaan van Stijn
2e19a4d56b
contrib/apparmor: remove version-conditionals (< 2.9) from template
These conditions were added in 8cf89245f5
to account for old versions of debian/ubuntu (apparmor_parser < 2.9)
that lacked some options;

> This allows us to use the apparmor profile we have in contrib/apparmor/
> and solves the problems where certain functions are not apparent on older
> versions of apparmor_parser on debian/ubuntu.

Those patches were from 2015/2016, and all currently supported distro
versions should now have more current versions than that. Looking at the
oldest supported versions;

Ubuntu 18.04 "Bionic":

    apparmor_parser --version
    AppArmor parser version 2.12
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2012 Canonical Ltd.

Debian 10 "Buster"

    apparmor_parser --version
    AppArmor parser version 2.13.2
    Copyright (C) 1999-2008 Novell Inc.
    Copyright 2009-2018 Canonical Ltd.

This patch removes the conditionals.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-08 18:05:02 +01:00
CrazyMax
25dc760162
Dockerfile: variant support in frozen-images stage
using TARGETVARIANT in frozen-images stage implies changes in
`download-frozen-image-v2.sh` script to add support for variants
so we are able to build against more platforms.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-11-17 20:57:12 +01:00
CrazyMax
4f1d1422de
integration: download busybox-w32 from GitHub Release
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-10-24 19:11:16 +02:00
Sebastiaan van Stijn
e2114731e7
contrib: make dockerd-rootless-setuptool.sh more robust
The `docker` CLI currently doesn't handle situations where the current context
(as defined in `~/.docker/config.json`) is invalid or doesn't exist. As loading
(and checking) the context happens during initialization of the CLI, this
prevents `docker context` commands from being used, which makes it complicated
to fix the situation. For example, running `docker context use <correct context>`
would fail, which makes it not possible to update the `~/.docker/config.json`,
unless doing so manually.

For example, given the following `~/.docker/config.json`:

```json
{
        "currentContext": "nosuchcontext"
}
```

All of the commands below fail:

```bash
docker context inspect rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context rm --force rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context use default
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json
```

While these things should be fixed, this patch updates the script to switch
the context using the `--context` flag; this flag is taken into account when
initializing the CLI, so that having an invalid context configured won't
block `docker context` commands from being executed. Given that all `context`
commands are local operations, "any" context can be used (it doesn't need to
make a connection with the daemon).

With this patch, those commands can now be run (and won't fail for the wrong
reason);

```bash
 docker --context=default context inspect -f "{{.Name}}" rootless
rootless

docker --context=default context inspect -f "{{.Name}}" rootless-doesnt-exist
context "rootless-doesnt-exist" does not exist
```

One other issue may also cause things to fail during uninstall; trying to remove
a context that doesn't exist will fail (even with the `-f` / `--force` option
set);

```bash
docker --context=default context rm blablabla
Error: context "blablabla": not found
```

While this is "ok" in most circumstances, it also means that (potentially) the
current context is not reset to "default", so this patch adds an explicit
`docker context use`, as well as unsetting the `DOCKER_HOST` and `DOCKER_CONTEXT`
environment variables.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-28 15:35:04 +02:00
Yann Autissier
8ad8c6d887 fix debian sysvinit script fails to restart docker daemon when stopped
Fixes: #44130
Signed-off-by: Yann Autissier <yann.autissier@gmail.com>
2022-09-11 10:09:34 +00:00
Sebastiaan van Stijn
31fb92c609
linting: gosec: fix or suppress G112, G114 in test code
Updating test-code only; set ReadHeaderTimeout for some, or suppress the linter
error for others.

     contrib/httpserver/server.go:11:12: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        log.Panic(http.ListenAndServe(":80", nil))
                  ^
     integration/plugin/logging/cmd/close_on_start/main.go:42:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/discard/main.go:17:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     integration/plugin/volumes/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     testutil/fixtures/plugin/basic/basic.go:25:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     volume/testutils/testutils.go:170:5: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        go http.Serve(l, mux)
           ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-04 15:36:51 +02:00
CrazyMax
65fdd10d4e
ci(windows): move windows-2019 to another workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-26 14:25:09 +02:00
Jan Breig
bb69104381 Openrc: Depend on containerd init script
Signed-off-by: Jan Breig <git@pygos.space>
2022-06-01 15:09:52 +02:00
Sebastiaan van Stijn
219374e2cd
Merge pull request #43275 from kponichtera/43274-delve-debugger
Added Delve debugger to the development container
2022-05-10 18:34:45 +02:00
Konrad Ponichtera
4573cd9c30
Improved readability of the run hack script
Signed-off-by: Konrad Ponichtera <konpon96@gmail.com>
2022-05-10 11:57:39 +02:00
Konrad Ponichtera
7d328ea1d6
Added Delve debugger to the development container (including instructions in the contribution guide).
Signed-off-by: Konrad Ponichtera <konpon96@gmail.com>
2022-04-26 20:14:06 +02:00
Cory Snider
098a44c07f Finish refactor of UID/GID usage to a new struct
Finish the refactor which was partially completed with commit
34536c498d, passing around IdentityMapping structs instead of pairs of
[]IDMap slices.

Existing code which uses []IDMap relies on zero-valued fields to be
valid, empty mappings. So in order to successfully finish the
refactoring without introducing bugs, their replacement therefore also
needs to have a useful zero value which represents an empty mapping.
Change IdentityMapping to be a pass-by-value type so that there are no
nil pointers to worry about.

The functionality provided by the deprecated NewIDMappingsFromMaps
function is required by unit tests to to construct arbitrary
IdentityMapping values. And the daemon will always need to access the
mappings to pass them to the Linux kernel. Accommodate these use cases
by exporting the struct fields instead. BuildKit currently depends on
the UIDs and GIDs methods so we cannot get rid of them yet.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-03-14 16:28:57 -04:00
cuishuang
9efa8b3500 all: fix typos
Signed-off-by: cuishuang <imcusg@gmail.com>
2022-03-01 14:26:35 +08:00
Ryan Shea
2deec80dba fix(check-config.sh): Check for existence of /etc/os-release before sourcing
Signed-off-by: Ryan Shea <sheabot03@gmail.com>
2022-02-11 11:40:32 -07:00
Sebastiaan van Stijn
8308f749f2
Merge pull request #43061 from math2001/43020-use-rootless-after-setup
docker-rootless-setuptools.sh: use context after install
2022-01-04 15:54:37 +01:00
Michael Kuehn
60f868c263
Ensure system clock was set
Single-Board Computer and embedded systems might have a clock that is extremely out of sync with reality.
Adding this target ensures docker is only started after a somewhat realistic clock was set.
More information about the time-set.target can be found here: https://www.freedesktop.org/software/systemd/man/systemd.special.html#time-sync.target

Signed-off-by: Michael Kuehn <micha@kuehn.io>
2021-12-24 16:08:53 +01:00
Mathieu PATUREL
7c17ad8735 docker-rootless-setuptools.sh: use context after install
Signed-off-by: Mathieu PATUREL <mathieu.paturel@gmail.com>
2021-12-06 17:28:34 +11:00
Chenyang Yan
a8ce4d47c3 dockerd-rootless.sh: Fix variable not double quotes cause unexpected behavior
```
$ cat test.sh

echo "orign value=$XDG_RUNTIME_DIR"

echo "1. with [ ] not quote ..."
[ -w $XDG_RUNTIME_DIR ]
echo "get 1 ret_code: $?"

echo "2. with [ ] and quote ..."
[ -w "$XDG_RUNTIME_DIR" ]
echo "get 2 ret_code: $?"

$ sh ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1

$ bash ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1
```

Signed-off-by: Chenyang Yan <memory.yancy@gmail.com>
2021-10-18 00:11:03 +08:00
Sebastiaan van Stijn
686be57d0a
Update to Go 1.17.0, and gofmt with Go 1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-24 23:33:27 +02:00
Sebastiaan van Stijn
f68260ba22
Dockerfile: frozen images: update to bullseye, remove buildpack-dep
Update the frozen images to also be based on Debian bullseye. Using the "slim"
variant (which looks to have all we're currently using),  and remove the
buildpack-dep frozen image.

The buildpack-dep image is quite large, and it looks like we only use it to
compile some C binaries, which should work fine on a regular debian image;

    docker build -t debian:bullseye-slim-gcc -<<EOF
    FROM debian:bullseye-slim
    RUN apt-get update && apt-get install -y gcc libc6-dev --no-install-recommends
    EOF

    docker image ls

    REPOSITORY        TAG                 IMAGE ID       CREATED          SIZE
    debian            bullseye-slim-gcc   1851750242af   About a minute ago   255MB
    buildpack-deps    bullseye            fe8fece98de2   2 days ago           834MB

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 18:23:06 +02:00
Sebastiaan van Stijn
39a9d034f1
Merge pull request #41897 from gunadhya/f-Update_check_config
Updated check_config with cgroupv2 controllers
2021-07-29 13:56:25 +02:00
Tianon Gravi
a985655ac4 Move containerd.service from Requires= to Wants=
Per the systemd.unit documentation:

> If this unit gets activated, the units listed will be activated as well. If one of the other units fails to activate, and an ordering dependency After= on the failing unit is set, this unit will not be started. Besides, with or without specifying After=, this unit will be stopped if one of the other units is explicitly stopped.
>
> Often, it is a better choice to use Wants= instead of Requires= in order to achieve a system that is more robust when dealing with failing services.

This should also be generally "safe" given we added `--containerd=/run/containerd/containerd.sock` to the flags we pass to `dockerd`.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Anca Iordache <anca.iordache@docker.com>
2021-07-12 10:06:35 +00:00
gunadhya
aff02dbcaf Updated check_config
Signed-off-by: gunadhya <6939749+gunadhya@users.noreply.github.com>

Added cgroupv2 controller check

Modified comment
2021-07-09 09:24:24 +05:30