Commit graph

2098 commits

Author SHA1 Message Date
Sebastiaan van Stijn
686be57d0a
Update to Go 1.17.0, and gofmt with Go 1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-24 23:33:27 +02:00
Sebastiaan van Stijn
f68260ba22
Dockerfile: frozen images: update to bullseye, remove buildpack-dep
Update the frozen images to also be based on Debian bullseye. Using the "slim"
variant (which looks to have all we're currently using),  and remove the
buildpack-dep frozen image.

The buildpack-dep image is quite large, and it looks like we only use it to
compile some C binaries, which should work fine on a regular debian image;

    docker build -t debian:bullseye-slim-gcc -<<EOF
    FROM debian:bullseye-slim
    RUN apt-get update && apt-get install -y gcc libc6-dev --no-install-recommends
    EOF

    docker image ls

    REPOSITORY        TAG                 IMAGE ID       CREATED          SIZE
    debian            bullseye-slim-gcc   1851750242af   About a minute ago   255MB
    buildpack-deps    bullseye            fe8fece98de2   2 days ago           834MB

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 18:23:06 +02:00
Sebastiaan van Stijn
39a9d034f1
Merge pull request #41897 from gunadhya/f-Update_check_config
Updated check_config with cgroupv2 controllers
2021-07-29 13:56:25 +02:00
Tianon Gravi
a985655ac4 Move containerd.service from Requires= to Wants=
Per the systemd.unit documentation:

> If this unit gets activated, the units listed will be activated as well. If one of the other units fails to activate, and an ordering dependency After= on the failing unit is set, this unit will not be started. Besides, with or without specifying After=, this unit will be stopped if one of the other units is explicitly stopped.
>
> Often, it is a better choice to use Wants= instead of Requires= in order to achieve a system that is more robust when dealing with failing services.

This should also be generally "safe" given we added `--containerd=/run/containerd/containerd.sock` to the flags we pass to `dockerd`.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Anca Iordache <anca.iordache@docker.com>
2021-07-12 10:06:35 +00:00
gunadhya
aff02dbcaf Updated check_config
Signed-off-by: gunadhya <6939749+gunadhya@users.noreply.github.com>

Added cgroupv2 controller check

Modified comment
2021-07-09 09:24:24 +05:30
Sebastiaan van Stijn
6d88407ac2
Merge pull request #42457 from AkihiroSuda/rootless-tumbleweed-etc-ssl
rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
2021-07-06 11:53:37 +02:00
dingwei
345a180a55 there is no file named mkimage-rinse.sh in contrib floder, should delete
it

Signed-off-by: dingwei <dingwei@cmss.chinamobile.com>
2021-06-28 17:36:34 +08:00
Sebastiaan van Stijn
52744fccdd
contrib: remove report-issue.sh script
I don't think this script was really used, and now that GitHub has
issue templates, it will diverge from the template we have configured,
so better to remove it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-23 10:17:43 +02:00
Akihiro Suda
8610d8ce4c
rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error,
as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`,
which was not supported by `rootlesskit --copy-up=/etc` .

See rootless-containers/rootlesskit issues 225

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-06-19 18:21:18 +09:00
Samuel Karp
a2343c8c4f
Merge pull request #42409 from joakimr-axis/joakimr-axis_noawk
contrib/check-config.sh: Remove awk dependency
2021-06-03 15:55:21 -07:00
Joakim Roubert
ffc6d8d3dd contrib/check-config.sh: Remove awk dependency
The awk dependency is an issue when running check-config.sh on systems
without awk. The use of awk can be replaced with sed, which improves
portability.

The PR code review discussion iterated via grep to this final sed
version that is all Tianon Gravi's art.

Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakim.roubert@axis.com>
2021-06-03 21:26:49 +02:00
Brian Goff
20eb137e0a
Merge pull request #42334 from AkihiroSuda/rootless-overlay2-k511-selinux
rootless: disable overlay2 if running with SELinux
2021-06-03 10:33:27 -07:00
Joakim Roubert
2865d17233 Update contrib/check-config.sh
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakimr@axis.com>
2021-05-27 09:21:17 +02:00
Joakim Roubert
f1e7d02a78 Update contrib/check-config.sh
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakimr@axis.com>
2021-05-27 09:21:17 +02:00
Joakim Roubert
0f77b22dbe Update contrib/check-config.sh
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakimr@axis.com>
2021-05-27 09:21:17 +02:00
Joakim Roubert
1ce955ec83 contrib/check-config.sh: Make script POSIX
On systems that do not have bash, the current bash-based
check-config.sh won't run. Making check-config.sh a POSIX shell script
instead makes it more portable.

Signed-off-by: Joakim Roubert <joakim.roubert@axis.com>
2021-05-25 13:48:42 +02:00
Sebastiaan van Stijn
35c1542ec7
contrib: remove unused "rpm" variant of systemd unit
This unit file was created when we packaged rpms without the
socket activation unit, but that's no longer the case.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-12 11:58:13 +02:00
Sebastiaan van Stijn
11dd2b79b9
Merge remote-tracking branch 'packaging_tmp/master' into upstream_systemd_units
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-12 11:57:30 +02:00
Tianon Gravi
5a82cee6d4
Merge pull request #42077 from WhyNotHugo/patch-1
rootless: Set service type to `notify`
2021-05-03 10:36:03 -07:00
Akihiro Suda
cdaf82ba3f
dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts
Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

e6fc34b71a/libpod/networking_linux.go (L396-L401)

Tested on Fedora 34

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-28 18:21:21 +09:00
Akihiro Suda
e928692c69
dockerd-rootless.sh: use command -v instead of which
`which` binary is often missing

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-23 14:47:18 +09:00
Sebastiaan van Stijn
82ba9b47ca
Merge pull request #42310 from WhyNotHugo/patch-2
Remove needless check
2021-04-22 21:08:28 +02:00
Hugo Barrera
3980d0462d Remove needless check
Starting `dockerd-rootless.sh` checks that `$HOME` is writeable, but does not
require it to be so.
Make the check more precise, and check that it actually exists and is a
directory.

Signed-off-by: Hugo Osvaldo Barrera <hugo@barrera.io>
2021-04-20 21:30:26 +02:00
Brett Milford
a0d1a1f78c Update contrib/nuke-graph-directory.sh
Signed-off-by: Brett Milford <brettmilford@gmail.com>
2021-04-09 10:05:35 +10:00
Brett Milford
398cb1dc4f Fixes subvol delete on a non-btrfs volume
Inode numbers are guaranteed to be unique only within a filesystem.
As such there is an edge case where these predicates are true on a
non-btrfs filesystem.

Closes #42271

Signed-off-by: Brett Milford <brettmilford@gmail.com>
2021-04-08 12:09:23 +10:00
Kenta Tada
b14bf43764 check-config.sh: add SELinux and AppArmor
This commit adds the check of SELinux and AppArmor as optional features.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2021-03-30 14:42:29 +09:00
Kenta Tada
1c72a68f2a check-config.sh: add SECCOMP_FILTER
The check of seccomp filter support was needed.

Ref: https://github.com/opencontainers/runc/pull/2867

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2021-03-23 11:16:25 +09:00
Akihiro Suda
f2f1c0fe38
dockerd-rootless-setuptool.sh: create CLI context "rootless"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-26 14:43:24 +09:00
Hugo Barrera
5f6db3a077 rootless: Set service type to notify
This mirrors what the non-rootless version does, and lets `systemd` understand
when the service is fully up and running.
`NotifyAccess=all` is required, since the main process is the wrapper script,
and it's the child process that emits the signal.

Signed-off-by: Hugo Osvaldo Barrera <hugo@barrera.io>
2021-02-25 14:44:25 +01:00
Sebastiaan van Stijn
328de0b8d9
Update documentation links
- Using "/go/" redirects for some topics, which allows us to
  redirect to new locations if topics are moved around in the
  documentation.
- Updated some old URLs to their new location.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-25 12:11:50 +01:00
Sebastiaan van Stijn
33f2add9b7
Merge pull request #41960 from AkihiroSuda/rootless-typo-guard
dockerd-rootless.sh: add typo guard
2021-02-24 22:12:27 +01:00
Sebastiaan van Stijn
e8227b1f0d
Merge pull request #42034 from AkihiroSuda/prohibit-rootless-as-root
dockerd-rootless.sh: prohibit running as root
2021-02-24 22:11:20 +01:00
Akihiro Suda
8dc6c109b5
dockerd-rootless.sh: add typo guard
`dockerd-rootless.sh install` is a common typo of `dockerd-rootless-setuptool.sh install`.

Now `dockerd-rootless.sh install` shows human-readable error.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-24 13:54:52 +09:00
Akihiro Suda
9351e19658
dockerd-rootless.sh: prohibit running as root
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-24 13:21:44 +09:00
Piotr Karbowski
e8ceb97646
check-config.sh: add NETFILTER_XT_MARK
Points out another symbol that Docker might need. in this case Docker's
mesh network in swarm mode does not route Virtual IPs if it's unset.

From /var/logs/docker.log:
time="2021-02-19T18:15:39+01:00" level=error msg="set up rule failed, [-t mangle -A INPUT -d 10.0.1.2/32 -j MARK --set-mark 257]:  (iptables failed: iptables --wait -t mang
le -A INPUT
-d 10.0.1.2/32 -j MARK --set-mark 257: iptables v1.8.7 (legacy): unknown option \"--set-mark\"\nTry `iptables -h' or 'iptables --help' for more information.\n (exit status 2))"

Bug: https://github.com/moby/libnetwork/issues/2227
Bug: https://github.com/docker/for-linux/issues/644
Bug: https://github.com/docker/for-linux/issues/525
Signed-off-by: Piotr Karbowski <piotr.karbowski@protonmail.ch>
2021-02-19 20:19:36 +01:00
Akihiro Suda
05566adf71
rootless: set systemd KillMode to mixed
Now `systemctl --user stop docker` completes just with in 1 or 2 seconds.

Fix issue 41944 ("Docker rootless does not exit properly if containers are running")

See systemd.kill(5) https://www.freedesktop.org/software/systemd/man/systemd.kill.html

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-01-28 15:19:43 +09:00
Kir Kolyshkin
06d9020fac contrib/check-config.sh: fix INET_XFRM_MODE_TRANSPORT
This parameter was removed by kernel commit 4c145dce260137,
which made its way to kernel v5.3-rc1. Since that commit,
the functionality is built-in (i.e. it is available as long
as CONFIG_XFRM is on).

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-12 13:55:13 -08:00
Kir Kolyshkin
18e0543587 contrib/check-config.sh: fix IOSCHED_CFQ CFQ_GROUP_IOSCHED
These config options are removed by kernel commit f382fb0bcef4,
which made its way into kernel v5.0-rc1.

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-12 13:55:12 -08:00
Kir Kolyshkin
070f9d9dd3 contrib/check-config.sh: fix MEMCG_SWAP_ENABLED
Kernel commit 2d1c498072de69e (which made its way into kernel v5.8-rc1)
removed CONFIG_MEMCG_SWAP_ENABLED Kconfig option, making swap accounting
always enabled (unless swapaccount=0 boot option is provided).

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-12 13:55:12 -08:00
Kir Kolyshkin
03da41152a contrib/check-config.sh: fix NF_NAT_NEEDED
CONFIG_NF_NAT_NEEDED was removed in kernel commit 4806e975729f99c7,
which made its way into v5.2-rc1. The functionality is now under
NF_NAT which we already check for.

Make the check for NF_NAT_NEEDED conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-12 13:55:12 -08:00
Kir Kolyshkin
eeb53c1f22 contrib/check-config.sh: fix NF_NAT_IPV4
CONFIG_NF_NAT_IPV4 was removed in kernel commit 3bf195ae6037e310,
which made its way into v5.1-rc1. The functionality is now under
NF_NAT which we already check for.

Make the check for NF_NAT_IPV4 conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-12 13:55:12 -08:00
Kir Kolyshkin
76b59065ae contrib/check-config.sh: support for cgroupv2
Before:

> Generally Necessary:
> - cgroup hierarchy: nonexistent??
>     (see https://github.com/tianon/cgroupfs-mount)

After:

> Generally Necessary:
> - cgroup hierarchy: cgroupv2

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-01-12 13:54:54 -08:00
Sebastiaan van Stijn
5458b0e435
Revert "Add multi-user.target to After="
This reverts commit 0ca7456e52,
which caused the docker service to not be starting, or delayed
starting the service in certain conditions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-12-10 15:04:00 +01:00
Sebastiaan van Stijn
273eae8a11 Revert "systemd: add multi-user.target to After list"
This reverts commit a65c65d801,
which caused the docker service to not be starting, or delayed
starting the service in certain conditions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-12-10 14:53:03 +01:00
Akihiro Suda
ab09458e21
dockerd-rootless-setuptool.sh: show more helpful error messages
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-24 15:10:27 +09:00
Michał Kosek
009639e0f4 Do not "Bind" docker "To" containerd.
relates to https://github.com/docker/for-linux/issues/678

When using the BindTo directive, Docker is permanently stopped by systemd
when containerd is temporarily killed and restarted;

Using `Requires` achieves mostly the same, but defines a weaker dependency;

https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=

> Requires=
>
> .. If this unit gets activated, the units listed will be activated as well.
> If one of the other units fails to activate, and an ordering dependency
> After= on the failing unit is set, this unit will not be started. Besides,
> with or without specifying After=, this unit will be stopped if one of the
> other units is explicitly stopped.

We may want to look into using `Wants=` instead of `Requires=`, because
that allows docker to continue running if containerd is restarted, quoting
the systemd documentation:

> Often, it is a better choice to use Wants= instead of Requires= in order
> to achieve a system that is more robust when dealing with failing services.

Given that docker will likely still fail if the containerd socket is not
present, startup will fail if containerd is not running, but if containerd
is restarted, the docker daemon may be able to try reconnecting.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-11-04 14:01:17 +01:00
Sebastiaan van Stijn
93bd2c1336
contrib: remove download-frozen-image-v1 script
I don't think we still had a use for this script, and if someone
needs this, it'll still be accessible in older tags/releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-28 16:32:00 +01:00
Brian Goff
73dc6a680c
Merge pull request #41440 from tianon/rm-mkimage.sh
Remove "mkimage.sh" and associated scripts
2020-10-20 12:19:47 -07:00
Tianon Gravi
a637034ee4
Merge pull request #41156 from AkihiroSuda/rootless-new-shim-socket-path
dockerd-rootless.sh: support new containerd shim socket path convention
2020-10-15 12:37:14 -07:00
Sebastiaan van Stijn
21578530d7 systemd: set OOMScoreAdjust for dockerd
dockerd currently sets the oom-score-adjust itself. This functionality
was added when we did not yet run dockerd as a systemd service.

Now that we do, it's better to instead have systemd handle this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-05 20:08:26 +02:00