Commit graph

2122 commits

Author SHA1 Message Date
Tianon Gravi
f740890881
Remove Upstart scripts
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit 0d8087fbbc)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-21 12:00:40 -06:00
Tianon Gravi
0c01c0d57c
Remove Upstart and cgroups bits from Debian sysvinit script
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Additionally, this removes the "cgroups v1" setup code because it's more reasonable now for us to expect something _else_ to have set up cgroups appropriately (especially cgroups v2).

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit ae737656f9)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-21 12:00:28 -06:00
Bjorn Neergaard
88049124e4
contrib/check-config: move xt_bpf check to overlay section
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 800ea039ec)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-06 16:49:26 -06:00
Bjorn Neergaard
028a8d421a
contrib/check-config: check for xt_bpf
We omit xt_u32 as it's optional; since we will remove support for this
module in the future, it's simpler to check for xt_bpf, which will
become the new baseline.

Related issues:
* https://github.com/microsoft/WSL/issues/10029#issuecomment-1574440255
* https://github.com/docker/for-win/issues/13450#issuecomment-1574443139

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 1910fdde81)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-06 16:49:24 -06:00
kpcyrd
3731ce10d4
Fix argument quoting bugs in dockerd-rootless.sh
Signed-off-by: kpcyrd <git@rxv.cc>
(cherry picked from commit 7fe0f73838)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-14 01:26:56 +02:00
Akihiro Suda
09fbbd5677
docker-rootless-setuptools.sh: improve readability of messages
Before:
```console
$ docker-rootless-setuptool.sh install
...
[INFO] Use CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/usr/local/bin:$PATH
Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock
```

After:
```console
$ docker-rootless-setuptool.sh install
...
[INFO] Using CLI context "rootless"
Current context is now "rootless"

[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/usr/local/bin:$PATH

[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1001/docker.sock
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 4aa2876c75)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-04-07 10:08:16 +09:00
Paweł Gronowski
42751cc892
contrib/dockerize-disk.sh: Fix indentation
Reported by shfmt

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit a0741cacef)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-14 11:58:45 +01:00
CrazyMax
3768c71d9e
Dockerfile: variant support in frozen-images stage
using TARGETVARIANT in frozen-images stage implies changes in
`download-frozen-image-v2.sh` script to add support for variants
so we are able to build against more platforms.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 25dc760162)
2022-11-18 15:42:48 +01:00
CrazyMax
09a2f7a667
integration: download busybox-w32 from GitHub Release
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 4f1d1422de)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-24 17:04:10 -04:00
Sebastiaan van Stijn
fd0904805c
contrib: make dockerd-rootless-setuptool.sh more robust
The `docker` CLI currently doesn't handle situations where the current context
(as defined in `~/.docker/config.json`) is invalid or doesn't exist. As loading
(and checking) the context happens during initialization of the CLI, this
prevents `docker context` commands from being used, which makes it complicated
to fix the situation. For example, running `docker context use <correct context>`
would fail, which makes it not possible to update the `~/.docker/config.json`,
unless doing so manually.

For example, given the following `~/.docker/config.json`:

```json
{
        "currentContext": "nosuchcontext"
}
```

All of the commands below fail:

```bash
docker context inspect rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context rm --force rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context use default
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json
```

While these things should be fixed, this patch updates the script to switch
the context using the `--context` flag; this flag is taken into account when
initializing the CLI, so that having an invalid context configured won't
block `docker context` commands from being executed. Given that all `context`
commands are local operations, "any" context can be used (it doesn't need to
make a connection with the daemon).

With this patch, those commands can now be run (and won't fail for the wrong
reason);

```bash
 docker --context=default context inspect -f "{{.Name}}" rootless
rootless

docker --context=default context inspect -f "{{.Name}}" rootless-doesnt-exist
context "rootless-doesnt-exist" does not exist
```

One other issue may also cause things to fail during uninstall; trying to remove
a context that doesn't exist will fail (even with the `-f` / `--force` option
set);

```bash
docker --context=default context rm blablabla
Error: context "blablabla": not found
```

While this is "ok" in most circumstances, it also means that (potentially) the
current context is not reset to "default", so this patch adds an explicit
`docker context use`, as well as unsetting the `DOCKER_HOST` and `DOCKER_CONTEXT`
environment variables.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e2114731e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 10:03:30 +02:00
Yann Autissier
7f94f2b393
fix debian sysvinit script fails to restart docker daemon when stopped
Fixes: #44130
Signed-off-by: Yann Autissier <yann.autissier@gmail.com>
(cherry picked from commit 8ad8c6d887)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-21 16:32:57 +02:00
Sebastiaan van Stijn
2609d4e252
linting: gosec: fix or suppress G112, G114 in test code
Updating test-code only; set ReadHeaderTimeout for some, or suppress the linter
error for others.

     contrib/httpserver/server.go:11:12: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        log.Panic(http.ListenAndServe(":80", nil))
                  ^
     integration/plugin/logging/cmd/close_on_start/main.go:42:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/discard/main.go:17:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     integration/plugin/volumes/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     testutil/fixtures/plugin/basic/basic.go:25:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     volume/testutils/testutils.go:170:5: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        go http.Serve(l, mux)
           ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 31fb92c609)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 15:11:42 +02:00
CrazyMax
ee87eaf9ad
ci(windows): move windows-2019 to another workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 65fdd10d4e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-31 11:57:23 +02:00
Jan Breig
bb69104381 Openrc: Depend on containerd init script
Signed-off-by: Jan Breig <git@pygos.space>
2022-06-01 15:09:52 +02:00
Sebastiaan van Stijn
219374e2cd
Merge pull request #43275 from kponichtera/43274-delve-debugger
Added Delve debugger to the development container
2022-05-10 18:34:45 +02:00
Konrad Ponichtera
4573cd9c30
Improved readability of the run hack script
Signed-off-by: Konrad Ponichtera <konpon96@gmail.com>
2022-05-10 11:57:39 +02:00
Konrad Ponichtera
7d328ea1d6
Added Delve debugger to the development container (including instructions in the contribution guide).
Signed-off-by: Konrad Ponichtera <konpon96@gmail.com>
2022-04-26 20:14:06 +02:00
Cory Snider
098a44c07f Finish refactor of UID/GID usage to a new struct
Finish the refactor which was partially completed with commit
34536c498d, passing around IdentityMapping structs instead of pairs of
[]IDMap slices.

Existing code which uses []IDMap relies on zero-valued fields to be
valid, empty mappings. So in order to successfully finish the
refactoring without introducing bugs, their replacement therefore also
needs to have a useful zero value which represents an empty mapping.
Change IdentityMapping to be a pass-by-value type so that there are no
nil pointers to worry about.

The functionality provided by the deprecated NewIDMappingsFromMaps
function is required by unit tests to to construct arbitrary
IdentityMapping values. And the daemon will always need to access the
mappings to pass them to the Linux kernel. Accommodate these use cases
by exporting the struct fields instead. BuildKit currently depends on
the UIDs and GIDs methods so we cannot get rid of them yet.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-03-14 16:28:57 -04:00
cuishuang
9efa8b3500 all: fix typos
Signed-off-by: cuishuang <imcusg@gmail.com>
2022-03-01 14:26:35 +08:00
Ryan Shea
2deec80dba fix(check-config.sh): Check for existence of /etc/os-release before sourcing
Signed-off-by: Ryan Shea <sheabot03@gmail.com>
2022-02-11 11:40:32 -07:00
Sebastiaan van Stijn
8308f749f2
Merge pull request #43061 from math2001/43020-use-rootless-after-setup
docker-rootless-setuptools.sh: use context after install
2022-01-04 15:54:37 +01:00
Michael Kuehn
60f868c263
Ensure system clock was set
Single-Board Computer and embedded systems might have a clock that is extremely out of sync with reality.
Adding this target ensures docker is only started after a somewhat realistic clock was set.
More information about the time-set.target can be found here: https://www.freedesktop.org/software/systemd/man/systemd.special.html#time-sync.target

Signed-off-by: Michael Kuehn <micha@kuehn.io>
2021-12-24 16:08:53 +01:00
Mathieu PATUREL
7c17ad8735 docker-rootless-setuptools.sh: use context after install
Signed-off-by: Mathieu PATUREL <mathieu.paturel@gmail.com>
2021-12-06 17:28:34 +11:00
Chenyang Yan
a8ce4d47c3 dockerd-rootless.sh: Fix variable not double quotes cause unexpected behavior
```
$ cat test.sh

echo "orign value=$XDG_RUNTIME_DIR"

echo "1. with [ ] not quote ..."
[ -w $XDG_RUNTIME_DIR ]
echo "get 1 ret_code: $?"

echo "2. with [ ] and quote ..."
[ -w "$XDG_RUNTIME_DIR" ]
echo "get 2 ret_code: $?"

$ sh ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1

$ bash ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1
```

Signed-off-by: Chenyang Yan <memory.yancy@gmail.com>
2021-10-18 00:11:03 +08:00
Sebastiaan van Stijn
686be57d0a
Update to Go 1.17.0, and gofmt with Go 1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-24 23:33:27 +02:00
Sebastiaan van Stijn
f68260ba22
Dockerfile: frozen images: update to bullseye, remove buildpack-dep
Update the frozen images to also be based on Debian bullseye. Using the "slim"
variant (which looks to have all we're currently using),  and remove the
buildpack-dep frozen image.

The buildpack-dep image is quite large, and it looks like we only use it to
compile some C binaries, which should work fine on a regular debian image;

    docker build -t debian:bullseye-slim-gcc -<<EOF
    FROM debian:bullseye-slim
    RUN apt-get update && apt-get install -y gcc libc6-dev --no-install-recommends
    EOF

    docker image ls

    REPOSITORY        TAG                 IMAGE ID       CREATED          SIZE
    debian            bullseye-slim-gcc   1851750242af   About a minute ago   255MB
    buildpack-deps    bullseye            fe8fece98de2   2 days ago           834MB

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-20 18:23:06 +02:00
Sebastiaan van Stijn
39a9d034f1
Merge pull request #41897 from gunadhya/f-Update_check_config
Updated check_config with cgroupv2 controllers
2021-07-29 13:56:25 +02:00
Tianon Gravi
a985655ac4 Move containerd.service from Requires= to Wants=
Per the systemd.unit documentation:

> If this unit gets activated, the units listed will be activated as well. If one of the other units fails to activate, and an ordering dependency After= on the failing unit is set, this unit will not be started. Besides, with or without specifying After=, this unit will be stopped if one of the other units is explicitly stopped.
>
> Often, it is a better choice to use Wants= instead of Requires= in order to achieve a system that is more robust when dealing with failing services.

This should also be generally "safe" given we added `--containerd=/run/containerd/containerd.sock` to the flags we pass to `dockerd`.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Anca Iordache <anca.iordache@docker.com>
2021-07-12 10:06:35 +00:00
gunadhya
aff02dbcaf Updated check_config
Signed-off-by: gunadhya <6939749+gunadhya@users.noreply.github.com>

Added cgroupv2 controller check

Modified comment
2021-07-09 09:24:24 +05:30
Sebastiaan van Stijn
6d88407ac2
Merge pull request #42457 from AkihiroSuda/rootless-tumbleweed-etc-ssl
rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
2021-07-06 11:53:37 +02:00
dingwei
345a180a55 there is no file named mkimage-rinse.sh in contrib floder, should delete
it

Signed-off-by: dingwei <dingwei@cmss.chinamobile.com>
2021-06-28 17:36:34 +08:00
Sebastiaan van Stijn
52744fccdd
contrib: remove report-issue.sh script
I don't think this script was really used, and now that GitHub has
issue templates, it will diverge from the template we have configured,
so better to remove it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-23 10:17:43 +02:00
Akihiro Suda
8610d8ce4c
rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error,
as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`,
which was not supported by `rootlesskit --copy-up=/etc` .

See rootless-containers/rootlesskit issues 225

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-06-19 18:21:18 +09:00
Samuel Karp
a2343c8c4f
Merge pull request #42409 from joakimr-axis/joakimr-axis_noawk
contrib/check-config.sh: Remove awk dependency
2021-06-03 15:55:21 -07:00
Joakim Roubert
ffc6d8d3dd contrib/check-config.sh: Remove awk dependency
The awk dependency is an issue when running check-config.sh on systems
without awk. The use of awk can be replaced with sed, which improves
portability.

The PR code review discussion iterated via grep to this final sed
version that is all Tianon Gravi's art.

Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakim.roubert@axis.com>
2021-06-03 21:26:49 +02:00
Brian Goff
20eb137e0a
Merge pull request #42334 from AkihiroSuda/rootless-overlay2-k511-selinux
rootless: disable overlay2 if running with SELinux
2021-06-03 10:33:27 -07:00
Joakim Roubert
2865d17233 Update contrib/check-config.sh
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakimr@axis.com>
2021-05-27 09:21:17 +02:00
Joakim Roubert
f1e7d02a78 Update contrib/check-config.sh
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakimr@axis.com>
2021-05-27 09:21:17 +02:00
Joakim Roubert
0f77b22dbe Update contrib/check-config.sh
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Joakim Roubert <joakimr@axis.com>
2021-05-27 09:21:17 +02:00
Joakim Roubert
1ce955ec83 contrib/check-config.sh: Make script POSIX
On systems that do not have bash, the current bash-based
check-config.sh won't run. Making check-config.sh a POSIX shell script
instead makes it more portable.

Signed-off-by: Joakim Roubert <joakim.roubert@axis.com>
2021-05-25 13:48:42 +02:00
Sebastiaan van Stijn
35c1542ec7
contrib: remove unused "rpm" variant of systemd unit
This unit file was created when we packaged rpms without the
socket activation unit, but that's no longer the case.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-12 11:58:13 +02:00
Sebastiaan van Stijn
11dd2b79b9
Merge remote-tracking branch 'packaging_tmp/master' into upstream_systemd_units
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-12 11:57:30 +02:00
Tianon Gravi
5a82cee6d4
Merge pull request #42077 from WhyNotHugo/patch-1
rootless: Set service type to `notify`
2021-05-03 10:36:03 -07:00
Akihiro Suda
cdaf82ba3f
dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts
Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

e6fc34b71a/libpod/networking_linux.go (L396-L401)

Tested on Fedora 34

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-28 18:21:21 +09:00
Akihiro Suda
e928692c69
dockerd-rootless.sh: use command -v instead of which
`which` binary is often missing

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-23 14:47:18 +09:00
Sebastiaan van Stijn
82ba9b47ca
Merge pull request #42310 from WhyNotHugo/patch-2
Remove needless check
2021-04-22 21:08:28 +02:00
Hugo Barrera
3980d0462d Remove needless check
Starting `dockerd-rootless.sh` checks that `$HOME` is writeable, but does not
require it to be so.
Make the check more precise, and check that it actually exists and is a
directory.

Signed-off-by: Hugo Osvaldo Barrera <hugo@barrera.io>
2021-04-20 21:30:26 +02:00
Brett Milford
a0d1a1f78c Update contrib/nuke-graph-directory.sh
Signed-off-by: Brett Milford <brettmilford@gmail.com>
2021-04-09 10:05:35 +10:00
Brett Milford
398cb1dc4f Fixes subvol delete on a non-btrfs volume
Inode numbers are guaranteed to be unique only within a filesystem.
As such there is an edge case where these predicates are true on a
non-btrfs filesystem.

Closes #42271

Signed-off-by: Brett Milford <brettmilford@gmail.com>
2021-04-08 12:09:23 +10:00
Kenta Tada
b14bf43764 check-config.sh: add SELinux and AppArmor
This commit adds the check of SELinux and AppArmor as optional features.

Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2021-03-30 14:42:29 +09:00