Commit graph

12 commits

Author SHA1 Message Date
Akihiro Suda
8493fb18ae
dockerd: fix rootless detection (alternative to #39024)
The `--rootless` flag had a couple of issues:
* #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* #39009: euid=0 but $USER="docker" (rootful boot2docker)

To fix #38702, XDG dirs are ignored as in rootful Docker, unless the
dockerd is directly running under RootlessKit namespaces.

RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.

To fix #39009, the non-robust `$USER` check is now completely removed.

The entire logic can be illustrated as follows:

```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```

Close #39024
Fix #38702 #39009

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 3518383ed9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-05-13 15:31:31 -07:00
Akihiro Suda
ec87479b7e allow running dockerd in an unprivileged user namespace (rootless mode)
Please refer to `docs/rootless.md`.

TLDR:
 * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
 * `dockerd-rootless.sh --experimental`
 * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-04 00:24:27 +09:00
Daniel Nephin
4f0d95fa6e Add canonical import comment
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:51:57 -05:00
Vincent Demeester
de5c80b4f3
Remove Docker from some functions
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-10-25 14:39:51 +02:00
Vincent Demeester
6129e6ce3e Merge pull request #29697 from yuexiao-wang/fix-docker-daemon
Update docker daemon to dockerd
2017-01-04 11:55:38 +01:00
yuexiao-wang
62cc802f61 Update docker daemon to dockerd
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2016-12-27 17:32:15 +08:00
Vincent Demeester
c424be21b7
Clean some stuff from runconfig that are cli only…
… or could be in `opts` package. Having `runconfig/opts` and `opts`
doesn't really make sense and make it difficult to know where to put
some code.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-24 13:16:00 +01:00
yuexiao-wang
113cae5ba2 Change tls to TLS
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2016-12-20 22:08:07 +08:00
Tonis Tiigi
0a4a0d9800 Fix opts tests after default port fix
The code for default port was already there but
it didn’t work because split function errored out
before. This should be the desired behavior that
matches daemon listen address with swarm listen
address.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-06-21 17:14:55 -07:00
Tonis Tiigi
fb3eb1c27e Unify swarm init and update options
Add api side validation and defaults for init and
join requests.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-06-21 16:34:32 -07:00
John Starks
0906195fbb Windows: Add support for named pipe protocol
This adds an npipe protocol option for Windows hosts, akin to unix
sockets for Linux hosts. This should become the default transport
for Windows, but this change does not yet do that.

It also does not add support for the client side yet since that
code is in engine-api, which will have to be revendored separately.

Signed-off-by: John Starks <jostarks@microsoft.com>
2016-02-01 19:46:30 -08:00
Daniel Nephin
9b99591054 Move ParseDockerDaemonHost to opts/ package.
This function was only being used from a single place opts/opts.go. This
change moves it from a incohesive package (parsers) to the single place it
is used.

Also made a bunch of the helper methods private because they are not used
by any external modules.

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2015-12-15 20:53:17 -05:00