moby/cmd/dockerd/docker.go
Akihiro Suda 8493fb18ae
dockerd: fix rootless detection (alternative to #39024)
The `--rootless` flag had a couple of issues:
* #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* #39009: euid=0 but $USER="docker" (rootful boot2docker)

To fix #38702, XDG dirs are ignored as in rootful Docker, unless the
dockerd is directly running under RootlessKit namespaces.

RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.

To fix #39009, the non-robust `$USER` check is now completely removed.

The entire logic can be illustrated as follows:

```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```

Close #39024
Fix #38702 #39009

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 3518383ed9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-05-13 15:31:31 -07:00

100 lines
2.7 KiB
Go

package main
import (
"fmt"
"os"
"github.com/docker/docker/cli"
"github.com/docker/docker/daemon/config"
"github.com/docker/docker/dockerversion"
"github.com/docker/docker/pkg/jsonmessage"
"github.com/docker/docker/pkg/reexec"
"github.com/docker/docker/pkg/term"
"github.com/docker/docker/rootless"
"github.com/moby/buildkit/util/apicaps"
"github.com/sirupsen/logrus"
"github.com/spf13/cobra"
)
var (
honorXDG bool
)
func newDaemonCommand() (*cobra.Command, error) {
opts := newDaemonOptions(config.New())
cmd := &cobra.Command{
Use: "dockerd [OPTIONS]",
Short: "A self-sufficient runtime for containers.",
SilenceUsage: true,
SilenceErrors: true,
Args: cli.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
opts.flags = cmd.Flags()
return runDaemon(opts)
},
DisableFlagsInUseLine: true,
Version: fmt.Sprintf("%s, build %s", dockerversion.Version, dockerversion.GitCommit),
}
cli.SetupRootCommand(cmd)
flags := cmd.Flags()
flags.BoolP("version", "v", false, "Print version information and quit")
defaultDaemonConfigFile, err := getDefaultDaemonConfigFile()
if err != nil {
return nil, err
}
flags.StringVar(&opts.configFile, "config-file", defaultDaemonConfigFile, "Daemon configuration file")
opts.InstallFlags(flags)
if err := installConfigFlags(opts.daemonConfig, flags); err != nil {
return nil, err
}
installServiceFlags(flags)
return cmd, nil
}
func init() {
if dockerversion.ProductName != "" {
apicaps.ExportedProduct = dockerversion.ProductName
}
// When running with RootlessKit, $XDG_RUNTIME_DIR, $XDG_DATA_HOME, and $XDG_CONFIG_HOME needs to be
// honored as the default dirs, because we are unlikely to have permissions to access the system-wide
// directories.
//
// Note that even running with --rootless, when not running with RootlessKit, honorXDG needs to be kept false,
// because the system-wide directories in the current mount namespace are expected to be accessible.
// ("rootful" dockerd in rootless dockerd, #38702)
honorXDG = rootless.RunningWithRootlessKit()
}
func main() {
if reexec.Init() {
return
}
// initial log formatting; this setting is updated after the daemon configuration is loaded.
logrus.SetFormatter(&logrus.TextFormatter{
TimestampFormat: jsonmessage.RFC3339NanoFixed,
FullTimestamp: true,
})
// Set terminal emulation based on platform as required.
_, stdout, stderr := term.StdStreams()
initLogging(stdout, stderr)
onError := func(err error) {
fmt.Fprintf(stderr, "%s\n", err)
os.Exit(1)
}
cmd, err := newDaemonCommand()
if err != nil {
onError(err)
}
cmd.SetOutput(stdout)
if err := cmd.Execute(); err != nil {
onError(err)
}
}