3518383ed9
The `--rootless` flag had a couple of issues: * #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker) * #39009: euid=0 but $USER="docker" (rootful boot2docker) To fix #38702, XDG dirs are ignored as in rootful Docker, unless the dockerd is directly running under RootlessKit namespaces. RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set. To fix #39009, the non-robust `$USER` check is now completely removed. The entire logic can be illustrated as follows: ``` withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR") rootlessMode := withRootlessKit || cliFlag("--rootless") honorXDG := withRootlessKit useRootlessKitDockerProxy := withRootlessKit removeCgroupSpec := rootlessMode adjustOOMScoreAdj := rootlessMode ``` Close #39024 Fix #38702 #39009 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
100 lines
2.7 KiB
Go
100 lines
2.7 KiB
Go
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
|
|
"github.com/docker/docker/cli"
|
|
"github.com/docker/docker/daemon/config"
|
|
"github.com/docker/docker/dockerversion"
|
|
"github.com/docker/docker/pkg/jsonmessage"
|
|
"github.com/docker/docker/pkg/reexec"
|
|
"github.com/docker/docker/pkg/term"
|
|
"github.com/docker/docker/rootless"
|
|
"github.com/moby/buildkit/util/apicaps"
|
|
"github.com/sirupsen/logrus"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
var (
|
|
honorXDG bool
|
|
)
|
|
|
|
func newDaemonCommand() (*cobra.Command, error) {
|
|
opts := newDaemonOptions(config.New())
|
|
|
|
cmd := &cobra.Command{
|
|
Use: "dockerd [OPTIONS]",
|
|
Short: "A self-sufficient runtime for containers.",
|
|
SilenceUsage: true,
|
|
SilenceErrors: true,
|
|
Args: cli.NoArgs,
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
opts.flags = cmd.Flags()
|
|
return runDaemon(opts)
|
|
},
|
|
DisableFlagsInUseLine: true,
|
|
Version: fmt.Sprintf("%s, build %s", dockerversion.Version, dockerversion.GitCommit),
|
|
}
|
|
cli.SetupRootCommand(cmd)
|
|
|
|
flags := cmd.Flags()
|
|
flags.BoolP("version", "v", false, "Print version information and quit")
|
|
defaultDaemonConfigFile, err := getDefaultDaemonConfigFile()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
flags.StringVar(&opts.configFile, "config-file", defaultDaemonConfigFile, "Daemon configuration file")
|
|
opts.InstallFlags(flags)
|
|
if err := installConfigFlags(opts.daemonConfig, flags); err != nil {
|
|
return nil, err
|
|
}
|
|
installServiceFlags(flags)
|
|
|
|
return cmd, nil
|
|
}
|
|
|
|
func init() {
|
|
if dockerversion.ProductName != "" {
|
|
apicaps.ExportedProduct = dockerversion.ProductName
|
|
}
|
|
// When running with RootlessKit, $XDG_RUNTIME_DIR, $XDG_DATA_HOME, and $XDG_CONFIG_HOME needs to be
|
|
// honored as the default dirs, because we are unlikely to have permissions to access the system-wide
|
|
// directories.
|
|
//
|
|
// Note that even running with --rootless, when not running with RootlessKit, honorXDG needs to be kept false,
|
|
// because the system-wide directories in the current mount namespace are expected to be accessible.
|
|
// ("rootful" dockerd in rootless dockerd, #38702)
|
|
honorXDG = rootless.RunningWithRootlessKit()
|
|
}
|
|
|
|
func main() {
|
|
if reexec.Init() {
|
|
return
|
|
}
|
|
|
|
// initial log formatting; this setting is updated after the daemon configuration is loaded.
|
|
logrus.SetFormatter(&logrus.TextFormatter{
|
|
TimestampFormat: jsonmessage.RFC3339NanoFixed,
|
|
FullTimestamp: true,
|
|
})
|
|
|
|
// Set terminal emulation based on platform as required.
|
|
_, stdout, stderr := term.StdStreams()
|
|
|
|
initLogging(stdout, stderr)
|
|
|
|
onError := func(err error) {
|
|
fmt.Fprintf(stderr, "%s\n", err)
|
|
os.Exit(1)
|
|
}
|
|
|
|
cmd, err := newDaemonCommand()
|
|
if err != nil {
|
|
onError(err)
|
|
}
|
|
cmd.SetOutput(stdout)
|
|
if err := cmd.Execute(); err != nil {
|
|
onError(err)
|
|
}
|
|
}
|