8493fb18ae
The `--rootless` flag had a couple of issues:
* #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* #39009: euid=0 but $USER="docker" (rootful boot2docker)
To fix #38702, XDG dirs are ignored as in rootful Docker, unless the
dockerd is directly running under RootlessKit namespaces.
RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.
To fix #39009, the non-robust `$USER` check is now completely removed.
The entire logic can be illustrated as follows:
```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```
Close #39024
Fix #38702 #39009
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 3518383ed9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
// +build linux freebsd
package main
import (
"path/filepath"
"github.com/docker/docker/api/types"
"github.com/docker/docker/daemon/config"
"github.com/docker/docker/opts"
"github.com/docker/docker/pkg/homedir"
"github.com/spf13/pflag"
)
// getDefaultPidFile returns the daemon's default PID file location.
//
// In the rootful layout this is the fixed system path /var/run/docker.pid.
// When honorXDG is set (per the commit message, only when dockerd runs
// directly under RootlessKit, detected via $ROOTLESSKIT_STATE_DIR), the file
// is placed under the user's XDG runtime directory instead. If that directory
// cannot be resolved the error is returned and there is deliberately no
// fallback to the system path, so a rootless daemon never silently picks a
// root-owned location.
func getDefaultPidFile() (string, error) {
	const systemPidFile = "/var/run/docker.pid"

	if honorXDG {
		base, err := homedir.GetRuntimeDir()
		if err != nil {
			return "", err
		}
		return filepath.Join(base, "docker.pid"), nil
	}
	return systemPidFile, nil
}
// getDefaultDataRoot returns the default root directory for persistent
// daemon state (images, layers, volumes, ...).
//
// Rootful daemons use the fixed system path /var/lib/docker. When honorXDG is
// set (per the commit message, only when dockerd runs directly under
// RootlessKit, detected via $ROOTLESSKIT_STATE_DIR), a "docker" directory
// under the user's XDG data home is used instead. A failure to resolve that
// directory is returned as-is rather than falling back to the system path.
func getDefaultDataRoot() (string, error) {
	const systemDataRoot = "/var/lib/docker"

	if honorXDG {
		base, err := homedir.GetDataHome()
		if err != nil {
			return "", err
		}
		return filepath.Join(base, "docker"), nil
	}
	return systemDataRoot, nil
}
// getDefaultExecRoot returns the default directory for the daemon's
// runtime (non-persistent) state.
//
// Rootful daemons use the fixed system path /var/run/docker. When honorXDG is
// set (per the commit message, only when dockerd runs directly under
// RootlessKit, detected via $ROOTLESSKIT_STATE_DIR), a "docker" directory
// under the user's XDG runtime directory is used instead. A failure to
// resolve that directory is returned as-is rather than falling back to the
// system path.
func getDefaultExecRoot() (string, error) {
	const systemExecRoot = "/var/run/docker"

	if honorXDG {
		base, err := homedir.GetRuntimeDir()
		if err != nil {
			return "", err
		}
		return filepath.Join(base, "docker"), nil
	}
	return systemExecRoot, nil
}
// installUnixConfigFlags adds command-line options to the top-level flag parser for
// the current process that are common across Unix platforms.
//
// It also initialises conf.Runtimes, which --add-runtime populates, so the map
// is never nil when it is later read. Defaults an operator should be aware of:
//   - --group defaults to "docker". Anyone who can write to the daemon's unix
//     socket can drive the daemon, so membership of this group should be
//     treated as a privileged grant.
//   - --ip defaults to 0.0.0.0, i.e. published container ports bind on every
//     host interface unless narrowed.
//   - --icc defaults to true, so containers on the default bridge can reach
//     each other unless explicitly disabled.
func installUnixConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
	conf.Runtimes = make(map[string]types.Runtime)

	bridge := &conf.BridgeConfig

	// Unix socket ownership.
	flags.StringVarP(&conf.SocketGroup, "group", "G", "docker", "Group for the unix socket")

	// Default bridge network settings.
	flags.StringVar(&bridge.IP, "bip", "", "Specify network bridge IP")
	flags.StringVarP(&bridge.Iface, "bridge", "b", "", "Attach containers to a network bridge")
	flags.StringVar(&bridge.FixedCIDR, "fixed-cidr", "", "IPv4 subnet for fixed IPs")
	flags.Var(opts.NewIPOpt(&bridge.DefaultGatewayIPv4, ""), "default-gateway", "Container default gateway IPv4 address")
	flags.Var(opts.NewIPOpt(&bridge.DefaultGatewayIPv6, ""), "default-gateway-v6", "Container default gateway IPv6 address")
	flags.BoolVar(&bridge.InterContainerCommunication, "icc", true, "Enable inter-container communication")
	flags.Var(opts.NewIPOpt(&bridge.DefaultIP, "0.0.0.0"), "ip", "Default IP when binding container ports")

	// OCI runtime registration and selection.
	flags.Var(opts.NewNamedRuntimeOpt("runtimes", &conf.Runtimes, config.StockRuntimeName), "add-runtime", "Register an additional OCI compatible runtime")
	flags.StringVar(&conf.DefaultRuntime, "default-runtime", config.StockRuntimeName, "Default OCI runtime for containers")
}