3518383ed9
The `--rootless` flag had a couple of issues:

* #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* #39009: euid=0 but $USER="docker" (rootful boot2docker)

To fix #38702, XDG dirs are ignored as in rootful Docker, unless the dockerd is directly running under RootlessKit namespaces.

RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.

To fix #39009, the non-robust `$USER` check is now completely removed.

The entire logic can be illustrated as follows:

```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```

Close #39024
Fix #38702 #39009

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
25 lines
591 B
Go
```go
package rootless // import "github.com/docker/docker/rootless"

import (
	"os"
	"sync"
)

const (
	// RootlessKitDockerProxyBinary is the binary name of rootlesskit-docker-proxy
	RootlessKitDockerProxyBinary = "rootlesskit-docker-proxy"
)

var (
	runningWithRootlessKit     bool
	runningWithRootlessKitOnce sync.Once
)

// RunningWithRootlessKit returns true if running under RootlessKit namespaces.
func RunningWithRootlessKit() bool {
	runningWithRootlessKitOnce.Do(func() {
		u := os.Getenv("ROOTLESSKIT_STATE_DIR")
		runningWithRootlessKit = u != ""
	})
	return runningWithRootlessKit
}
```
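The decision logic from the commit message, replayed over the two reported environments, as an added example that is not part of the Docker source. `Settings`, `Decide` and `env` are hypothetical names, the environment values are constructed, and the #38702 case assumes `--rootless` is passed on the command line.

```go
package main

import "fmt"

// Settings mirrors the names used in the commit message's pseudocode.
type Settings struct {
	WithRootlessKit, RootlessMode, HonorXDG bool
	UseRootlessKitDockerProxy               bool
	RemoveCgroupSpec, AdjustOOMScoreAdj     bool
}

// Decide is a hypothetical helper, not Docker code. The environment is passed
// as a lookup function so scenarios replay without touching the real process.
func Decide(getenv func(string) string, rootlessFlag bool) Settings {
	withKit := getenv("ROOTLESSKIT_STATE_DIR") != "" // the only env signal consulted
	mode := withKit || rootlessFlag
	return Settings{
		WithRootlessKit: withKit, RootlessMode: mode,
		HonorXDG: withKit, UseRootlessKitDockerProxy: withKit,
		RemoveCgroupSpec: mode, AdjustOOMScoreAdj: mode,
	}
}

// env builds a constructed environment from key/value pairs.
func env(kv ...string) func(string) string {
	m := map[string]string{}
	for i := 0; i+1 < len(kv); i += 2 {
		m[kv[i]] = kv[i+1]
	}
	return func(k string) string { return m[k] }
}

func main() {
	// Constructed scenarios; the state-dir path is a made-up sample value.
	cases := []struct {
		name   string
		getenv func(string) string
		flag   bool
	}{
		{"#38702 rootful-in-rootless, --rootless", env("USER", "root"), true},
		{"#39009 boot2docker, no flag", env("USER", "docker"), false},
		{"under RootlessKit", env("ROOTLESSKIT_STATE_DIR", "/tmp/rk-state"), false},
	}
	for _, c := range cases {
		fmt.Printf("%-40s %+v\n", c.name, Decide(c.getenv, c.flag))
	}
}
```

In the #38702 case the cgroup and OOM adjustments apply while XDG directories stay ignored, and in the #39009 case `$USER` has no influence on the outcome.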