rootless: graduate from experimental

Close #40484

Note that the support for cgroup v2 isn't ready for production yet,
regardless to rootful or rootless.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

cmd/dockerd/daemon.go

@@ -102,20 +102,18 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
 
 	if cli.Config.Experimental {
 		logrus.Warn("Running experimental build")
-		if cli.Config.IsRootless() {
+	}
-			logrus.Warn("Running in rootless mode. Cgroups, AppArmor, and CRIU are disabled.")
+
-		}
+	if cli.Config.IsRootless() {
-		if rootless.RunningWithRootlessKit() {
+		logrus.Warn("Running in rootless mode. This mode has feature limitations.")
-			logrus.Info("Running with RootlessKit integration")
+	}
-			if !cli.Config.IsRootless() {
+	if rootless.RunningWithRootlessKit() {
-				return fmt.Errorf("rootless mode needs to be enabled for running with RootlessKit")
+		logrus.Info("Running with RootlessKit integration")
-			}
+		if !cli.Config.IsRootless() {
-		}
+			return fmt.Errorf("rootless mode needs to be enabled for running with RootlessKit")
-	} else {
-		if cli.Config.IsRootless() {
-			return fmt.Errorf("rootless mode is supported only when running in experimental mode")
 		}
 	}
+
 	// return human-friendly error before creating files
 	if runtime.GOOS == "linux" && os.Geteuid() != 0 {
 		return fmt.Errorf("dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation")

contrib/dockerd-rootless.sh

@@ -1,8 +1,7 @@
 #!/bin/sh
 # dockerd-rootless.sh executes dockerd in rootless mode.
 #
-# Usage: dockerd-rootless.sh --experimental [DOCKERD_OPTIONS]
+# Usage: dockerd-rootless.sh [DOCKERD_OPTIONS]
-# Currently, specifying --experimental is mandatory.
 #
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
@@ -11,7 +10,7 @@
 #   slirp4netns is used by default if installed. Otherwise fallsback to VPNKit.
 #   The default value can be overridden with $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic)
 #
-# See the documentation for the further information.
+# See the documentation for the further information: https://docs.docker.com/engine/security/rootless/
 
 set -e -x
 if ! [ -w $XDG_RUNTIME_DIR ]; then

hack/make/.integration-daemon-start

@@ -65,10 +65,6 @@ fi
 
 dockerd="dockerd"
 if [ -n "$DOCKER_ROOTLESS" ]; then
-	if [ -z "$DOCKER_EXPERIMENTAL" ]; then
-		echo >&2 '# DOCKER_ROOTLESS requires DOCKER_EXPERIMENTAL to be set'
-		exit 1
-	fi
 	if [ -z "$TEST_SKIP_INTEGRATION_CLI" ]; then
 		echo >&2 '# DOCKER_ROOTLESS requires TEST_SKIP_INTEGRATION_CLI to be set'
 		exit 1

hack/make/run

@@ -39,10 +39,6 @@ fi
 dockerd="dockerd"
 socket=/var/run/docker.sock
 if [ -n "$DOCKER_ROOTLESS" ]; then
-	if [ -z "$DOCKER_EXPERIMENTAL" ]; then
-		echo >&2 '# DOCKER_ROOTLESS requires DOCKER_EXPERIMENTAL to be set'
-		exit 1
-	fi
 	user="unprivilegeduser"
 	uid=$(id -u $user)
 	# shellcheck disable=SC2174

testutil/daemon/daemon.go

@@ -204,7 +204,7 @@ func New(t testing.TB, ops ...Option) *Daemon {
 				t.Skip("DOCKER_ROOTLESS doesn't support DOCKER_USERLANDPROXY=false")
 			}
 		}
-		ops = append(ops, WithRootlessUser("unprivilegeduser"), WithExperimental())
+		ops = append(ops, WithRootlessUser("unprivilegeduser"))
 	}
 
 	d, err := NewDaemon(dest, ops...)