registry: remove dependency on rootlesskit, add SetCertsDir()

The registry package contained code to automatically set the CertsDir() path, based on wether or not the daemon was running in rootlessmode. In doing so, it made use of the `pkg/rootless.RunningWithRootlessKit()` utility. A recent change in de6732a403 added additional functionality in the `pkg/rootless` package, introducing a dependency on `github.com/rootless-containers/rootlesskit`. Unfortunately, the extra dependency also made its way into the docker cli, which also uses the registry package. This patch introduces a new `SetCertsDir()` function, which allows the default certs-directory to be overridden, and updates the daemon to configure this location during startup. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-09 12:21:53 -05:00 · 2022-03-25 16:21:45 +01:00 · 2022-03-25 16:21:45 +01:00 · 85572cac14
commit 85572cac14
parent 0a3336fd7d
6 changed files with 50 additions and 23 deletions
--- a/cmd/dockerd/config_unix.go
+++ b/cmd/dockerd/config_unix.go
@ -5,10 +5,13 @@ package main

 import (
 	"os/exec"
+	"path/filepath"

 	"github.com/containerd/cgroups"
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/docker/docker/registry"
 	"github.com/docker/docker/rootless"
 	units "github.com/docker/go-units"
 	"github.com/pkg/errors"
@ -49,6 +52,11 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 		if err != nil {
 			return errors.Wrapf(err, "running with RootlessKit, but %s not installed", rootless.RootlessKitDockerProxyBinary)
 		}
+
+		configHome, err := homedir.GetConfigHome()
+		if err == nil {
+			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
+		}
 	}
 	flags.StringVar(&conf.BridgeConfig.UserlandProxyPath, "userland-proxy-path", defaultUserlandProxyPath, "Path to the userland proxy binary")
 	flags.StringVar(&conf.CgroupParent, "cgroup-parent", "", "Set parent cgroup for all containers")
@ -74,3 +82,14 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", string(defaultCgroupNamespaceMode), `Default mode for containers cgroup namespace ("host" | "private")`)
 	return nil
 }
+
+// configureCertsDir configures registry.CertsDir() depending on if the daemon
+// is running in rootless mode or not.
+func configureCertsDir() {
+	if rootless.RunningWithRootlessKit() {
+		configHome, err := homedir.GetConfigHome()
+		if err == nil {
+			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
+		}
+	}
+}
--- a/cmd/dockerd/config_windows.go
+++ b/cmd/dockerd/config_windows.go
@ -33,3 +33,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	flags.StringVarP(&conf.SocketGroup, "group", "G", "", "Users or groups that can access the named pipe")
 	return nil
 }
+
+// configureCertsDir configures registry.CertsDir() depending on if the daemon
+// is running in rootless mode or not. On Windows, it is a no-op.
+func configureCertsDir() {}
--- a/cmd/dockerd/docker.go
+++ b/cmd/dockerd/docker.go
@ -45,6 +45,7 @@ func newDaemonCommand() (*cobra.Command, error) {
 		return nil, err
 	}
 	flags.StringVar(&opts.configFile, "config-file", defaultDaemonConfigFile, "Daemon configuration file")
+	configureCertsDir()
 	opts.InstallFlags(flags)
 	if err := installConfigFlags(opts.daemonConfig, flags); err != nil {
 		return nil, err
--- a/registry/config.go
+++ b/registry/config.go
@ -59,8 +59,26 @@ var (

 	// for mocking in unit tests
 	lookupIP = net.LookupIP
+
+	// certsDir is used to override defaultCertsDir.
+	certsDir string
 )

+// SetCertsDir allows the default certs directory to be changed. This function
+// is used at daemon startup to set the correct location when running in
+// rootless mode.
+func SetCertsDir(path string) {
+	certsDir = path
+}
+
+// CertsDir is the directory where certificates are stored.
+func CertsDir() string {
+	if certsDir != "" {
+		return certsDir
+	}
+	return defaultCertsDir
+}
+
 // newServiceConfig returns a new instance of ServiceConfig
 func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
 	config := &serviceConfig{}
--- a/registry/config_unix.go
+++ b/registry/config_unix.go
@ -3,25 +3,10 @@

 package registry // import "github.com/docker/docker/registry"

-import (
-	"path/filepath"
-
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/docker/docker/rootless"
-)
-
-// CertsDir is the directory where certificates are stored
-func CertsDir() string {
-	d := "/etc/docker/certs.d"
-
-	if rootless.RunningWithRootlessKit() {
-		configHome, err := homedir.GetConfigHome()
-		if err == nil {
-			d = filepath.Join(configHome, "docker/certs.d")
-		}
-	}
-	return d
-}
+// defaultCertsDir is the platform-specific default directory where certificates
+// are stored. On Linux, it may be overridden through certsDir, for example, when
+// running in rootless mode.
+const defaultCertsDir = "/etc/docker/certs.d"

 // cleanPath is used to ensure that a directory name is valid on the target
 // platform. It will be passed in something *similar* to a URL such as
--- a/registry/config_windows.go
+++ b/registry/config_windows.go
@ -6,10 +6,10 @@ import (
 	"strings"
 )

-// CertsDir is the directory where certificates are stored
-func CertsDir() string {
-	return os.Getenv("programdata") + `\docker\certs.d`
-}
+// defaultCertsDir is the platform-specific default directory where certificates
+// are stored. On Linux, it may be overridden through certsDir, for example, when
+// running in rootless mode.
+var defaultCertsDir = os.Getenv("programdata") + `\docker\certs.d`

 // cleanPath is used to ensure that a directory name is valid on the target
 // platform. It will be passed in something *similar* to a URL such as