registry: remove dependency on rootlesskit, add `SetCertsDir()`

The registry package contained code to automatically set the CertsDir() path, based on wether or not the daemon was running in rootlessmode. In doing so, it made use of the `pkg/rootless.RunningWithRootlessKit()` utility. A recent change in de6732a403 added additional functionality in the `pkg/rootless` package, introducing a dependency on `github.com/rootless-containers/rootlesskit`. Unfortunately, the extra dependency also made its way into the docker cli, which also uses the registry package. This patch introduces a new `SetCertsDir()` function, which allows the default certs-directory to be overridden, and updates the daemon to configure this location during startup. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-25 16:21:45 +01:00 · 2022-03-25 16:21:45 +01:00 · 85572cac14
parent 0a3336fd7d
commit 85572cac14
6 changed files with 50 additions and 23 deletions
--- a/cmd/dockerd/config_unix.go
+++ b/cmd/dockerd/config_unix.go
@ -5,10 +5,13 @@ package main

 import (
 	"os/exec"
+	"path/filepath"

 	"github.com/containerd/cgroups"
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/opts"
+	"github.com/docker/docker/pkg/homedir"
+	"github.com/docker/docker/registry"
 	"github.com/docker/docker/rootless"
 	units "github.com/docker/go-units"
 	"github.com/pkg/errors"
@ -49,6 +52,11 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 		if err != nil {
 			return errors.Wrapf(err, "running with RootlessKit, but %s not installed", rootless.RootlessKitDockerProxyBinary)
 		}
+
+		configHome, err := homedir.GetConfigHome()
+		if err == nil {
+			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
+		}
 	}
 	flags.StringVar(&conf.BridgeConfig.UserlandProxyPath, "userland-proxy-path", defaultUserlandProxyPath, "Path to the userland proxy binary")
 	flags.StringVar(&conf.CgroupParent, "cgroup-parent", "", "Set parent cgroup for all containers")
@ -74,3 +82,14 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", string(defaultCgroupNamespaceMode), `Default mode for containers cgroup namespace ("host" | "private")`)
 	return nil
 }
+
+// configureCertsDir configures registry.CertsDir() depending on if the daemon
+// is running in rootless mode or not.
+func configureCertsDir() {
+	if rootless.RunningWithRootlessKit() {
+		configHome, err := homedir.GetConfigHome()
+		if err == nil {
+			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
+		}
+	}
+}
--- a/cmd/dockerd/config_windows.go
+++ b/cmd/dockerd/config_windows.go
@ -33,3 +33,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
 	flags.StringVarP(&conf.SocketGroup, "group", "G", "", "Users or groups that can access the named pipe")
 	return nil
 }
+
+// configureCertsDir configures registry.CertsDir() depending on if the daemon
+// is running in rootless mode or not. On Windows, it is a no-op.
+func configureCertsDir() {}
--- a/cmd/dockerd/docker.go
+++ b/cmd/dockerd/docker.go
@ -45,6 +45,7 @@ func newDaemonCommand() (*cobra.Command, error) {
 		return nil, err
 	}
 	flags.StringVar(&opts.configFile, "config-file", defaultDaemonConfigFile, "Daemon configuration file")
+	configureCertsDir()
 	opts.InstallFlags(flags)
 	if err := installConfigFlags(opts.daemonConfig, flags); err != nil {
 		return nil, err
--- a/registry/config.go
+++ b/registry/config.go
@ -59,8 +59,26 @@ var (

 	// for mocking in unit tests
 	lookupIP = net.LookupIP
+
+	// certsDir is used to override defaultCertsDir.
+	certsDir string
 )

+// SetCertsDir allows the default certs directory to be changed. This function
+// is used at daemon startup to set the correct location when running in
+// rootless mode.
+func SetCertsDir(path string) {
+	certsDir = path
+}
+
+// CertsDir is the directory where certificates are stored.
+func CertsDir() string {
+	if certsDir != "" {
+		return certsDir
+	}
+	return defaultCertsDir
+}
+
 // newServiceConfig returns a new instance of ServiceConfig
 func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
 	config := &serviceConfig{}
--- a/registry/config_unix.go
+++ b/registry/config_unix.go
@ -3,25 +3,10 @@

 package registry // import "github.com/docker/docker/registry"

-import (
-	"path/filepath"
-
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/docker/docker/rootless"
-)
-
-// CertsDir is the directory where certificates are stored
-func CertsDir() string {
-	d := "/etc/docker/certs.d"
-
-	if rootless.RunningWithRootlessKit() {
-		configHome, err := homedir.GetConfigHome()
-		if err == nil {
-			d = filepath.Join(configHome, "docker/certs.d")
-		}
-	}
-	return d
-}
+// defaultCertsDir is the platform-specific default directory where certificates
+// are stored. On Linux, it may be overridden through certsDir, for example, when
+// running in rootless mode.
+const defaultCertsDir = "/etc/docker/certs.d"

 // cleanPath is used to ensure that a directory name is valid on the target
 // platform. It will be passed in something *similar* to a URL such as
--- a/registry/config_windows.go
+++ b/registry/config_windows.go
@ -6,10 +6,10 @@ import (
 	"strings"
 )

-// CertsDir is the directory where certificates are stored
-func CertsDir() string {
-	return os.Getenv("programdata") + `\docker\certs.d`
-}
+// defaultCertsDir is the platform-specific default directory where certificates
+// are stored. On Linux, it may be overridden through certsDir, for example, when
+// running in rootless mode.
+var defaultCertsDir = os.Getenv("programdata") + `\docker\certs.d`

 // cleanPath is used to ensure that a directory name is valid on the target
 // platform. It will be passed in something *similar* to a URL such as