From 85572cac14168f9dc3fc3d9daa5eae1ba00eddf4 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 25 Mar 2022 16:21:45 +0100 Subject: [PATCH] registry: remove dependency on rootlesskit, add `SetCertsDir()` The registry package contained code to automatically set the CertsDir() path, based on wether or not the daemon was running in rootlessmode. In doing so, it made use of the `pkg/rootless.RunningWithRootlessKit()` utility. A recent change in de6732a403af49a18c754bb9de0abf18ad48e3c8 added additional functionality in the `pkg/rootless` package, introducing a dependency on `github.com/rootless-containers/rootlesskit`. Unfortunately, the extra dependency also made its way into the docker cli, which also uses the registry package. This patch introduces a new `SetCertsDir()` function, which allows the default certs-directory to be overridden, and updates the daemon to configure this location during startup. Signed-off-by: Sebastiaan van Stijn --- cmd/dockerd/config_unix.go | 19 +++++++++++++++++++ cmd/dockerd/config_windows.go | 4 ++++ cmd/dockerd/docker.go | 1 + registry/config.go | 18 ++++++++++++++++++ registry/config_unix.go | 23 ++++------------------- registry/config_windows.go | 8 ++++---- 6 files changed, 50 insertions(+), 23 deletions(-) diff --git a/cmd/dockerd/config_unix.go b/cmd/dockerd/config_unix.go index 1fcc6f5aa7..d95977b68e 100644 --- a/cmd/dockerd/config_unix.go +++ b/cmd/dockerd/config_unix.go @@ -5,10 +5,13 @@ package main import ( "os/exec" + "path/filepath" "github.com/containerd/cgroups" "github.com/docker/docker/daemon/config" "github.com/docker/docker/opts" + "github.com/docker/docker/pkg/homedir" + "github.com/docker/docker/registry" "github.com/docker/docker/rootless" units "github.com/docker/go-units" "github.com/pkg/errors" @@ -49,6 +52,11 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error { if err != nil { return errors.Wrapf(err, "running with RootlessKit, but %s not installed", rootless.RootlessKitDockerProxyBinary) } + + configHome, err := homedir.GetConfigHome() + if err == nil { + registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d")) + } } flags.StringVar(&conf.BridgeConfig.UserlandProxyPath, "userland-proxy-path", defaultUserlandProxyPath, "Path to the userland proxy binary") flags.StringVar(&conf.CgroupParent, "cgroup-parent", "", "Set parent cgroup for all containers") @@ -74,3 +82,14 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error { flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", string(defaultCgroupNamespaceMode), `Default mode for containers cgroup namespace ("host" | "private")`) return nil } + +// configureCertsDir configures registry.CertsDir() depending on if the daemon +// is running in rootless mode or not. +func configureCertsDir() { + if rootless.RunningWithRootlessKit() { + configHome, err := homedir.GetConfigHome() + if err == nil { + registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d")) + } + } +} diff --git a/cmd/dockerd/config_windows.go b/cmd/dockerd/config_windows.go index 88b76196dc..df96861066 100644 --- a/cmd/dockerd/config_windows.go +++ b/cmd/dockerd/config_windows.go @@ -33,3 +33,7 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error { flags.StringVarP(&conf.SocketGroup, "group", "G", "", "Users or groups that can access the named pipe") return nil } + +// configureCertsDir configures registry.CertsDir() depending on if the daemon +// is running in rootless mode or not. On Windows, it is a no-op. +func configureCertsDir() {} diff --git a/cmd/dockerd/docker.go b/cmd/dockerd/docker.go index 647da5a4dc..2a198e1c87 100644 --- a/cmd/dockerd/docker.go +++ b/cmd/dockerd/docker.go @@ -45,6 +45,7 @@ func newDaemonCommand() (*cobra.Command, error) { return nil, err } flags.StringVar(&opts.configFile, "config-file", defaultDaemonConfigFile, "Daemon configuration file") + configureCertsDir() opts.InstallFlags(flags) if err := installConfigFlags(opts.daemonConfig, flags); err != nil { return nil, err diff --git a/registry/config.go b/registry/config.go index 0d92a52813..2766306ac2 100644 --- a/registry/config.go +++ b/registry/config.go @@ -59,8 +59,26 @@ var ( // for mocking in unit tests lookupIP = net.LookupIP + + // certsDir is used to override defaultCertsDir. + certsDir string ) +// SetCertsDir allows the default certs directory to be changed. This function +// is used at daemon startup to set the correct location when running in +// rootless mode. +func SetCertsDir(path string) { + certsDir = path +} + +// CertsDir is the directory where certificates are stored. +func CertsDir() string { + if certsDir != "" { + return certsDir + } + return defaultCertsDir +} + // newServiceConfig returns a new instance of ServiceConfig func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { config := &serviceConfig{} diff --git a/registry/config_unix.go b/registry/config_unix.go index b5bb31cfa6..898c6b8a5b 100644 --- a/registry/config_unix.go +++ b/registry/config_unix.go @@ -3,25 +3,10 @@ package registry // import "github.com/docker/docker/registry" -import ( - "path/filepath" - - "github.com/docker/docker/pkg/homedir" - "github.com/docker/docker/rootless" -) - -// CertsDir is the directory where certificates are stored -func CertsDir() string { - d := "/etc/docker/certs.d" - - if rootless.RunningWithRootlessKit() { - configHome, err := homedir.GetConfigHome() - if err == nil { - d = filepath.Join(configHome, "docker/certs.d") - } - } - return d -} +// defaultCertsDir is the platform-specific default directory where certificates +// are stored. On Linux, it may be overridden through certsDir, for example, when +// running in rootless mode. +const defaultCertsDir = "/etc/docker/certs.d" // cleanPath is used to ensure that a directory name is valid on the target // platform. It will be passed in something *similar* to a URL such as diff --git a/registry/config_windows.go b/registry/config_windows.go index 4ae1e07abf..96f1769c69 100644 --- a/registry/config_windows.go +++ b/registry/config_windows.go @@ -6,10 +6,10 @@ import ( "strings" ) -// CertsDir is the directory where certificates are stored -func CertsDir() string { - return os.Getenv("programdata") + `\docker\certs.d` -} +// defaultCertsDir is the platform-specific default directory where certificates +// are stored. On Linux, it may be overridden through certsDir, for example, when +// running in rootless mode. +var defaultCertsDir = os.Getenv("programdata") + `\docker\certs.d` // cleanPath is used to ensure that a directory name is valid on the target // platform. It will be passed in something *similar* to a URL such as