rootless: expose ports automatically

Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with `--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`. This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`. The port number on the host namespace needs to be set to >= 1024. SCTP ports are currently unsupported. RootlessKit changes: 7bbbc48a6f...ed26714429 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-03-21 02:11:31 +09:00 · 2019-03-21 02:11:31 +09:00 · f0b405fbda
parent 6dfd5bd74f
commit f0b405fbda
6 changed files with 15 additions and 17 deletions
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@ -3,6 +3,8 @@
 #
 # Usage: dockerd-rootless.sh --experimental [DOCKERD_OPTIONS]
 # Currently, specifying --experimental is mandatory.
+# Also, to expose ports, you need to specify
+# --userland-proxy-path=/path/to/rootlesskit-docker-proxy
 #
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
@ -64,7 +66,7 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then
 	#         (by either systemd-networkd or NetworkManager)
 	# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace
 	$rootlesskit \
-		--net=$net --mtu=$mtu --disable-host-loopback \
+		--net=$net --mtu=$mtu --disable-host-loopback --port-driver=builtin \
 		--copy-up=/etc --copy-up=/run \
 		$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \
 		$0 $@
--- a/docs/rootless.md
+++ b/docs/rootless.md
@ -45,6 +45,8 @@ penguin:231072:65536
  * Apparmor
  * Checkpoint
  * Overlay network
+  * Exposing SCTP ports
+* To expose a TCP/UDP port, the host port number needs to be set to >= 1024.

 ## Usage

@ -53,9 +55,10 @@ penguin:231072:65536
 You need to run `dockerd-rootless.sh` instead of `dockerd`.

 ```console
-$ dockerd-rootless.sh --experimental"
+$ dockerd-rootless.sh --experimental --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)"
 ```
 As Rootless mode is experimental per se, currently you always need to run `dockerd-rootless.sh` with `--experimental`.
+Also, to expose ports, you need to set `--userland-proxy-path` to the path of `rootlesskit-docker-proxy` binary.

 Remarks:
 * The socket path is set to `$XDG_RUNTIME_DIR/docker.sock` by default. `$XDG_RUNTIME_DIR` is typically set to `/run/user/$UID`.
@ -72,17 +75,6 @@ You can just use the upstream Docker client but you need to set the socket path
 $ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d nginx
 ```

-### Exposing ports
-
-In addition to exposing container ports to the `dockerd` network namespace, you also need to expose the ports in the `dockerd` network namespace to the host network namespace.
-
-```console
-$ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d -p 80:80 nginx
-$ socat -t -- TCP-LISTEN:8080,reuseaddr,fork EXEC:"nsenter -U -n -t $(cat $XDG_RUNTIME_DIR/docker.pid) socat -t -- STDIN TCP4\:127.0.0.1\:80"
-```
-
-In future, `dockerd` will be able to expose the ports automatically.
-
 ### Routing ping packets

 To route ping packets, you need to set up `net.ipv4.ping_group_range` properly as the root.
--- a/hack/dockerfile/install/rootlesskit.installer
+++ b/hack/dockerfile/install/rootlesskit.installer
@ -1,7 +1,7 @@
 #!/bin/sh

-# v0.3.0-alpha.2
-ROOTLESSKIT_COMMIT=7bbbc48a6f906633a9b12783b957f4c3aa037d33
+# v0.3.0-beta.0
+ROOTLESSKIT_COMMIT=ed2671442965115b84ecf82d4831cc48747d89b8

 install_rootlesskit() {
 	case "$1" in
@ -30,5 +30,7 @@ _install_rootlesskit() {
 	git clone https://github.com/rootless-containers/rootlesskit.git "$GOPATH/src/github.com/rootless-containers/rootlesskit"
 	cd "$GOPATH/src/github.com/rootless-containers/rootlesskit"
 	git checkout -q "$ROOTLESSKIT_COMMIT"
-	go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/rootlesskit" github.com/rootless-containers/rootlesskit/cmd/rootlesskit
+	for f in rootlesskit rootlesskit-docker-proxy; do
+		go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/$f" github.com/rootless-containers/rootlesskit/cmd/$f
+	done
 }
--- a/hack/make/.binary-setup
+++ b/hack/make/.binary-setup
@ -8,5 +8,6 @@ DOCKER_CONTAINERD_SHIM_BINARY_NAME='containerd-shim'
 DOCKER_PROXY_BINARY_NAME='docker-proxy'
 DOCKER_INIT_BINARY_NAME='docker-init'
 DOCKER_ROOTLESSKIT_BINARY_NAME='rootlesskit'
+DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME='rootlesskit-docker-proxy'
 DOCKER_VPNKIT_BINARY_NAME='vpnkit'
 DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME='dockerd-rootless.sh'
--- a/hack/make/binary-daemon
+++ b/hack/make/binary-daemon
@ -14,7 +14,7 @@ copy_binaries() {
 		return
 	fi
 	echo "Copying nested executables into $dir"
-	for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit dockerd-rootless.sh; do
+	for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh; do
 		cp -f `which "$file"` "$dir/"
 		if [ "$hash" == "hash" ]; then
 			hash_files "$dir/$file"
--- a/hack/make/install-binary
+++ b/hack/make/install-binary
@ -27,6 +27,7 @@ install_binary() {
 	install_binary "${DEST}/${DOCKER_PROXY_BINARY_NAME}"
 	install_binary "${DEST}/${DOCKER_INIT_BINARY_NAME}"
 	install_binary "${DEST}/${DOCKER_ROOTLESSKIT_BINARY_NAME}"
+	install_binary "${DEST}/${DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME}"
 	install_binary "${DEST}/${DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME}"
 	if [ -f "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}" ]; then
 		install_binary "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}"