diff --git a/builder/builder-next/builder.go b/builder/builder-next/builder.go
index 859f80eabe..0d08d12f14 100644
--- a/builder/builder-next/builder.go
+++ b/builder/builder-next/builder.go
@@ -75,6 +75,7 @@ type Opt struct {
 	DefaultCgroupParent string
 	ResolverOpt resolver.ResolveOptionsFunc
 	BuilderConfig config.BuilderConfig
+	Rootless bool
 }
 
 // Builder can build using BuildKit backend
diff --git a/builder/builder-next/controller.go b/builder/builder-next/controller.go
index 5aafba2e4a..6d1b1ecd33 100644
--- a/builder/builder-next/controller.go
+++ b/builder/builder-next/controller.go
@@ -107,7 +107,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
 		return nil, err
 	}
 
-	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController)
+	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, opt.Rootless)
 	if err != nil {
 		return nil, err
 	}
diff --git a/builder/builder-next/executor_unix.go b/builder/builder-next/executor_unix.go
index 3a11f85881..132b92808f 100644
--- a/builder/builder-next/executor_unix.go
+++ b/builder/builder-next/executor_unix.go
@@ -20,9 +20,9 @@ import (
 
 const networkName = "bridge"
 
-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (executor.Executor, error) {
+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, rootless bool) (executor.Executor, error) {
 	networkProviders := map[pb.NetMode]network.Provider{
-		pb.NetMode_UNSET: &bridgeProvider{NetworkController: net},
+		pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")},
 		pb.NetMode_HOST: network.NewHostProvider(),
 		pb.NetMode_NONE: network.NewNoneProvider(),
 	}
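Review bot: The new exported field `Rootless` on `Opt` in builder.go has no doc comment, so a reader of the struct cannot tell what it controls without following it through controller.go into the executor. The other hunks show it is only forwarded into the runc executor options, so a one-line comment is enough: `// Rootless is set when the daemon runs in rootless mode; it is forwarded to the runc executor.`. The `Opt` struct starts before this hunk, so whether its sibling fields are documented is not visible here.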
@@ -30,11 +30,13 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e
 		Root: filepath.Join(root, "executor"),
 		CommandCandidates: []string{"runc"},
 		DefaultCgroupParent: cgroupParent,
+		Rootless: rootless,
 	}, networkProviders)
 }
 
 type bridgeProvider struct {
 	libnetwork.NetworkController
+	Root string
 }
 
 func (p *bridgeProvider) New() (network.Namespace, error) {
@@ -70,7 +72,8 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw
 		return
 	}
 
-	sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey())
+	sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey(), libnetwork.OptionHostsPath(filepath.Join(iface.provider.Root, id, "hosts")),
+		libnetwork.OptionResolvConfPath(filepath.Join(iface.provider.Root, id, "resolv.conf")))
 	if err != nil {
 		iface.err = err
 		return
@@ -88,23 +91,26 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw
 func (iface *lnInterface) Set(s *specs.Spec) {
 	<-iface.ready
 	if iface.err != nil {
+		logrus.WithError(iface.err).Error("failed to set networking spec")
 		return
 	}
 	// attach netns to bridge within the container namespace, using reexec in a prestart hook
 	s.Hooks = &specs.Hooks{
 		Prestart: []specs.Hook{{
 			Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
-			Args: []string{"libnetwork-setkey", iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},
+			Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},
 		}},
 	}
 }
 
 func (iface *lnInterface) Close() error {
 	<-iface.ready
-	go func() {
-		if err := iface.sbx.Delete(); err != nil {
-			logrus.Errorf("failed to delete builder network sandbox: %v", err)
-		}
-	}()
+	if iface.sbx != nil {
+		go func() {
+			if err := iface.sbx.Delete(); err != nil {
+				logrus.Errorf("failed to delete builder network sandbox: %v", err)
+			}
+		}()
+	}
 	return iface.err
 }
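Review bot: The new exported field `Root` on `bridgeProvider` is undocumented, and its meaning is only discoverable from the later `NewSandbox` call that builds per-sandbox file paths from it. Suggest `// Root is the directory under which each sandbox's hosts and resolv.conf files are placed.`. The `Rootless: rootless` line just forwards the new parameter and needs nothing further.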
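Review bot: The `hosts` and `resolv.conf` files are now created under `<Root>/<id>/`, but nothing in this diff removes that directory: `Close` only calls `iface.sbx.Delete()`, and whether libnetwork deletes the hosts/resolv.conf files and their parent directory as part of sandbox deletion is not visible here; if it does not, one directory is left behind per build sandbox. If the id is retained on the interface, removing `filepath.Join(iface.provider.Root, id)` after a successful `Delete` in `Close` would close the gap. Whether `NewSandbox` creates the per-sandbox directory itself is also not visible; if it expects the parent to exist, sandbox creation will fail on a fresh root. As a matter of style, the new `NewSandbox` call would read better with one option per line rather than two options on the first line and one on the continuation. The enclosing `init` starts outside this hunk.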
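Review bot: The error path of `Set` now logs `iface.err`, and `Close` still returns the same value, so one sandbox failure is reported at two layers. If the error returned from `Close` is what fails the build, the log line is redundant; if it is not, the message should say what happened to the container, e.g. `logrus.WithError(iface.err).Error("network sandbox unavailable; container starts without bridge networking")`, since `Set` has no error return and the spec is simply left without the prestart hook. The new `iface.sbx != nil` guard in `Close` has no counterpart on the success path of `Set`, which still calls `iface.sbx.ContainerID()`; that is only safe if `init` (outside this hunk) never leaves `sbx` nil while `err` is nil. The `-exec-root=` flag added to the prestart hook arguments must match the flag name parsed by the `libnetwork-setkey` reexec handler, which is not part of this diff.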
diff --git a/builder/builder-next/executor_windows.go b/builder/builder-next/executor_windows.go
index f19bf18655..e2cc907160 100644
--- a/builder/builder-next/executor_windows.go
+++ b/builder/builder-next/executor_windows.go
@@ -10,7 +10,7 @@ import (
 	"github.com/moby/buildkit/executor"
 )
 
-func newExecutor(_, _ string, _ libnetwork.NetworkController) (executor.Executor, error) {
+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ bool) (executor.Executor, error) {
 	return &winExecutor{}, nil
 }
 
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
index 362d43666f..6f99207ca1 100644
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -325,6 +325,7 @@ func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, e
 		DefaultCgroupParent: cgroupParent,
 		ResolverOpt: d.NewResolveOptionsFunc(),
 		BuilderConfig: config.Builder,
+		Rootless: d.Rootless(),
 	})
 	if err != nil {
 		return opts, err
diff --git a/daemon/info.go b/daemon/info.go
index b2e4724aee..e14fcf4bd0 100644
--- a/daemon/info.go
+++ b/daemon/info.go
@@ -175,7 +175,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 	if rootIDs := daemon.idMapping.RootPair(); rootIDs.UID != 0 || rootIDs.GID != 0 {
 		securityOptions = append(securityOptions, "name=userns")
 	}
-	if daemon.configStoreRootless() {
+	if daemon.Rootless() {
 		securityOptions = append(securityOptions, "name=rootless")
 	}
 	v.SecurityOptions = securityOptions
diff --git a/daemon/info_unix.go b/daemon/info_unix.go
index 40063c0ff7..9d36402368 100644
--- a/daemon/info_unix.go
+++ b/daemon/info_unix.go
@@ -247,6 +247,7 @@ func parseRuncVersion(v string) (version string, commit string, err error) {
 	return version, commit, err
 }
 
-func (daemon *Daemon) configStoreRootless() bool {
+// Rootless returns true if daemon is running in rootless mode
+func (daemon *Daemon) Rootless() bool {
 	return daemon.configStore.Rootless
 }
diff --git a/daemon/info_windows.go b/daemon/info_windows.go
index b8611d7f82..af0662c3e8 100644
--- a/daemon/info_windows.go
+++ b/daemon/info_windows.go
@@ -14,6 +14,7 @@ func (daemon *Daemon) fillPlatformVersion(v *types.Version) {}
 func fillDriverWarnings(v *types.Info) {
 }
 
-func (daemon *Daemon) configStoreRootless() bool {
+// Rootless returns true if daemon is running in rootless mode
+func (daemon *Daemon) Rootless() bool {
 	return false
 }