builder-next: fixes for rootless mode

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2022-11-09 12:21:53 -05:00 · 2019-02-28 00:12:55 -08:00 · 2019-02-28 00:12:55 -08:00 · f9b9d5f584
commit f9b9d5f584
parent 348d793351
8 changed files with 24 additions and 14 deletions
--- a/builder/builder-next/builder.go
+++ b/builder/builder-next/builder.go
@ -75,6 +75,7 @@ type Opt struct {
 	DefaultCgroupParent string
 	ResolverOpt         resolver.ResolveOptionsFunc
 	BuilderConfig       config.BuilderConfig
 	Rootless            bool
 }
 // Builder can build using BuildKit backend
--- a/builder/builder-next/controller.go
+++ b/builder/builder-next/controller.go
@ -107,7 +107,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
 		return nil, err
 	}
-	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController)
+	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, opt.Rootless)
 	if err != nil {
 		return nil, err
 	}
--- a/builder/builder-next/executor_unix.go
+++ b/builder/builder-next/executor_unix.go
@ -20,9 +20,9 @@ import (
 const networkName = "bridge"
-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (executor.Executor, error) {
+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, rootless bool) (executor.Executor, error) {
 	networkProviders := map[pb.NetMode]network.Provider{
-		pb.NetMode_UNSET: &bridgeProvider{NetworkController: net},
+		pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")},
 		pb.NetMode_HOST:  network.NewHostProvider(),
 		pb.NetMode_NONE:  network.NewNoneProvider(),
 	}
@ -30,11 +30,13 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e
 		Root:                filepath.Join(root, "executor"),
 		CommandCandidates:   []string{"runc"},
 		DefaultCgroupParent: cgroupParent,
 		Rootless:            rootless,
 	}, networkProviders)
 }
 type bridgeProvider struct {
 	libnetwork.NetworkController
 	Root string
 }
 func (p *bridgeProvider) New() (network.Namespace, error) {
@ -70,7 +72,8 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw
 		return
 	}
-	sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey())
+	sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey(), libnetwork.OptionHostsPath(filepath.Join(iface.provider.Root, id, "hosts")),
 		libnetwork.OptionResolvConfPath(filepath.Join(iface.provider.Root, id, "resolv.conf")))
 	if err != nil {
 		iface.err = err
 		return
@ -88,23 +91,26 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw
 func (iface *lnInterface) Set(s *specs.Spec) {
 	<-iface.ready
 	if iface.err != nil {
 		logrus.WithError(iface.err).Error("failed to set networking spec")
 		return
 	}
 	// attach netns to bridge within the container namespace, using reexec in a prestart hook
 	s.Hooks = &specs.Hooks{
 		Prestart: []specs.Hook{{
 			Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
-			Args: []string{"libnetwork-setkey", iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},
+			Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},
 		}},
 	}
 }
 func (iface *lnInterface) Close() error {
 	<-iface.ready
-	go func() {
+	if iface.sbx != nil {
-		if err := iface.sbx.Delete(); err != nil {
+		go func() {
-			logrus.Errorf("failed to delete builder network sandbox: %v", err)
+			if err := iface.sbx.Delete(); err != nil {
-		}
+				logrus.Errorf("failed to delete builder network sandbox: %v", err)
-	}()
+			}
 		}()
 	}
 	return iface.err
 }
--- a/builder/builder-next/executor_windows.go
+++ b/builder/builder-next/executor_windows.go
@ -10,7 +10,7 @@ import (
 	"github.com/moby/buildkit/executor"
 )
-func newExecutor(_, _ string, _ libnetwork.NetworkController) (executor.Executor, error) {
+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ bool) (executor.Executor, error) {
 	return &winExecutor{}, nil
 }
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@ -325,6 +325,7 @@ func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, e
 		DefaultCgroupParent: cgroupParent,
 		ResolverOpt:         d.NewResolveOptionsFunc(),
 		BuilderConfig:       config.Builder,
 		Rootless:            d.Rootless(),
 	})
 	if err != nil {
 		return opts, err
--- a/daemon/info.go
+++ b/daemon/info.go
@ -175,7 +175,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf
 	if rootIDs := daemon.idMapping.RootPair(); rootIDs.UID != 0 || rootIDs.GID != 0 {
 		securityOptions = append(securityOptions, "name=userns")
 	}
-	if daemon.configStoreRootless() {
+	if daemon.Rootless() {
 		securityOptions = append(securityOptions, "name=rootless")
 	}
 	v.SecurityOptions = securityOptions
--- a/daemon/info_unix.go
+++ b/daemon/info_unix.go
@ -247,6 +247,7 @@ func parseRuncVersion(v string) (version string, commit string, err error) {
 	return version, commit, err
 }
-func (daemon *Daemon) configStoreRootless() bool {
+// Rootless returns true if daemon is running in rootless mode
 func (daemon *Daemon) Rootless() bool {
 	return daemon.configStore.Rootless
 }
--- a/daemon/info_windows.go
+++ b/daemon/info_windows.go
@ -14,6 +14,7 @@ func (daemon *Daemon) fillPlatformVersion(v *types.Version) {}
 func fillDriverWarnings(v *types.Info) {
 }
-func (daemon *Daemon) configStoreRootless() bool {
+// Rootless returns true if daemon is running in rootless mode
 func (daemon *Daemon) Rootless() bool {
 	return false
 }