moby--moby

Commit Graph

Author	SHA1	Message	Date
Akihiro Suda	c6accc67f2	bump up rootlesskit to v0.11.0 Important fix: Lock state dir for preventing automatic clean-up by systemd-tmpfiles (https://github.com/rootless-containers/rootlesskit/pull/188) Full changes:https://github.com/rootless-containers/rootlesskit/compare/v0.10.0...v0.11.0 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-11-05 16:49:32 +09:00
Akihiro Suda	5bc41368d9	bump up rootlesskit to v0.10.0 Fix port forwarder resource leak (https://github.com/rootless-containers/rootlesskit/issues/153). Changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.5...v0.10.0 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-07-28 16:33:30 +09:00
Xiaodong Liu	0c350e87a0	ldmode=pie is not supported for the mips arch reference: https://github.com/docker/cli/pull/2507 `4c99c81326` Signed-off-by: Xiaodong Liu <liuxiaodong@loongson.cn>	2020-05-21 09:23:00 +08:00
Akihiro Suda	17bb5f4b15	bump up rootlesskit to v0.9.5 Supports numeric ID in /etc/subuid and /etc/subgid . Fix #40926 Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.4...v0.9.5 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-05-11 10:25:00 +09:00
Akihiro Suda	f6ac841633	bump up rootlesskit to v0.9.4 Now `rootlesskit-docker-proxy` returns detailed error message on exposing privileged ports: https://github.com/rootless-containers/rootlesskit/pull/136 Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.2...v0.9.4 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-04-27 13:02:30 +09:00
Akihiro Suda	f310bd29bd	rootless: support forwarding signals from RootlessKit to dockerd See https://github.com/rootless-containers/rootlesskit/pull/127 RootlessKit changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.1...v0.9.2 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-03-15 12:24:23 +09:00
Akihiro Suda	1ea3a2b7f5	rootless: launch rootlesskit with --propagation=rslave The propagation was previously set to rprivate and didn't propagate mounts from the host mount namespace into the daemon's mount namespace. Further information about --propagation: https://github.com/rootless-containers/rootlesskit/tree/v0.9.1#mount-propagation RootlessKit changes: https://github.com/rootless-containers/rootlesskit/compare/v0.8.0...v0.9.1 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-03-07 21:16:29 +09:00
Akihiro Suda	3cf82748dd	run shfmt git grep --name-only '^#!' \| egrep -v '(vendor\|\.go\|Jenkinsfile)' \| xargs shfmt -w -bn -ci -sr Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-03-03 12:27:49 +09:00
Akihiro Suda	ca4b51868a	rootless: support `--exec-opt native.cgroupdriver=systemd` Support cgroup as in Rootless Podman. Requires cgroup v2 host with crun. Tested with Ubuntu 19.10 (kernel 5.3, systemd 242), crun v0.12.1. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2020-02-14 15:32:31 +09:00
Akihiro Suda	658723badd	rootless: fix proxying UDP packets UDP reply packets were not proxied: https://github.com/rootless-containers/rootlesskit/issues/86 The issue was fixed in RootlessKit v0.7.1: https://github.com/rootless-containers/rootlesskit/pull/87 Full changes since v0.7.0: https://github.com/rootless-containers/rootlesskit/compare/v0.7.0...v0.7.1 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2019-12-18 19:33:27 +09:00
Justen Martin	095ca77f48	Use build args to override binary commits in dockerfile Signed-off-by: Justen Martin <jmart@the-coder.com>	2019-10-10 14:52:57 -05:00
Akihiro Suda	e20b7323fb	rootless: harden slirp4netns with mount namespace and seccomp When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using mount namespace ("sandbox") and seccomp to mitigate potential vulnerabilities. bump up rootlesskit: `2fcff6ceae...791ac8cb20` Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2019-09-02 14:58:58 +09:00
Akihiro Suda	34f4729bc0	rootless: allow exposing dockerd TCP socket easily eg. $ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp" \ dockerd-rootless.sh --experimental \ -H tcp://0.0.0.0:2376 \ --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem This commit bumps up RootlessKit from v0.4.1 to v0.6.0: `27a0c7a248...2fcff6ceae` Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2019-07-11 11:09:29 +09:00
Akihiro Suda	00c92a6719	bump up rootlesskit to v0.4.1 Now the child process is killed when the parent dies (rootless-containers/rootlesskit#66) `e92d5e7...27a0c7a` Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2019-05-15 20:51:48 +09:00
Akihiro Suda	63a66b0eb0	rootless: optional support for lxc-user-nic SUID binary lxc-user-nic can eliminate slirp overhead but needs /etc/lxc/lxc-usernet to be configured for the current user. To use lxc-user-nic, $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic also needs to be set. This commit also bumps up RootlessKit from v0.3.0 to v0.4.0: `70e0502f32...e92d5e772e` Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>	2019-04-25 23:54:30 +09:00
Akihiro Suda	c458822887	bump up rootlesskit Changes: `ed26714429...70e0502f32` Contains the fix for running RootlessKit+VPNKit instances simultaneously with multiple users: https://github.com/rootless-containers/rootlesskit/issues/56 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>	2019-04-03 20:08:50 +09:00
Akihiro Suda	f0b405fbda	rootless: expose ports automatically Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with `--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`. This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`. The port number on the host namespace needs to be set to >= 1024. SCTP ports are currently unsupported. RootlessKit changes: `7bbbc48a6f...ed26714429` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>	2019-03-21 02:44:08 +09:00
Akihiro Suda	f1a87919e0	bump up rootlesskit (fix CentOS failure) Changes: `7905ee34b3...7bbbc48a6f` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>	2019-02-14 14:27:28 +09:00
Akihiro Suda	bcc4c03092	bump up rootlesskit (fix armv7 compilation failure) https://github.com/rootless-containers/rootlesskit/issues/41 Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>	2019-02-05 23:02:32 +09:00
Akihiro Suda	ec87479b7e	allow running `dockerd` in an unprivileged user namespace (rootless mode) Please refer to `docs/rootless.md`. TLDR: * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you * `dockerd-rootless.sh --experimental` * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...` Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>	2019-02-04 00:24:27 +09:00

20 Commits