Akihiro Suda
c6accc67f2
bump up rootlesskit to v0.11.0
Important fix: Lock state dir for preventing automatic clean-up by systemd-tmpfiles
(https://github.com/rootless-containers/rootlesskit/pull/188)
Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.10.0...v0.11.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-05 16:49:32 +09:00
Akihiro Suda
5bc41368d9
bump up rootlesskit to v0.10.0
Fix port forwarder resource leak (https://github.com/rootless-containers/rootlesskit/issues/153).
Changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.5...v0.10.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-07-28 16:33:30 +09:00
Xiaodong Liu
0c350e87a0
ldmode=pie is not supported for the mips arch
reference:
https://github.com/docker/cli/pull/2507
4c99c81326
Signed-off-by: Xiaodong Liu <liuxiaodong@loongson.cn>
2020-05-21 09:23:00 +08:00
Akihiro Suda
17bb5f4b15
bump up rootlesskit to v0.9.5
Supports numeric ID in /etc/subuid and /etc/subgid.
Fix #40926
Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.4...v0.9.5
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-11 10:25:00 +09:00
Akihiro Suda
f6ac841633
bump up rootlesskit to v0.9.4
Now `rootlesskit-docker-proxy` returns detailed error message on
exposing privileged ports: https://github.com/rootless-containers/rootlesskit/pull/136
Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.2...v0.9.4
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-04-27 13:02:30 +09:00
Akihiro Suda
f310bd29bd
rootless: support forwarding signals from RootlessKit to dockerd
See https://github.com/rootless-containers/rootlesskit/pull/127
RootlessKit changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.1...v0.9.2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-15 12:24:23 +09:00
Akihiro Suda
1ea3a2b7f5
rootless: launch rootlesskit with --propagation=rslave
The propagation was previously set to rprivate and didn't propagate
mounts from the host mount namespace into the daemon's mount namespace.
Further information about --propagation: https://github.com/rootless-containers/rootlesskit/tree/v0.9.1#mount-propagation
RootlessKit changes: https://github.com/rootless-containers/rootlesskit/compare/v0.8.0...v0.9.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-07 21:16:29 +09:00
Akihiro Suda
3cf82748dd
run shfmt
git grep --name-only '^#!' | egrep -v '(vendor|\.go|Jenkinsfile)' | xargs shfmt -w -bn -ci -sr
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-03-03 12:27:49 +09:00
Akihiro Suda
ca4b51868a
rootless: support `--exec-opt native.cgroupdriver=systemd`
Support cgroup as in Rootless Podman.
Requires cgroup v2 host with crun.
Tested with Ubuntu 19.10 (kernel 5.3, systemd 242), crun v0.12.1.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-02-14 15:32:31 +09:00
Akihiro Suda
658723badd
rootless: fix proxying UDP packets
UDP reply packets were not proxied: https://github.com/rootless-containers/rootlesskit/issues/86
The issue was fixed in RootlessKit v0.7.1: https://github.com/rootless-containers/rootlesskit/pull/87
Full changes since v0.7.0: https://github.com/rootless-containers/rootlesskit/compare/v0.7.0...v0.7.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-12-18 19:33:27 +09:00
Justen Martin
095ca77f48
Use build args to override binary commits in dockerfile
Signed-off-by: Justen Martin <jmart@the-coder.com>
2019-10-10 14:52:57 -05:00
Akihiro Suda
e20b7323fb
rootless: harden slirp4netns with mount namespace and seccomp
When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using
mount namespace ("sandbox") and seccomp to mitigate potential
vulnerabilities.
bump up rootlesskit: 2fcff6ceae...791ac8cb20
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-09-02 14:58:58 +09:00
Akihiro Suda
34f4729bc0
rootless: allow exposing dockerd TCP socket easily
e.g.
$ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp" \
dockerd-rootless.sh --experimental \
-H tcp://0.0.0.0:2376 \
--tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem
This commit bumps up RootlessKit from v0.4.1 to v0.6.0:
27a0c7a248...2fcff6ceae
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-07-11 11:09:29 +09:00
Akihiro Suda
00c92a6719
bump up rootlesskit to v0.4.1
Now the child process is killed when the parent dies (rootless-containers/rootlesskit#66)
e92d5e7...27a0c7a
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-05-15 20:51:48 +09:00
Akihiro Suda
63a66b0eb0
rootless: optional support for lxc-user-nic SUID binary
lxc-user-nic can eliminate slirp overhead but needs /etc/lxc/lxc-usernet to be configured for the current user.
To use lxc-user-nic, $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic also needs to be set.
This commit also bumps up RootlessKit from v0.3.0 to v0.4.0:
70e0502f32...e92d5e772e
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-04-25 23:54:30 +09:00
Akihiro Suda
c458822887
bump up rootlesskit
Changes: ed26714429...70e0502f32
Contains the fix for running RootlessKit+VPNKit instances simultaneously with multiple users: https://github.com/rootless-containers/rootlesskit/issues/56
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-04-03 20:08:50 +09:00
Akihiro Suda
f0b405fbda
rootless: expose ports automatically
Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.
The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.
RootlessKit changes: 7bbbc48a6f...ed26714429
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-03-21 02:44:08 +09:00
Akihiro Suda
f1a87919e0
bump up rootlesskit (fix CentOS failure)
Changes:
7905ee34b3...7bbbc48a6f
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-14 14:27:28 +09:00
Akihiro Suda
bcc4c03092
bump up rootlesskit (fix armv7 compilation failure)
https://github.com/rootless-containers/rootlesskit/issues/41
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-05 23:02:32 +09:00
Akihiro Suda
ec87479b7e
allow running `dockerd` in an unprivileged user namespace (rootless mode)
Please refer to `docs/rootless.md`.
TLDR:
* Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
* `dockerd-rootless.sh --experimental`
* `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-04 00:24:27 +09:00