1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
moby--moby/rootless/specconv/specconv_linux.go
Akihiro Suda ec87479b7e allow running dockerd in an unprivileged user namespace (rootless mode)
Please refer to `docs/rootless.md`.

TLDR:
 * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
 * `dockerd-rootless.sh --experimental`
 * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-04 00:24:27 +09:00

38 lines
894 B
Go

package specconv
import (
"io/ioutil"
"strconv"
"github.com/opencontainers/runtime-spec/specs-go"
)
// ToRootless converts spec to be compatible with "rootless" runc.
// * Remove cgroups (will be supported in separate PR when delegation permission is configured)
// * Fix up OOMScoreAdj
func ToRootless(spec *specs.Spec) error {
return toRootless(spec, getCurrentOOMScoreAdj())
}
func getCurrentOOMScoreAdj() int {
b, err := ioutil.ReadFile("/proc/self/oom_score_adj")
if err != nil {
return 0
}
i, err := strconv.Atoi(string(b))
if err != nil {
return 0
}
return i
}
func toRootless(spec *specs.Spec, currentOOMScoreAdj int) error {
// Remove cgroup settings.
spec.Linux.Resources = nil
spec.Linux.CgroupsPath = ""
if spec.Process.OOMScoreAdj != nil && *spec.Process.OOMScoreAdj < currentOOMScoreAdj {
*spec.Process.OOMScoreAdj = currentOOMScoreAdj
}
return nil
}