
Commit 7e63d2a

committed
dockerd-rootless.sh: if no slirp4netns, try pasta
Signed-off-by: Rob Murray <[email protected]>
1 parent 6bbb92d commit 7e63d2a

1 file changed

Lines changed: 38 additions & 14 deletions


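--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -9,13 +9,20 @@
 # * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed.
 #
 # Recognized environment variables:
-# * DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR: the rootlesskit state dir. Defaults to "$XDG_RUNTIME_DIR/dockerd-rootless".
-# * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit".
-# * DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 65520 for slirp4netns, 1500 for other drivers.
-# * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit): the rootlesskit port driver. Defaults to "builtin".
-# * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace. Defaults to "auto".
-# * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false): whether to protect slirp4netns with seccomp. Defaults to "auto".
-# * DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK=(true|false): prohibit connections to 127.0.0.1 on the host (including via 10.0.2.2, in the case of slirp4netns). Defaults to "true".
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR: the rootlesskit state dir.
+# * Defaults to "$XDG_RUNTIME_DIR/dockerd-rootless".
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|lxc-user-nic): the rootlesskit network driver.
+# * Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed, else "pasta", else "vpnkit".
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver.
+# * Defaults to 65520 for slirp4netns and pasta, 1500 for other rootlesskit network drivers.
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit): the rootlesskit port driver.
+# * Defaults to "implicit" for "pasta", "builtin" for other rootlesskit network drivers.
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace.
+# * Defaults to "auto".
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false): whether to protect slirp4netns with seccomp.
+# * Defaults to "auto".
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK=(true|false): prohibit connections to 127.0.0.1 on the host (including via 10.0.2.2, in the case of slirp4netns).
+# * Defaults to "true".
 
 # To apply an environment variable via systemd, create ~/.config/systemd/user/docker.service.d/override.conf as follows,
 # and run `systemctl --user daemon-reload && systemctl --user restart docker`:
@@ -93,11 +100,12 @@ fi
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR:=$XDG_RUNTIME_DIR/dockerd-rootless}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:=}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:=}"
-: "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:=builtin}"
+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:=}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX:=auto}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP:=auto}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK:=}"
 net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET
+port_driver=$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER
 mtu=$DOCKERD_ROOTLESS_ROOTLESSKIT_MTU
 if [ -z "$net" ]; then
 if command -v slirp4netns > /dev/null 2>&1; then
@@ -108,20 +116,36 @@ if [ -z "$net" ]; then
 mtu=65520
 fi
 else
-echo "slirp4netns found but seems older than v0.4.0. Falling back to VPNKit."
+echo "slirp4netns found but seems older than v0.4.0. Checking for other network drivers."
+fi
+fi
+if [ -z "$net" ]; then
+if command -v pasta > /dev/null 2>&1; then
+net=pasta
 fi
 fi
 if [ -z "$net" ]; then
 if command -v vpnkit > /dev/null 2>&1; then
 net=vpnkit
-else
-echo "Either slirp4netns (>= v0.4.0) or vpnkit needs to be installed"
-exit 1
 fi
 fi
+if [ -z "$net" ]; then
+echo "One of slirp4netns (>= v0.4.0), pasta (passt >= 2023_12_04), or vpnkit needs to be installed"
+fi
 fi
 if [ -z "$mtu" ]; then
-mtu=1500
+if [ "$net" = pasta ]; then
+mtu=65520
+else
+mtu=1500
+fi
+fi
+if [ -z "$port_driver" ]; then
+if [ "$net" = pasta ]; then
+port_driver=implicit
+else
+port_driver=builtin
+fi
 fi
 
 host_loopback="--disable-host-loopback"
@@ -156,7 +180,7 @@ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
 --net=$net --mtu=$mtu \
 --slirp4netns-sandbox=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX \
 --slirp4netns-seccomp=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP \
-$host_loopback --port-driver=$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER \
+$host_loopback --port-driver=$port_driver \
 --copy-up=/etc --copy-up=/run \
 --propagation=rslave \
 $DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \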
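Review bot: The new "no driver found" branch in the third hunk (new lines 132-134) only prints the message and falls through, whereas the removed `else` branch it replaces printed and then ran `exit 1`; with `net` still empty, the script goes on to compute `mtu=1500` and `port_driver=builtin` and invokes rootlesskit with an empty `--net=` in the last hunk. What rootlesskit does with an empty driver name is not visible here, but the message clearly intends a hard failure, so the branch should be `echo "One of slirp4netns (>= v0.4.0), pasta (passt >= 2023_12_04), or vpnkit needs to be installed" >&2` followed by `exit 1`, restoring the previous fail-fast behaviour and sending the diagnostic to stderr. Separately, the context comment at line 9 (`# * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed.`) still omits pasta and the passt version that the new error message requires; it should read `# * Either one of slirp4netns (>= v0.4.0), pasta (passt >= 2023_12_04), VPNKit, lxc-user-nic needs to be installed.`. Note the outer `if [ -z "$net" ]` block that this branch sits in opens in the second hunk and closes at the `fi` after the new branch in the third.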
