decompose --rootless into $DOCKER_HONOR_XDG and --exec-opt native.*#39024
AkihiroSuda wants to merge 1 commit into moby:master from
Force-pushed 6267742 to b8cb678
Force-pushed b8cb678 to b9a1a37
Force-pushed b9a1a37 to 77c9580
Codecov Report
```
@@            Coverage Diff             @@
##           master   #39024      +/-   ##
==========================================
- Coverage   37.01%   36.97%   -0.04%
==========================================
  Files         612      612
  Lines       45390    45441      +51
==========================================
+ Hits        16799    16800       +1
- Misses      26307    26352      +45
- Partials     2284     2289       +5
```
I applaud the desire to split these up into more explicit options, however I don't like moving even more rootless logic to a helper script. Having a mode whereby a user can just specify something like
I guess this is fine to fix the bug, but would definitely like to see work around the UX for rootless.
Also, wondering if we can reproduce this issue in a test.
I don't understand the issue precisely and why we can't just ignore the
A quick workaround for the boot2docker issue #39009 would be to just disable setting
I just used `env -i` to scrub extra variables while invoking
`/etc/init.d/docker` during boot to get the release out for folks to test.
Longer-term I'd love to see a proper fix like this one instead (that
doesn't rely on the inconsistent `USER` variable). 👍
Hopefully in the next Docker beta release? 🙏
I'd definitely love to hear more about the edge cases checking USER is
supposed to help with though, because there's got to be something more
reliable we could do. 😅
@cpuguy83 @tonistiigi WDYT on #39024 (comment)?
Force-pushed 77c9580 to a33a6fe
rebased
Force-pushed a33a6fe to 054d885
When I tried this in #38817 I still had to set
The
Force-pushed 0c2a26d to 23caa41
I'd like to either get this merged or find an alternative way soon, so that we can provide an almost stable package before DockerCon.
I think we can discuss it again when these become a reality. If there is a use case to actually choose between different drivers, exec-opt is probably the right flag. But at the moment we are just determining a reduced feature set so that rootless mode (dockerd inside a rootless container) can start.
Note that
And it had been very confusing that the cgroup driver value was substantially ignored when the daemon is running in "rootless" mode. So I feel
Yes, I had forgotten that. So it shouldn't be an issue if there is a need for a special driver for cgroup2 in the future (although ideally it can still be avoided). My thinking is that if a user is running rootless containers
The --rootless monolith did not work well for several edge cases:
* moby#38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* moby#39009: euid=0 but $USER="docker" (rootful boot2docker)

This commit decomposes the --rootless monolith into the following environment variable and flags:
* $DOCKER_HONOR_XDG: honor $XDG_RUNTIME_DIR, $XDG_DATA_HOME, and $XDG_CONFIG_HOME for detecting the default dirs
* --exec-opt native.cgroupdriver=none: disable cgroups (needs --experimental to be specified together)
* --exec-opt native.restrict_oom_score_adj=1: restrict oom_score_adj value (needs --experimental to be specified together)

dockerd doesn't try to auto-detect these configurations, but now dockerd-rootless.sh launches dockerd with "rootless flags" by default:
--experimental --exec-opt native.cgroupdriver=none --exec-opt native.restrict_oom_score_adj=1 --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)

Fix moby#38702 moby#39009

Signed-off-by: Akihiro Suda <[email protected]>
Force-pushed 23caa41 to 9153085
Updated PR to disallow
WDYT?
As the user still needs to use
Also, the behavior of
It might be good to reserve
I agree with @tonistiigi, this should just be encompassed by
Do you mean you want
How about a combined approach: restore
For the typical use case, the user only needs to set
Coming from a mostly naive place here... but I would say let's not set
Why must the XDG dir be ignored (with --rootless) in the root-in-userns case?
The `--rootless` flag had a couple of issues:
* moby#38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* moby#39009: euid=0 but $USER="docker" (rootful boot2docker)

To fix moby#38702, XDG dirs are ignored as in rootful Docker, unless the dockerd is directly running under RootlessKit namespaces. RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.

To fix moby#39009, the non-robust `$USER` check is now completely removed.

The entire logic can be illustrated as follows:
```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```

Close moby#39024
Fix moby#38702 moby#39009

Signed-off-by: Akihiro Suda <[email protected]>
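Added example, not code from moby or from the commit above: the decision table in that commit message written out as a Go function, fed with the two bug-report situations the thread discusses (moby#39009 and moby#38702) and the ordinary RootlessKit launch. The `rootlessInputs`/`rootlessConfig` types, the scenario list and the state-dir path are constructed for illustration; the only real inputs are `$ROOTLESSKIT_STATE_DIR` and the `--rootless` flag, and the point of the example is that `$USER` and the effective UID are carried along but never consulted.

```go
package main

import (
	"fmt"
	"os"
)

// rootlessInputs are the only two signals the #39138 logic consults
// (constructed type for this example).
type rootlessInputs struct {
	rootlessKitStateDir string // $ROOTLESSKIT_STATE_DIR, "" when unset
	rootlessFlag        bool   // --rootless passed on the dockerd command line
}

// rootlessConfig has one field per line of the pseudo-code in the commit message.
type rootlessConfig struct {
	WithRootlessKit           bool
	RootlessMode              bool
	HonorXDG                  bool
	UseRootlessKitDockerProxy bool
	RemoveCgroupSpec          bool
	AdjustOOMScoreAdj         bool
}

// decideRootless is the decision table from the commit message. It has no
// parameter for $USER or the effective UID on purpose: the fix removed that check.
func decideRootless(in rootlessInputs) rootlessConfig {
	withRootlessKit := in.rootlessKitStateDir != ""
	rootlessMode := withRootlessKit || in.rootlessFlag
	return rootlessConfig{
		WithRootlessKit:           withRootlessKit,
		RootlessMode:              rootlessMode,
		HonorXDG:                  withRootlessKit, // XDG dirs only directly under RootlessKit
		UseRootlessKitDockerProxy: withRootlessKit,
		RemoveCgroupSpec:          rootlessMode, // "same as rootful but cgroup disabled"
		AdjustOOMScoreAdj:         rootlessMode,
	}
}

// inputsFromEnv reads the live process environment; rootlessFlag stands in
// for the parsed --rootless CLI flag.
func inputsFromEnv(rootlessFlag bool) rootlessInputs {
	return rootlessInputs{
		rootlessKitStateDir: os.Getenv("ROOTLESSKIT_STATE_DIR"),
		rootlessFlag:        rootlessFlag,
	}
}

// scenario records a situation from the thread. user and euid are what the
// bug reports observed; they are printed only to show the decision ignores them.
type scenario struct {
	name string
	user string
	euid int
	in   rootlessInputs
}

// threadScenarios are constructed from the two bug reports plus the normal
// RootlessKit launch; the state-dir path is a made-up example value.
func threadScenarios() []scenario {
	return []scenario{
		{"rootful boot2docker (moby#39009)", "docker", 0,
			rootlessInputs{rootlessKitStateDir: "", rootlessFlag: false}},
		{"rootful dockerd inside rootless Docker, started with --rootless (moby#38702)", "root", 0,
			rootlessInputs{rootlessKitStateDir: "", rootlessFlag: true}},
		{"dockerd launched by dockerd-rootless.sh under RootlessKit", "alice", 0,
			rootlessInputs{rootlessKitStateDir: "/tmp/rootlesskit-example", rootlessFlag: false}},
	}
}

func main() {
	for _, s := range threadScenarios() {
		cfg := decideRootless(s.in)
		fmt.Printf("%s\n  $USER=%q euid=%d (not consulted)\n  %+v\n", s.name, s.user, s.euid, cfg)
	}
	fmt.Printf("this process: %+v\n", decideRootless(inputsFromEnv(false)))
}
```

The boot2docker case comes out fully rootful whatever `$USER` says; the inner dockerd of moby#38702 gets rootless mode (cgroups removed, oom_score_adj adjusted) but keeps rootful directories and proxy; only a process that actually inherits `$ROOTLESSKIT_STATE_DIR` honors the XDG dirs and uses rootlesskit-docker-proxy.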
Closing per #39138
Because "rootful"-in-rootless dockerd is expected to behave almost the same as rootful dockerd.
But if the user sets --rootless, why would they expect it to behave the same as rootful?
same as rootful but cgroup disabled
dockerd: fix rootless detection (alternative to #39024)
Signed-off-by: Akihiro Suda <[email protected]>
(cherry picked from commit 3518383)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
- What I did
Fix #38702 #39009

- How I did it
The `--rootless` monolith did not work well for several edge cases:
* #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* #39009: euid=0 but $USER="docker" (rootful boot2docker)

This commit decomposes the `--rootless` monolith into the following environment variable and flags:
* `$DOCKER_HONOR_XDG`: honor `$XDG_RUNTIME_DIR`, `$XDG_DATA_HOME`, and `$XDG_CONFIG_HOME` for detecting the default dirs
* `--exec-opt native.cgroupdriver=none`: disable cgroups (needs `--experimental` to be specified together)
* `--exec-opt native.restrict_oom_score_adj=1`: restrict oom_score_adj value (needs `--experimental` to be specified together)

`dockerd` doesn't try to auto-detect these configurations, but now `dockerd-rootless.sh` launches `dockerd` with "rootless flags" by default:
`--experimental --exec-opt native.cgroupdriver=none --exec-opt native.restrict_oom_score_adj=1 --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)`

- How to verify it
```
$ dockerd-rootless.sh
```
(Note: `Security Options` no longer contains "rootless")

- Description for the changelog
decompose --rootless into $DOCKER_HONOR_XDG and --exec-opt native.*

- A picture of a cute animal (not mandatory but encouraged)
🐧