Skip to content

dockerd: fix rootless detection (alternative to #39024)#39138

Merged
cpuguy83 merged 1 commit intomoby:masterfrom
AkihiroSuda:fix-rootless-issues-alternative-to-39024
Apr 26, 2019
Merged

dockerd: fix rootless detection (alternative to #39024)#39138
cpuguy83 merged 1 commit intomoby:masterfrom
AkihiroSuda:fix-rootless-issues-alternative-to-39024

Conversation

@AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Apr 25, 2019
edited
Loading

Signed-off-by: Akihiro Suda [email protected]

- What I did
Fix #38702 #39009

- How I did it

The --rootless flag had a couple of issues:

To fix #38702, XDG dirs are ignored as in rootful Docker, unless the
dockerd is directly running under RootlessKit namespaces.

RootlessKit detection is implemented by checking whether $ROOTLESSKIT_STATE_DIR is set.

To fix #39009, the non-robust $USER check is now completely removed.

The entire logic can be illustrated as follows:

withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode

Close #39024
Fix #38702 #39009

- How to verify it

  • Make sure the regular rootless mode works:
$ dockerd-rootless.sh --experimental
WARN[2019-04-25T17:17:48.240093114+09:00] Running experimental build
WARN[2019-04-25T17:17:48.240656519+09:00] Running in rootless mode. Cgroups, AppArmor, and CRIU are disabled.
INFO[2019-04-25T17:17:48.241104912+09:00] Running with RootlessKit integration
...
INFO[2019-04-25T17:17:48.991132927+09:00] API listen on /run/user/1001/docker.sock
  • Make sure "rootful" docker in rootless docker works, with the socket listening on /var/run/docker.sock in the container, not on $XDG_RUNTIME_DIR/docker.sock in the container:
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run -it --rm --name kinda-rootful-in-rootless --privileged -v /usr/local:/usr/local ubuntu
/ # apt update && apt install -y kmod iptables ca-certificates
/ # dockerd --experimental --rootless
WARN[2019-04-25T07:46:48.534752062Z] Running experimental build
WARN[2019-04-25T07:46:48.535769972Z] Running in rootless mode. Cgroups, AppArmor, and CRIU are disabled.
...
INFO[2019-04-25T07:46:48.909046101Z] API listen on /var/run/docker.sock
  • Make sure setting $USER to non-"root" does not break rootful Docker

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)
https://twitter.com/hashtag/WorldPenguinDay?f=image

@AkihiroSuda
dockerd: fix rootless detection (alternative to moby#39024)
3518383 
The `--rootless` flag had a couple of issues:
* moby#38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* moby#39009: euid=0 but $USER="docker" (rootful boot2docker)

To fix moby#38702, XDG dirs are ignored as in rootful Docker, unless the
dockerd is directly running under RootlessKit namespaces.

RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.

To fix moby#39009, the non-robust `$USER` check is now completely removed.

The entire logic can be illustrated as follows:

```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```

Close moby#39024
Fix moby#38702 moby#39009

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Apr 25, 2019

@tonistiigi @tiborvass @cpuguy83 @tianon @thaJeztah

I'd like to get this merged before DockerCon 🙏

@AkihiroSuda AkihiroSuda mentioned this pull request Apr 25, 2019
Closed
@codecov
Copy link

codecov bot commented Apr 25, 2019

Codecov Report

Merging #39138 into master will decrease coverage by <.01%.
The diff coverage is 39.13%.

@@            Coverage Diff             @@
##           master   #39138      +/-   ##
==========================================
- Coverage   37.05%   37.05%   -0.01%     
==========================================
  Files         612      612              
  Lines       45400    45411      +11     
==========================================
+ Hits        16824    16826       +2     
- Misses      26294    26302       +8     
- Partials     2282     2283       +1

@tonistiigi
Copy link
Member

tonistiigi commented Apr 25, 2019
edited
Loading

Not a functional change and only slightly different but can

withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode

be

withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := cliFlag("--rootless")
honorXDG := withRootlessKit && rootlessMode
useRootlessKitDockerProxy := withRootlessKit && rootlessMode
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode

edit: Basically, the difference is that --rootless is always required and withRootlessKit is extended capabilities on top of it.

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Apr 26, 2019

That might be hard to implement, because honorXDG is used for setting up default config before parsing CLI flags such as --rootless.

@tonistiigi
Copy link
Member

tonistiigi commented Apr 26, 2019

@AkihiroSuda Ok, not that important.

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented Apr 26, 2019

@tianon @cpuguy83

PTAL?

cpuguy83
cpuguy83 reviewed Apr 26, 2019
View reviewed changes
cpuguy83
cpuguy83 approved these changes Apr 26, 2019
View reviewed changes
Copy link
Member

@cpuguy83 cpuguy83 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cpuguy83 cpuguy83 merged commit 51f27b1 into moby:master Apr 26, 2019
@dinvlad
Copy link

dinvlad commented May 10, 2019
edited
Loading

Rootful ("child") docker info reports vfs as storage driver, even on Ubuntu hosts for which rootless docker info parent reports overlay2. Is overlay/overlay2 going to be supported for the child Docker? Thanks!

@AkihiroSuda
Copy link
Member Author

AkihiroSuda commented May 10, 2019

Yes, but make sure to create volume for /home/foo/.local

@dinvlad
Copy link

dinvlad commented May 10, 2019
edited
Loading

Thanks @AkihiroSuda! We're now running the rootless container as follows:

docker run -it --rm --name kinda-rootful-in-rootless --privileged -v $HOME/bin:/opt/docker/bin:ro -v /lib/modules:/lib/modules:ro -v docker:/var/lib/docker ubuntu

Note that -v docker:/var/lib/docker creates rootless docker volume for use by rootful docker as overlay2.
Additionally, we mount host /lib/modules into the rootless container, so that we get rid of modprobe warnings (not sure if this is necessary though).

With these changes, the only "suspicious" warning we still get on startup of rootful dockerd is Not using native diff for overlay2, this may cause degraded performance for building images: failed to set opaque flag on middle layer: operation not permitted storage-driver=overlay2

@thaJeztah thaJeztah mentioned this pull request May 13, 2019
Merged
@thaJeztah thaJeztah added this to the 20.03.0 milestone Apr 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cpuguy83 cpuguy83 cpuguy83 approved these changes

@thaJeztah thaJeztah thaJeztah left review comments

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees

No one assigned

Labels

area/rootless Rootless Mode process/cherry-picked status/1-design-review

Projects

None yet

Milestone

20.10.0

Development

Successfully merging this pull request may close these issues.

19.03.0-beta1: could not get XDG_RUNTIME_DIR (dockerd fails to start) Rootful-Docker-in-Rootless-Docker doesn't work

6 participants

@AkihiroSuda @tonistiigi @dinvlad @cpuguy83 @thaJeztah @GordonTheTurtle