rootless: allow exposing dockerd TCP socket easily#39493
Merged
tiborvass merged 1 commit intomoby:masterfrom Jul 17, 2019
Merged
rootless: allow exposing dockerd TCP socket easily#39493tiborvass merged 1 commit intomoby:masterfrom
tiborvass merged 1 commit intomoby:masterfrom
Conversation
Member
Author
eg. $ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp" \ dockerd-rootless.sh --experimental \ -H tcp://0.0.0.0:2376 \ --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem This commit bumps up RootlessKit from v0.4.1 to v0.6.0: rootless-containers/rootlesskit@27a0c7a...2fcff6c Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda
force-pushed
the
rootlesskit-060
branch
from
cea050b to
34f4729
Compare
AkihiroSuda
added a commit
to AkihiroSuda/docker-library-docker
that referenced
this pull request
Jul 11, 2019
Usage: $ docker built -t dind-rootless . $ docker run -d --name dind-rootless --privileged dind-rootless $ docker exec dind-rootless docker info * The daemon runs in an unprivileged user with ID 1000 * `--privileged` is still required due to seccomp, apparmor, procfs, and sysfs stuff * `-H tcp://....` will be supported soon: moby/moby#39493 Signed-off-by: Akihiro Suda <[email protected]>
2 tasks
AkihiroSuda
added a commit
to AkihiroSuda/docker-library-docker
that referenced
this pull request
Jul 11, 2019
Usage: $ docker build -t dind-rootless . $ docker run -d --name dind-rootless --privileged dind-rootless $ docker exec dind-rootless docker info * The daemon runs in an unprivileged user with ID 1000 * `--privileged` is still required due to seccomp, apparmor, procfs, and sysfs stuff * `-H tcp://....` will be supported soon: moby/moby#39493 Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda
added a commit
to AkihiroSuda/docker-library-docker
that referenced
this pull request
Jul 11, 2019
Usage: $ docker build -t dind-rootless . $ docker run -d --name dind-rootless --privileged dind-rootless $ docker exec dind-rootless docker info * The daemon runs in an unprivileged user with ID 1000 * `--privileged` is still required due to seccomp, apparmor, procfs, and sysfs stuff * `-H tcp://....` will be supported soon: moby/moby#39493 Signed-off-by: Akihiro Suda <[email protected]>
AkihiroSuda
added a commit
to AkihiroSuda/docker-library-docker
that referenced
this pull request
Jul 11, 2019
Usage: $ docker build -t dind-rootless . $ docker run -d --name dind-rootless --privileged dind-rootless $ docker exec dind-rootless docker info * The daemon runs in an unprivileged user with ID 1000 * `--privileged` is still required due to seccomp, apparmor, procfs, and sysfs stuff * `-H tcp://....` will be supported soon: moby/moby#39493 Signed-off-by: Akihiro Suda <[email protected]>
thaJeztah
added
rebuild/*
status/2-code-review
and removed
rebuild/windowsRS5-process
status/0-triage
labels
Codecov Report
@@ Coverage Diff @@
## master #39493 +/- ##
=========================================
Coverage ? 37.32%
=========================================
Files ? 609
Lines ? 45224
Branches ? 0
=========================================
Hits ? 16881
Misses ? 26056
Partials ? 2287 |
Member
|
ping @tonistiigi @tiborvass PTAL |
Member
Author
|
@tonistiigi @tiborvass PTAL? |
Member
|
I asked @tiborvass to review Yesterday; I think he was testing this. |
tiborvass
reviewed
Jul 17, 2019
| To expose the Docker API socket via TCP, you need to launch `dockerd-rootless.sh` with `DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp"`. | ||
|
|
||
| ```console | ||
| $ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="-p 0.0.0.0:2376:2376/tcp" \ |
Contributor
There was a problem hiding this comment.
@AkihiroSuda ok I finally got around testing this and it works, but for usability, I think it would be better to set a smarter default for DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS based on what's in -H or maybe that's too smart? (It would have to grep for tcp:// in -H --host flags and DOCKER_HOST envvar).
Member
Author
There was a problem hiding this comment.
It would need to grep daemon.json as well, so too complex for shell script :P
tiborvass
approved these changes
Jul 17, 2019
Contributor
tiborvass
left a comment
tiborvass
left a comment
There was a problem hiding this comment.
Had a small comment but no need to block this PR for that.
Member
Author
|
cherry-picked as docker-archive#300 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Akihiro Suda [email protected]
- What I did
allow exposing dockerd TCP socket easily in rootless mode
- How I did it
By bumping up RootlessKit from v0.4.1 to v0.6.0:
rootless-containers/rootlesskit@27a0c7a...2fcff6c
- How to verify it
- Description for the changelog
rootless: allow exposing dockerd TCP socket easily
- A picture of a cute animal (not mandatory but encouraged)
https://pixabay.com/photos/animal-avian-bird-cold-nature-1867125/