registry: deprecate SetCertsDir

thaJeztah · thaJeztah · commit b633c4cc33bd · 2025-03-10T19:11:09.000+01:00
This function had to be called both in the daemon startup, as well as
the CLI startup. Which, in case of the cli, meant that the registry
package became a required dependency for all CLI-plugins.

Make the package itself aware of situations where it's running with
rootlessKit enabled. Altogether we should get rid of this package-level
variable, and instead store this in our configuration, and pass through
where it's used.

Signed-off-by: Sebastiaan van Stijn &lt;github@gone.nl&gt;
diff --git a/cmd/dockerd/config_unix.go b/cmd/dockerd/config_unix.go
@@ -4,13 +4,9 @@ package main
 
 import (
 	"net"
-	"path/filepath"
 
 	"github.com/docker/docker/daemon/config"
 	"github.com/docker/docker/opts"
-	"github.com/docker/docker/pkg/homedir"
-	"github.com/docker/docker/pkg/rootless"
-	"github.com/docker/docker/registry"
 	"github.com/spf13/pflag"
 )
 
@@ -59,14 +55,3 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) {
 	flags.BoolVar(&conf.Rootless, "rootless", conf.Rootless, "Enable rootless mode; typically used with RootlessKit")
 	flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", conf.CgroupNamespaceMode, `Default mode for containers cgroup namespace ("host" | "private")`)
 }
-
-// configureCertsDir configures registry.CertsDir() depending on if the daemon
-// is running in rootless mode or not.
-func configureCertsDir() {
-	if rootless.RunningWithRootlessKit() {
-		configHome, err := homedir.GetConfigHome()
-		if err == nil {
-			registry.SetCertsDir(filepath.Join(configHome, "docker/certs.d"))
-		}
-	}
-}
diff --git a/cmd/dockerd/docker.go b/cmd/dockerd/docker.go
@@ -79,7 +79,6 @@ func newDaemonCommand() (*cobra.Command, error) {
 	flags := cmd.Flags()
 	flags.BoolP("version", "v", false, "Print version information and quit")
 	flags.StringVar(&opts.configFile, "config-file", opts.configFile, "Daemon configuration file")
-	configureCertsDir()
 	opts.installFlags(flags)
 	installConfigFlags(opts.daemonConfig, flags)
 	installServiceFlags(flags)
diff --git a/registry/config.go b/registry/config.go
@@ -4,13 +4,17 @@ import (
 	"context"
 	"net"
 	"net/url"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 
 	"github.com/containerd/log"
 	"github.com/distribution/reference"
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/internal/lazyregexp"
+	"github.com/docker/docker/pkg/homedir"
 )
 
 // ServiceOptions holds command line options.
@@ -89,23 +93,49 @@ var (
 
 	validHostPortRegex = lazyregexp.New(`^` + reference.DomainRegexp.String() + `$`)
 
-	// certsDir is used to override defaultCertsDir.
-	certsDir string
+	// certsDir is used to override defaultCertsDir when running with rootlessKit.
+	//
+	// TODO(thaJeztah): change to a sync.OnceValue once we remove [SetCertsDir]
+	// TODO(thaJeztah): certsDir should not be a package variable, but stored in our config, and passed when needed.
+	setCertsDirOnce sync.Once
+	certsDir        string
 )
 
+func setCertsDir(dir string) string {
+	setCertsDirOnce.Do(func() {
+		if dir != "" {
+			certsDir = dir
+			return
+		}
+		if os.Getenv("ROOTLESSKIT_STATE_DIR") != "" {
+			// Configure registry.CertsDir() when running in rootless-mode
+			// This is the equivalent of [rootless.RunningWithRootlessKit],
+			// but inlining it to prevent adding that as a dependency
+			// for docker/cli.
+			//
+			// [rootless.RunningWithRootlessKit]: https://github.com/moby/moby/blob/b4bdf12daec84caaf809a639f923f7370d4926ad/pkg/rootless/rootless.go#L5-L8
+			if configHome, err := homedir.GetConfigHome(); err == nil {
+				certsDir = filepath.Join(configHome, "docker/certs.d")
+				return
+			}
+		}
+		certsDir = defaultCertsDir
+	})
+	return certsDir
+}
+
 // SetCertsDir allows the default certs directory to be changed. This function
 // is used at daemon startup to set the correct location when running in
 // rootless mode.
+//
+// Deprecated: the cert-directory is now automatically selected when running with rootlessKit, and should no longer be set manually.
 func SetCertsDir(path string) {
-	certsDir = path
+	setCertsDir(path)
 }
 
 // CertsDir is the directory where certificates are stored.
 func CertsDir() string {
-	if certsDir != "" {
-		return certsDir
-	}
-	return defaultCertsDir
+	return setCertsDir("")
 }
 
 // newServiceConfig returns a new instance of ServiceConfig
