
split tls-generate-certs.sh from dockerd-entrypoint.sh #168

Closed
wants to merge 1 commit

Conversation

AkihiroSuda
Contributor

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

so that it can be called from the dind-rootless (#165) entrypoint script
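
The following is an added example of what a certificate generator that two entrypoints can share might look like; it is not the project's tls-generate-certs.sh and nothing about its layout comes from this PR. The directory layout `<certdir>/{ca,server,client}`, the 365-day validity, the 2048-bit RSA keys, the default SAN list and the function names are this example's own assumptions. The point it makes for a script called on every container start, from either entrypoint, is that it has to be idempotent (never overwrite a CA that clients already trust), has to put serverAuth and clientAuth on the right leaves, and must hand out the CA certificate but never the CA key.

```shell
#!/bin/sh
# Added example, not docker-library/docker's own tls-generate-certs.sh: a
# certificate generator that more than one entrypoint (root dind and
# dind-rootless) can call, so neither carries its own copy. Assumptions made
# here, not taken from the PR: the layout <certdir>/{ca,server,client},
# 365-day validity, 2048-bit RSA keys and the default SAN list are this
# example's own choices.
set -eu

# sign_csr <certdir> <csr> <out cert> <extensions>: sign a CSR with the CA,
# attaching the given X.509 v3 extensions (one "name=value" per line).
sign_csr() {
    printf '%s\n' "$4" > "$3.ext"
    openssl x509 -req -days 365 -sha256 -in "$2" \
        -CA "$1/ca/cert.pem" -CAkey "$1/ca/key.pem" -CAcreateserial \
        -extfile "$3.ext" -out "$3" 2>/dev/null
    rm -f "$3.ext"
}

# generate_tls_certs <certdir> [<subjectAltName list>]: prints "exists" and
# changes nothing if a server cert is already present (an entrypoint runs on
# every container start, so regeneration must never clobber a live CA),
# otherwise creates CA, server and client material and prints "generated".
generate_tls_certs() {
    certdir=$1
    san=${2:-DNS:docker,DNS:localhost,IP:127.0.0.1}
    if [ -s "$certdir/server/cert.pem" ]; then
        echo exists
        return 0
    fi
    mkdir -p "$certdir/ca" "$certdir/server" "$certdir/client"
    # CA: self-signed via x509 -signkey so the CA:TRUE constraint does not
    # depend on whatever openssl.cnf the image ships
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=docker:dind CA' \
        -keyout "$certdir/ca/key.pem" -out "$certdir/ca/csr.pem" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$certdir/ca/ext"
    openssl x509 -req -days 365 -sha256 -in "$certdir/ca/csr.pem" \
        -signkey "$certdir/ca/key.pem" -extfile "$certdir/ca/ext" \
        -out "$certdir/ca/cert.pem" 2>/dev/null
    # server: the SAN must cover every name clients will dial, or verification fails
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=docker:dind server' \
        -keyout "$certdir/server/key.pem" -out "$certdir/server/csr.pem" 2>/dev/null
    sign_csr "$certdir" "$certdir/server/csr.pem" "$certdir/server/cert.pem" \
        "extendedKeyUsage=serverAuth
subjectAltName=$san"
    # client: clientAuth only, so a leaked client cert cannot impersonate the daemon
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=docker:dind client' \
        -keyout "$certdir/client/key.pem" -out "$certdir/client/csr.pem" 2>/dev/null
    sign_csr "$certdir" "$certdir/client/csr.pem" "$certdir/client/cert.pem" \
        "extendedKeyUsage=clientAuth"
    # peers need the CA certificate to verify each other, never the CA key
    cp "$certdir/ca/cert.pem" "$certdir/server/ca.pem"
    cp "$certdir/ca/cert.pem" "$certdir/client/ca.pem"
    rm -f "$certdir"/*/csr.pem "$certdir/ca/ext"
    chmod 0600 "$certdir"/*/key.pem
    echo generated
}

# verify_leaf <certdir> <server|client> <text to expect>: "ok" when the leaf
# chains to the CA and its text dump contains the expected line (an EKU or a
# SAN entry), otherwise "bad".
verify_leaf() {
    leaf="$1/$2/cert.pem"
    openssl verify -CAfile "$1/ca/cert.pem" "$leaf" >/dev/null 2>&1 || { echo bad; return 0; }
    if openssl x509 -in "$leaf" -noout -text | grep -q "$3"; then echo ok; else echo bad; fi
}

# Stand-alone use: tls-generate-certs.sh <certdir> [<SAN list>]
if [ $# -gt 0 ]; then
    generate_tls_certs "$@"
fi
```

Either entrypoint calls `generate_tls_certs` with the directory it already uses for TLS material and the hostname or IP the daemon will be reached at; the second call on a restart returns `exists` and leaves the CA alone. The `chmod 0600` on the key files matters more in the rootless case, where the daemon user is the only one who should be able to read them and there is no root to fall back on.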

@AkihiroSuda
Contributor Author

An alternative way is to just extend the current dockerd-entrypoint.sh to support rootless

@tianon
Member

tianon commented Jul 19, 2019

I think I'd like to understand more about the goal of running rootless dockerd inside a container before committing to any adjustment here one way or another -- given that it still requires --privileged, what's gained by doing so?

@AkihiroSuda
Contributor Author

Rootless protects the host from potential vulns of Docker, containerd, and runc

@tianon
Member

tianon commented Jul 22, 2019

But if it's running inside a --privileged container, it still has more elevated privileges than non-root on the host, right?

@AkihiroSuda
Contributor Author

No, it is just the same as non-root on the host.

--privileged is required for disabling seccomp/apparmor so as to allow unshare(2) and other container-related syscalls, and for unmasking /proc/* and /sys/* so that nested containers can mount /proc with a new pid namespace and /sys with a new net namespace.

In other words, --privileged is required only for elevating non-root in a container to non-root on the host.
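
The two halves of the claim in that comment can be checked from inside the container. The script below is an added example, not part of this PR or of the docker-library/docker scripts: it reads the same two proc(5) files a practitioner would look at by hand, `/proc/<pid>/status` (the `Seccomp:` field is 0 when no filter is installed, 1 for strict mode, 2 for a filter) and `/proc/<pid>/uid_map` (`<inside> <outside> <count>` triples), and reports whether the calling process is unconfined and what uid it has in the parent user namespace. The function names and the sample file contents are this example's own assumptions; the samples are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not part of this PR or of docker-library/docker. It checks,
# from inside a dind-rootless container, the claim above: seccomp is off (so
# unshare(2) and the other container syscalls are allowed) and the uid the
# daemon runs as is a non-root uid one namespace up. The parsers take file
# bodies as arguments so they can be exercised on the constructed samples
# below; check_self() runs them on the live /proc.
# Formats (proc(5)): "Seccomp:" in /proc/<pid>/status is 0 (disabled), 1
# (strict) or 2 (filter); /proc/<pid>/uid_map holds "<inside> <outside> <count>".
set -eu

# seccomp_mode <status body>: prints the Seccomp field, or "unknown".
seccomp_mode() {
    printf '%s\n' "$1" | awk '$1=="Seccomp:"{print $2; f=1; exit} END{if(!f)print "unknown"}'
}

# outside_uid <uid_map body> <inside uid>: prints the uid as seen by the parent
# user namespace, or "unmapped" (the kernel shows such ids as the overflow uid
# 65534 and refuses to create files owned by them).
outside_uid() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF==3 && id>=$1 && id<$1+$3 { print $2+(id-$1); f=1; exit }
        END { if(!f) print "unmapped" }'
}

# verdict <uid_map body> <status body> <inside uid>: prints
# "<unconfined|confined>/<root|nonroot|unmapped>" for that process.
verdict() {
    case "$(seccomp_mode "$2")" in 0) c=unconfined ;; *) c=confined ;; esac
    case "$(outside_uid "$1" "$3")" in
        0) u=root ;; unmapped) u=unmapped ;; *) u=nonroot ;;
    esac
    echo "$c/$u"
}

# Constructed samples (assumed values, not captured from a real host).
# uid_map of a process inside the rootlesskit user namespace, created by
# container uid 1000 whose /etc/subuid grants it 100000-165535 via newuidmap.
ROOTLESS_UID_MAP=$(printf '         0       1000          1\n         1     100000      65536\n')
# uid_map of a process in the initial user namespace: what an ordinary
# --privileged container sees as long as no user namespace is in play.
IDENTITY_UID_MAP=$(printf '         0          0 4294967295\n')
STATUS_UNCONFINED=$(printf 'Name:\tdockerd\nUid:\t0\t0\t0\t0\nSeccomp:\t0\n')
STATUS_FILTERED=$(printf 'Name:\tdockerd\nUid:\t0\t0\t0\t0\nSeccomp:\t2\n')

# check_self: the verdict for the running shell from the live /proc, or
# "no procfs" where /proc/self/uid_map is absent (non-Linux).
check_self() {
    [ -r /proc/self/uid_map ] || { echo "no procfs"; return 0; }
    verdict "$(cat /proc/self/uid_map)" "$(cat /proc/self/status)" "$(id -u)"
}

check_self
```

Run as the daemon user in the dind-rootless container (before rootlesskit enters its namespace) the expected verdict is `unconfined/nonroot`; run inside the rootlesskit namespace, uid 0 there resolves to 1000, which is the point of the comment above. Two caveats: `uid_map` describes exactly one namespace boundary, so for the host's view of a nested process read `/proc/<pid>/uid_map` or `ps -o uid=` on the host rather than trusting the innermost map; and the `CapEff:` field in `status` is relative to the process's own user namespace, so root inside the rootlesskit namespace shows a full capability set that is nonetheless scoped to that namespace. The uid mapping, not the capability mask, is what tells you that.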

@AkihiroSuda
Contributor Author

Or maybe it is less privileged than non-root-on-the-host, because it has fewer suid binaries (only /usr/bin/newuidmap and /usr/bin/newgidmap)

@AkihiroSuda
Contributor Author

Also, as a side effect, splitting the script will be helpful for testing issues like #171

@AkihiroSuda
Contributor Author

rebased

@yosifkit
Member

I'd rather not have a sprawl of many scripts and instead have one script that can do everything required for dind-related startup (root or not).

@AkihiroSuda
Contributor Author

The standard dind tag image should contain all rootless dependencies (vpnkit and rootlesskit) as well?

@AkihiroSuda
Contributor Author

@tonistiigi @tiborvass Do you think the rootless image should be separated from dind, or it should be just dind with --user 1000?

@tianon
Member

tianon commented Jul 30, 2019 via email

@AkihiroSuda
Contributor Author

closing in favor of #174

3 participants