This repository has been archived by the owner on Oct 13, 2023. It is now read-only.
[19.03 backport] backport rootless fixes #208
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lxc-user-nic can eliminate slirp overhead but needs /etc/lxc/lxc-usernet to be configured for the current user. To use lxc-user-nic, $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic also needs to be set. This commit also bumps up RootlessKit from v0.3.0 to v0.4.0: rootless-containers/rootlesskit@70e0502...e92d5e7 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit 63a66b0) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `--rootless` flag had a couple of issues: * moby#38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker) * moby#39009: euid=0 but $USER="docker" (rootful boot2docker) To fix moby#38702, XDG dirs are ignored as in rootful Docker, unless the dockerd is directly running under RootlessKit namespaces. RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set. To fix moby#39009, the non-robust `$USER` check is now completely removed. The entire logic can be illustrated as follows: ``` withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR") rootlessMode := withRootlessKit || cliFlag("--rootless") honorXDG := withRootlessKit useRootlessKitDockerProxy := withRootlessKit removeCgroupSpec := rootlessMode adjustOOMScoreAdj := rootlessMode ``` Close moby#39024 Fix moby#38702 moby#39009 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> (cherry picked from commit 3518383) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
|
ping @AkihiroSuda @tonistiigi |
tonistiigi
approved these changes
May 14, 2019
tiborvass
approved these changes
May 14, 2019
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
backports for 19.03 of;
fixes moby#38702
fixes moby#39009