Support systemd socket activation

[charliemirabile]

Fixes: #428

This is my first time writing go code, so go easy on me :)

I tried to break this down into a clear set of commits, so the actual logic I want to implement is easy to follow separate from the necessary refactoring I did. Happy to squash this down into one commit though if that is the etiquette around here.

[AkihiroSuda]

Thanks, how to test this?

[charliemirabile]

In order to test, systemd provides a program systemd-socket-activate that can be used to simulate starting a service with socket activation. I used the docker daemon as an example.

I needed to modify the script that is used to spawn it with rootless kit (the default provided for installing dockerd rootless) by adding the line export LISTEN_PID=$$ right above the line that actually execs dockerd exec "$dockerd" "$@" and then I could invoke it with the systemd program as follows: systemd-socket-activate -l /tmp/docker.sock /path/to/dockerd-rootless.sh -H fd://.

The systemd program will create /tmp/docker.sock and be listening on it waiting for a connection. I can then attempt to connect to it from a different terminal with docker (with DOCKER_HOST=unix:///tmp/docker.sock) or with the following curl command curl -H "Content-Type: application/json" --unix-socket /tmp/docker.sock http://localhost/_ping.

Assuming all is well you will the the daemon startup messages in the original terminal and after a short delay, you will see the expected output of the docker command or the successful ping reponse OK.

[AkihiroSuda]

Thanks, is it testable without depending on Docker?
Can we have a test script like https://github.com/rootless-containers/rootlesskit/blob/v2.0.2/hack/integration-evacuate-cgroup2.sh#L4 ?

[charliemirabile]

yes, you could write a script like this:

#!/bin/sh
read -r REQUEST
if [ "$(printf 'GET /hello HTTP/1.1\r\n')" = "$REQUEST" ]
then
    printf 'HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nHello\n'
else
    printf 'HTTP/1.1 400 Bad Request\r\nContent-Length: 5\r\n\r\nBad!\n'
fi

and then do systemd-socket-activate -l /tmp/test.sock socat ACCEPT-FD:3 EXEC:./test.sh,nofork and then verify that you get Hello back from curl --unix-socket /tmp/test.sock https://localhost/hello

[charliemirabile]

Ok, I have a working testing script, but I am struggling to add it to the existing integration testing framework.

diff --git a/hack/integration-systemd-socket.sh b/hack/integration-systemd-socket.sh
new file mode 100755
index 0000000..1129a72
--- /dev/null
+++ b/hack/integration-systemd-socket.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+if [ -z "$EXECED" ]
+then
+       systemd-socket-activate -E EXECED=1 -l /tmp/activate.sock socat ACCEPT-FD:3 EXEC:"rootlesskit $0",nofork 2>/dev/null &
+       OUTPUT="$(curl --unix-socket /tmp/activate.sock http://localhost/hello 2>/dev/null)"
+       [ "$(printf 'Hello\n' )" = "$OUTPUT" ] || exit 1
+else
+       [ "$LISTEN_FDS" = "1" ] || exit 1
+       read -r REQUEST
+       if [ "$(printf 'GET /hello HTTP/1.1\r\n')" = "$REQUEST" ]
+       then
+           printf 'HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nHello\n'
+       else
+           printf 'HTTP/1.1 400 Bad Request\r\nContent-Length: 5\r\n\r\nBad!\n'
+       fi
+fi

I need a newer version of socat (v1.8.0 instead of v.1.7.4) which is available in ubuntu 24.04 but not 22.04. I feel like bumping the ubuntu version used in the Dockerfile across the board would probably be outside of the scope of this PR (especially because it isn't trivial to do). Is it ok for me to just add the testing script without adding it to the CI, or should I make a separate PR and try to bump the ubuntu version and then come back to this?

[AkihiroSuda]

Integration to CI can be worked out later.
https://github.com/rootless-containers/rootlesskit/blob/v2.0.2/hack/integration-evacuate-cgroup2.sh isn’t integrated to CI either, as the current Dockerfile lacks systemd

[charliemirabile]

Alright, just pushed one more commit with the script

[AkihiroSuda]

Thanks