packages/moby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!145 Dockerd rootless: make {/etc,/var/run}/cdi available

Browse Source 
From: @dog-life 
Reviewed-by: @xu_lei_123 
Signed-off-by: @xu_lei_123
This commit is contained in:
openeuler-ci-bot 2025-04-22 14:19:46 +00:00 committed by Gitee
commit 2bda1cfbc3
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 104 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
1019-Dockerd-rootless-make-etc-var-run-cdi-available.patch Normal file
View File

@ -0,0 +1,99 @@
From ddc8a15eb54f0f8911e463ce2694521dc4531b0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez=20L=C3=B3pez?=
<ereslibre@ereslibre.es>
Date: Mon, 23 Sep 2024 10:39:30 +0200
Subject: Dockerd rootless: make {/etc,/var/run}/cdi available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When dockerd is executed with the `dockerd-rootless.sh` script, make
/etc/cdi and /var/run/cdi available to the daemon if they exist.
This makes it possible to enable the CDI integration in rootless mode.
Fixes: #47676
Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>
(cherry picked from commit 4e30acb63ffa085e54576361814f417db8c84645)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
contrib/dockerd-rootless.sh | 48 +++++++++++++++++++++++++++++++++----
1 file changed, 44 insertions(+), 4 deletions(-)
diff --git a/contrib/dockerd-rootless.sh b/contrib/dockerd-rootless.sh
index 0baa112e2c..6c0775ec65 100755
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -53,6 +53,30 @@ if ! [ -d "$HOME" ]; then
exit 1
fi
+mount_directory() {
+ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
+ echo "mount_directory should be called from the child context. Otherwise data loss is at risk" >&2
+ exit 1
+ fi
+
+ DIRECTORY="$1"
+ if [ ! -d "$DIRECTORY" ]; then
+ return
+ fi
+
+ # Bind mount directory: this makes this directory visible to
+ # Dockerd, even if it is originally a symlink, given Dockerd does
+ # not always follow symlinks. Some directories might also be
+ # "copied-up", meaning that they will also be writable on the child
+ # namespace; this will be the case only if they are provided as
+ # --copy-up to the rootlesskit.
+ DIRECTORY_REALPATH=$(realpath "$DIRECTORY")
+ MOUNT_OPTIONS="${2:---bind}"
+ rm -rf "$DIRECTORY"
+ mkdir -p "$DIRECTORY"
+ mount $MOUNT_OPTIONS "$DIRECTORY_REALPATH" "$DIRECTORY"
+}
+
rootlesskit=""
for f in docker-rootlesskit rootlesskit; do
if command -v $f > /dev/null 2>&1; then
@@ -132,6 +156,25 @@ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
"$0" "$@"
else
[ "$_DOCKERD_ROOTLESS_CHILD" = 1 ]
+
+ # The Container Device Interface (CDI) specs can be found by default
+ # under {/etc,/var/run}/cdi. More information at:
+ # https://github.com/cncf-tags/container-device-interface
+ #
+ # In order to use the Container Device Interface (CDI) integration,
+ # the CDI paths need to exist before the Docker daemon is started in
+ # order for it to read the CDI specification files. Otherwise, a
+ # Docker daemon restart will be required for the daemon to discover
+ # them.
+ #
+ # If another set of CDI paths (other than the default /etc/cdi and
+ # /var/run/cdi) are configured through the Docker configuration file
+ # (using "cdi-spec-dirs"), they need to be bind mounted in rootless
+ # mode; otherwise the Docker daemon won't have access to the CDI
+ # specification files.
+ mount_directory /etc/cdi
+ mount_directory /var/run/cdi
+
# remove the symlinks for the existing files in the parent namespace if any,
# so that we can create our own files in our mount namespace.
rm -f /run/docker /run/containerd /run/xtables.lock
@@ -146,10 +189,7 @@ else
if [ "$(stat -c %T -f /etc)" = "tmpfs" ] && [ -L "/etc/ssl" ]; then
# Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
# https://github.com/rootless-containers/rootlesskit/issues/225
- realpath_etc_ssl=$(realpath /etc/ssl)
- rm -f /etc/ssl
- mkdir /etc/ssl
- mount --rbind ${realpath_etc_ssl} /etc/ssl
+ mount_directory /etc/ssl "--rbind"
fi
exec "$dockerd" "$@"
--
2.27.0

6
moby.spec
View File

@ -7,7 +7,7 @@
Name: moby Name: moby
Version: 25.0.3 Version: 25.0.3
Release: 30 Release: 31
Summary: The open-source application container engine Summary: The open-source application container engine
License: Apache-2.0 License: Apache-2.0
URL: https://www.docker.com URL: https://www.docker.com
@ -42,6 +42,7 @@ Patch1015: 1015-rootless-fix-open-etc-docker-plugins-permission-deni.patch
Patch1016: 1016-Fix-cases-where-we-are-wrapping-a-nil-error.patch Patch1016: 1016-Fix-cases-where-we-are-wrapping-a-nil-error.patch
Patch1017: 1017-libnetwork-fix-non-constant-format-string-in-call-go.patch Patch1017: 1017-libnetwork-fix-non-constant-format-string-in-call-go.patch
Patch1018: 1018-Fix-setup-user-chains-even-if-there-are-running-cont.patch Patch1018: 1018-Fix-setup-user-chains-even-if-there-are-running-cont.patch
Patch1019: 1019-Dockerd-rootless-make-etc-var-run-cdi-available.patch
# Patch 2001-2999 for tini # Patch 2001-2999 for tini
Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch
Requires(meta): %{name}-engine = %{version}-%{release} Requires(meta): %{name}-engine = %{version}-%{release}
@ -233,6 +234,9 @@ fi
%systemd_postun_with_restart docker.service %systemd_postun_with_restart docker.service
%changelog %changelog
* Mon Apr 21 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-31
- Dockerd rootless: make {/etc,/var/run}/cdi available
* Sun Apr 20 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-30 * Sun Apr 20 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-30
- Fix: setup user chains even if there are running containers - Fix: setup user chains even if there are running containers