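#!/bin/sh
# dockerd-rootless.sh executes dockerd in rootless mode.
#
# Usage: dockerd-rootless.sh --experimental [DOCKERD_OPTIONS]
# Currently, specifying --experimental is mandatory.
#
# External dependencies:
# * newuidmap and newgidmap needs to be installed.
# * /etc/subuid and /etc/subgid needs to be configured for the current user.
# * Either slirp4netns (v0.3+) or VPNKit needs to be installed.
#
# Environment:
# * XDG_RUNTIME_DIR, HOME: must be set and writable (checked below).
# * DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS: optional extra flags for RootlessKit;
#   deliberately word-split on whitespace (POSIX sh has no arrays).
# * _DOCKERD_ROOTLESS_CHILD: internal. The parent sets it to 1 before
#   re-executing itself under RootlessKit so the child half of this script
#   knows it already runs inside the unprivileged namespaces.
#
# See the documentation for the further information.

set -e -x

# Print a diagnostic to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# The expansions below are quoted on purpose: with an unset variable the
# unquoted form `[ -w $VAR ]` collapses to the one-argument test `[ -w ]`,
# which succeeds for any non-empty string, so the check would never fire.
if ! [ -w "${XDG_RUNTIME_DIR:-}" ]; then
  die "XDG_RUNTIME_DIR needs to be set and writable"
fi
if ! [ -w "${HOME:-}" ]; then
  die "HOME needs to be set and writable"
fi

# Prefer the Docker-packaged RootlessKit binary, fall back to a plain one.
rootlesskit=""
for f in docker-rootlesskit rootlesskit; do
  if command -v "$f" >/dev/null 2>&1; then
    rootlesskit=$f
    break
  fi
done
if [ -z "$rootlesskit" ]; then
  die "rootlesskit needs to be installed"
fi

# Pick the user-mode network stack. slirp4netns is only accepted when it
# advertises --disable-host-loopback, since that flag is what keeps the
# namespace from reaching services bound to the host's loopback interface.
net=""
mtu=""
if command -v slirp4netns >/dev/null 2>&1; then
  if slirp4netns --help | grep -q -- --disable-host-loopback; then
    net=slirp4netns
    mtu=65520
  else
    printf '%s\n' "slirp4netns does not support --disable-host-loopback. Falling back to VPNKit." >&2
  fi
fi
if [ -z "$net" ]; then
  if command -v vpnkit >/dev/null 2>&1; then
    net=vpnkit
    mtu=1500
  else
    die "Either slirp4netns (v0.3+) or vpnkit needs to be installed"
  fi
fi

if [ -z "${_DOCKERD_ROOTLESS_CHILD:-}" ]; then
  _DOCKERD_ROOTLESS_CHILD=1
  export _DOCKERD_ROOTLESS_CHILD
  # Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces.
  #
  # --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks
  # * /etc: copy-up is required so as to prevent `/etc/resolv.conf` in the
  #   namespace from being unexpectedly unmounted when `/etc/resolv.conf` is recreated on the host
  #   (by either systemd-networkd or NetworkManager)
  # * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace
  #
  # "$0" "$@" are quoted so that option values containing whitespace survive
  # the re-exec intact; only DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS is left
  # unquoted because it carries several flags in one string.
  # shellcheck disable=SC2086
  "$rootlesskit" \
    --net="$net" --mtu="$mtu" --disable-host-loopback \
    --copy-up=/etc --copy-up=/run \
    $DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \
    "$0" "$@"
else
  # Sanity check: under `set -e` this aborts if the marker holds anything
  # other than the value the parent exported.
  [ "$_DOCKERD_ROOTLESS_CHILD" = 1 ]
  # remove the symlinks for the existing files in the parent namespace if any,
  # so that we can create our own files in our mount namespace.
  rm -f /run/docker /run/xtables.lock
  dockerd "$@"
fi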