github.com/moby/docker@v26.1.3+incompatible/hack/dind

github.com/moby/docker@v26.1.3+incompatible/hack/dind (about)

     1  #!/bin/sh
     2  set -e
     3  
     4  # DinD: a wrapper script which allows docker to be run inside a docker container.
     5  # Original version by Jerome Petazzoni <jerome@docker.com>
     6  # See the blog post: https://www.docker.com/blog/docker-can-now-run-within-docker/
     7  #
     8  # This script should be executed inside a docker container in privileged mode
     9  # ('docker run --privileged', introduced in docker 0.6).
    10  
    11  # Usage: dind CMD [ARG...]
    12  
    13  # apparmor sucks and Docker needs to know that it's in a container (c) @tianon
    14  #
    15  # Set the container env-var, so that AppArmor is enabled in the daemon and
    16  # containerd when running docker-in-docker.
    17  #
    18  # see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
    19  # see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
    20  export container=docker
    21  
    22  # Allow AppArmor to work inside the container;
    23  #
    24  #     aa-status
    25  #     apparmor filesystem is not mounted.
    26  #     apparmor module is loaded.
    27  #
    28  #     mount -t securityfs none /sys/kernel/security
    29  #
    30  #     aa-status
    31  #     apparmor module is loaded.
    32  #     30 profiles are loaded.
    33  #     30 profiles are in enforce mode.
    34  #       /snap/snapd/18357/usr/lib/snapd/snap-confine
    35  #       ...
    36  #
    37  # Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
    38  #
    39  #     ## /sys/kernel/security
    40  #
    41  #     In /sys/kernel/security mounted the securityfs interface, which allows
    42  #     configuration of Linux Security Modules. This allows configuration of
    43  #     AppArmor policies, and so access to this may allow a container to disable
    44  #     its MAC system.
    45  #
    46  # Given that we're running privileged already, this should not be an issue.
    47  if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
    48  	mount -t securityfs none /sys/kernel/security || {
    49  		echo >&2 'Could not mount /sys/kernel/security.'
    50  		echo >&2 'AppArmor detection and --privileged mode might break.'
    51  	}
    52  fi
    53  
    54  # Mount /tmp (conditionally)
    55  if ! mountpoint -q /tmp; then
    56  	mount -t tmpfs none /tmp
    57  fi
    58  
    59  # cgroup v2: enable nesting
    60  if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
    61  	# move the processes from the root group to the /init group,
    62  	# otherwise writing subtree_control fails with EBUSY.
    63  	# An error during moving non-existent process (i.e., "cat") is ignored.
    64  	mkdir -p /sys/fs/cgroup/init
    65  	xargs -rn1 < /sys/fs/cgroup/cgroup.procs > /sys/fs/cgroup/init/cgroup.procs || :
    66  	# enable controllers
    67  	sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \
    68  		> /sys/fs/cgroup/cgroup.subtree_control
    69  fi
    70  
    71  # Change mount propagation to shared to make the environment more similar to a
    72  # modern Linux system, e.g. with SystemD as PID 1.
    73  mount --make-rshared /
    74  
    75  if [ $# -gt 0 ]; then
    76  	exec "$@"
    77  fi
    78  
    79  echo >&2 'ERROR: No command specified.'
    80  echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'