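#!/bin/bash
#
# hack/dind-systemd: docker-in-docker entrypoint that boots systemd as PID 1
# inside the (privileged) container and runs the container command as the
# "docker-entrypoint.service" unit, pulled in by "docker-entrypoint.target".
#
# Usage: dind-systemd COMMAND [ARGS...]
#   The container must be started with a TTY (`docker run -t ...`).
#   The command's exit status (or 128+signal number when it was killed by a
#   signal) is turned into the container's exit status via `systemctl exit`
#   in the unit's ExecStopPost= below.
set -e

# Set the container env-var, so that AppArmor is enabled in the daemon and
# containerd when running docker-in-docker.
#
# see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
# see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
container=docker
export container

if [[ $# -eq 0 ]]; then
	echo >&2 'ERROR: No command specified. You probably want to run `journalctl -f`, or maybe `bash`?'
	exit 1
fi

# The command is attached to the terminal through StandardInput=tty-force in
# the unit below, so refuse to start without a TTY instead of failing later
# inside systemd.
if [[ ! -t 0 ]]; then
	echo >&2 'ERROR: TTY needs to be enabled (`docker run -t ...`).'
	exit 1
fi

# Change mount propagation to shared, which SystemD PID 1 would normally do
# itself when started by the kernel. SystemD skips that when it detects it is
# running in a container.
mount --make-rshared /

# Allow AppArmor to work inside the container;
#
#     aa-status
#     apparmor filesystem is not mounted.
#     apparmor module is loaded.
#
#     mount -t securityfs none /sys/kernel/security
#
#     aa-status
#     apparmor module is loaded.
#     30 profiles are loaded.
#     30 profiles are in enforce mode.
#        /snap/snapd/18357/usr/lib/snapd/snap-confine
#        ...
#
# Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
#
#     ## /sys/kernel/security
#
#     In /sys/kernel/security mounted the securityfs interface, which allows
#     configuration of Linux Security Modules. This allows configuration of
#     AppArmor policies, and so access to this may allow a container to disable
#     its MAC system.
#
# Given that we're running privileged already, this should not be an issue.
# A failed mount is deliberately non-fatal: only AppArmor-related features
# degrade, so warn and carry on.
if [[ -d /sys/kernel/security ]] && ! mountpoint -q /sys/kernel/security; then
	mount -t securityfs none /sys/kernel/security || {
		echo >&2 'Could not mount /sys/kernel/security.'
		echo >&2 'AppArmor detection and --privileged mode might break.'
	}
fi

# Hand the entrypoint's environment and command line to the unit through two
# files: the environment is consumed via EnvironmentFile=, the command line is
# `source`d by ExecStart= (hence `printf %q`, which shell-quotes every word).
# Both files can carry secrets (`docker run -e TOKEN=...`, or a password given
# as a command argument), so they are created readable by root only rather
# than with the default umask, which would expose them to every unprivileged
# process systemd later starts in the container. The umask is tightened in a
# subshell so it does not affect the unit files written below.
quoted_args="$(printf " %q" "${@}")"
(
	umask 077
	env > /etc/docker-entrypoint-env
	printf '%s\n' "${quoted_args}" > /etc/docker-entrypoint-cmd
)
# NOTE(review): `env` output is not re-quoted for the EnvironmentFile= syntax;
# values containing newlines may not round-trip through systemd — confirm if
# such values are expected.

cat > /etc/systemd/system/docker-entrypoint.target << EOF
[Unit]
Description=the target for docker-entrypoint.service
Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
EOF

# Unquoted heredoc on purpose: $(pwd) is expanded now, while every \$-escaped
# expansion is left for the shell systemd runs in ExecStart=/ExecStopPost=.
# The signal-name pattern is quoted so the ExecStopPost shell never glob-expands
# it against a file in WorkingDirectory (a file named e.g. "A" would otherwise
# replace the pattern).
cat > /etc/systemd/system/docker-entrypoint.service << EOF
[Unit]
Description=docker-entrypoint.service

[Service]
ExecStart=/bin/bash -exc "source /etc/docker-entrypoint-cmd"
# EXIT_STATUS is either an exit code integer or a signal name string, see systemd.exec(5)
ExecStopPost=/bin/bash -ec "if echo \${EXIT_STATUS} | grep '[A-Z]' > /dev/null; then echo >&2 \"got signal \${EXIT_STATUS}\"; systemctl exit \$(( 128 + \$( kill -l \${EXIT_STATUS} ) )); else systemctl exit \${EXIT_STATUS}; fi"
StandardInput=tty-force
StandardOutput=inherit
StandardError=inherit
WorkingDirectory=$(pwd)
EnvironmentFile=/etc/docker-entrypoint-env

[Install]
WantedBy=multi-user.target
EOF

# Keep firstboot and udevd from starting in the container; logind must be
# available because docker-entrypoint.target requires it.
systemctl mask systemd-firstboot.service systemd-udevd.service
systemctl unmask systemd-logind
systemctl enable docker-entrypoint.service

# Locate the systemd binary (falling back to /sbin/init) and replace this
# shell with it, so that systemd becomes PID 1 of the container.
systemd=
for candidate in /lib/systemd/systemd /usr/lib/systemd/systemd /sbin/init; do
	if [[ -x "$candidate" ]]; then
		systemd=$candidate
		break
	fi
done
if [[ -z "$systemd" ]]; then
	echo >&2 'ERROR: systemd is not installed'
	exit 1
fi
systemd_args=(--show-status=false --unit=docker-entrypoint.target)
echo "$0: starting $systemd ${systemd_args[*]}"
exec "$systemd" "${systemd_args[@]}"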