github.com/rish1988/moby@v25.0.2+incompatible/hack/dind (about) 1 #!/bin/sh 2 set -e 3 4 # DinD: a wrapper script which allows docker to be run inside a docker container. 5 # Original version by Jerome Petazzoni <jerome@docker.com> 6 # See the blog post: https://www.docker.com/blog/docker-can-now-run-within-docker/ 7 # 8 # This script should be executed inside a docker container in privileged mode 9 # ('docker run --privileged', introduced in docker 0.6). 10 11 # Usage: dind CMD [ARG...] 12 13 # apparmor sucks and Docker needs to know that it's in a container (c) @tianon 14 # 15 # Set the container env-var, so that AppArmor is enabled in the daemon and 16 # containerd when running docker-in-docker. 17 # 18 # see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45 19 # see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497 20 export container=docker 21 22 # Allow AppArmor to work inside the container; 23 # 24 # aa-status 25 # apparmor filesystem is not mounted. 26 # apparmor module is loaded. 27 # 28 # mount -t securityfs none /sys/kernel/security 29 # 30 # aa-status 31 # apparmor module is loaded. 32 # 30 profiles are loaded. 33 # 30 profiles are in enforce mode. 34 # /snap/snapd/18357/usr/lib/snapd/snap-confine 35 # ... 36 # 37 # Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security 38 # 39 # ## /sys/kernel/security 40 # 41 # In /sys/kernel/security mounted the securityfs interface, which allows 42 # configuration of Linux Security Modules. This allows configuration of 43 # AppArmor policies, and so access to this may allow a container to disable 44 # its MAC system. 45 # 46 # Given that we're running privileged already, this should not be an issue. 47 if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then 48 mount -t securityfs none /sys/kernel/security || { 49 echo >&2 'Could not mount /sys/kernel/security.' 50 echo >&2 'AppArmor detection and --privileged mode might break.' 51 } 52 fi 53 54 # Mount /tmp (conditionally) 55 if ! mountpoint -q /tmp; then 56 mount -t tmpfs none /tmp 57 fi 58 59 # cgroup v2: enable nesting 60 if [ -f /sys/fs/cgroup/cgroup.controllers ]; then 61 # move the processes from the root group to the /init group, 62 # otherwise writing subtree_control fails with EBUSY. 63 # An error during moving non-existent process (i.e., "cat") is ignored. 64 mkdir -p /sys/fs/cgroup/init 65 xargs -rn1 < /sys/fs/cgroup/cgroup.procs > /sys/fs/cgroup/init/cgroup.procs || : 66 # enable controllers 67 sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \ 68 > /sys/fs/cgroup/cgroup.subtree_control 69 fi 70 71 # Change mount propagation to shared to make the environment more similar to a 72 # modern Linux system, e.g. with SystemD as PID 1. 73 mount --make-rshared / 74 75 if [ $# -gt 0 ]; then 76 exec "$@" 77 fi 78 79 echo >&2 'ERROR: No command specified.' 80 echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'