diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml
index 597d21e45d..48845714a4 100644
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -41,6 +41,25 @@ jobs:
 -
 name: Set up runner
 uses: ./.github/actions/setup-runner
+ -
+ name: Prepare
+ run: |
+ CACHE_DEV_SCOPE=dev
+ if [[ "${{ matrix.mode }}" == *"rootless"* ]]; then
+ # In rootless mode, tests will run in the host's namspace not the rootlesskit
+ # namespace. So, probably no different to non-rootless unit tests and can be
+ # removed from the test matrix.
+ echo "DOCKER_ROOTLESS=1" >> $GITHUB_ENV
+ fi
+ if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+ echo "FIREWALLD=true" >> $GITHUB_ENV
+ CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+ fi
+ if [[ "${{ matrix.mode }}" == *"systemd"* ]]; then
+ echo "SYSTEMD=true" >> $GITHUB_ENV
+ CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
+ fi
+ echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
 -
 name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
@@ -204,6 +223,7 @@ jobs:
 - ""
 - rootless
 - systemd
+ - firewalld
 #- rootless-systemd FIXME: https://github.com/moby/moby/issues/44084
 exclude:
 - os: ubuntu-24.04 # FIXME: https://github.com/moby/moby/pull/49579#issuecomment-2698622223
@@ -229,6 +249,10 @@ jobs:
 echo "SYSTEMD=true" >> $GITHUB_ENV
 CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
 fi
+ if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+ echo "FIREWALLD=true" >> $GITHUB_ENV
+ CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+ fi
 echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
 -
 name: Set up Docker Buildx
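Review bot: The new `Prepare` step interpolates `${{ matrix.mode }}` straight into the shell script (`if [[ "${{ matrix.mode }}" == *"rootless"* ]]` and the two sibling tests); the values are literals defined in this workflow, so it is not exploitable today, but the workflow-hardening convention is to pass the value through `env:` (`MODE: ${{ matrix.mode }}`) and test `"$MODE"`, so that a later change to where the matrix comes from cannot turn the comparison into script injection. The same firewalld block is repeated in the hunks at `@@ -229` and `@@ -372`, and the `@@ -229` copy appends `systemd` before `firewalld` while this one appends `firewalld` before `systemd`, so a combined mode would produce different `CACHE_DEV_SCOPE` values in different jobs; a composite action or a fixed suffix order would keep them aligned. The inline comment also misspells `namspace` and carries a TODO about dropping rootless from the unit-test matrix that would be better tracked in an issue than in a run script.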
@@ -372,6 +396,15 @@ jobs:
 -
 name: Set up tracing
 uses: ./.github/actions/setup-tracing
+ -
+ name: Prepare
+ run: |
+ CACHE_DEV_SCOPE=dev
+ if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+ echo "FIREWALLD=true" >> $GITHUB_ENV
+ CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+ fi
+ echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
 -
 name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
diff --git a/Dockerfile b/Dockerfile
index 1ce2bb063f..a577ad0e75 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,7 @@ ARG BUILDX_VERSION=0.12.1
 ARG COMPOSE_VERSION=v2.24.5
 ARG SYSTEMD="false"
+ARG FIREWALLD="false"
 ARG DOCKER_STATIC=1
 # REGISTRY_VERSION specifies the version of the registry to download from
@@ -500,7 +501,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
 systemd-sysv
 ENTRYPOINT ["hack/dind-systemd"]
-FROM dev-systemd-${SYSTEMD} AS dev-base
+FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
+
+FROM dev-systemd-true AS dev-firewalld-true
+RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
+ --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
+ apt-get update && apt-get install -y --no-install-recommends \
+ firewalld
+RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
+
+FROM dev-firewalld-${FIREWALLD} AS dev-base
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
diff --git a/Makefile b/Makefile
index d871d772d7..1242f38b49 100644
--- a/Makefile
+++ b/Makefile
@@ -56,6 +56,7 @@ DOCKER_ENVS := \
 -e DOCKER_USERLANDPROXY \
 -e DOCKERD_ARGS \
 -e DELVE_PORT \
+ -e FIREWALLD \
 -e GITHUB_ACTIONS \
 -e TEST_FORCE_VALIDATE \
 -e TEST_INTEGRATION_DIR \
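Review bot: `FROM dev-systemd-true AS dev-firewalld-true` hard-wires the systemd base regardless of the `SYSTEMD` build-arg, so `FIREWALLD=true` together with `SYSTEMD=false` silently produces a systemd image; that is presumably intended because firewalld is driven over dbus as a systemd service, but it deserves a comment above the stage such as `# firewalld needs systemd (dbus), so FIREWALLD=true always builds on dev-systemd-true`. The `sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/'` line has no check that the substitution matched, so a changed default in the packaged `firewalld.conf` (different key spelling, spacing, or already iptables) leaves the nftables backend in place while the build still succeeds and the tests then exercise a different backend than intended; chaining `&& grep -q '^FirewallBackend=iptables$' /etc/firewalld/firewalld.conf` makes the build fail loudly instead.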
@@ -149,6 +150,9 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
+ifdef FIREWALLD
+DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
+endif
 BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build
diff --git a/docker-bake.hcl b/docker-bake.hcl
index f822ec758b..0bf5292931 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -172,11 +172,16 @@ variable "SYSTEMD" {
 default = "false"
 }
+variable "FIREWALLD" {
+ default = "false"
+}
+
 target "dev" {
 inherits = ["_common"]
 target = "dev"
 args = {
 SYSTEMD = SYSTEMD
+ FIREWALLD = FIREWALLD
 }
 tags = ["docker-dev"]
 output = ["type=docker"]
diff --git a/hack/dind-systemd b/hack/dind-systemd
index ff45b7560f..1515bda059 100755
--- a/hack/dind-systemd
+++ b/hack/dind-systemd
@@ -56,12 +56,27 @@ if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
 }
 fi
+# Allow connections coming from the host (through eth0). This is needed to
+# access the daemon port (independently of which port is used), or run a
+# 'remote' Delve session, etc...
+if [ "${FIREWALLD:-}" = "true" ]; then
+ cat > /etc/firewalld/zones/trusted.xml << EOF
+
+
+ Trusted
+ All network connections are accepted.
+
+
+
+EOF
+fi
+
 env > /etc/docker-entrypoint-env
 cat > /etc/systemd/system/docker-entrypoint.target << EOF
 [Unit]
 Description=the target for docker-entrypoint.service
-Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
+Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ "${FIREWALLD:-}" = "true" ] && echo firewalld.service)
 EOF
 quoted_args="$(printf " %q" "${@}")"
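Review bot: `ifdef FIREWALLD` is true for any non-empty value, including `FIREWALLD=false`, whereas `hack/dind-systemd` in this same commit only writes the zone file and pulls in `firewalld.service` when the variable equals the string `true`; a user running `FIREWALLD=false make …` therefore gets an image with firewalld installed and its backend switched, but an entrypoint that never configures it. Testing the value, `ifeq ($(FIREWALLD),true)`, keeps the build-time and run-time meanings of the variable in agreement; the existing `ifdef DOCKER_SYSTEMD` uses a differently named knob, so it does not have the same mismatch with the env var forwarded by `-e FIREWALLD` in the `DOCKER_ENVS` hunk. If the `ifdef` form is kept for consistency, a comment that any non-empty value enables the build-arg would at least document the difference.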
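Review bot: The zone file is written whenever `FIREWALLD=true` is in the environment, but that variable is forwarded verbatim from the host by `-e FIREWALLD`, so a container started from an image built without the firewalld build-arg will fail at `cat > /etc/firewalld/zones/trusted.xml` (the directory only exists once the package is installed) or, if that is tolerated, fail at boot because `docker-entrypoint.target` now `Requires=firewalld.service`; failing early with a clear message, e.g. `if [ "${FIREWALLD:-}" = "true" ] && [ ! -d /etc/firewalld ]; then echo "FIREWALLD=true but firewalld is not installed in this image" >&2; exit 1; fi`, would make the mismatch obvious. Whether the script runs under `set -e` is not visible in this hunk. The rendering of this page has stripped the XML tags out of the heredoc, so the zone's target and interface binding cannot be reviewed here; the comment states the intent (accept all connections from the host via eth0), and the element content should be checked against that, since overriding the distribution's `trusted` zone in `/etc/firewalld/zones/` presumably takes precedence over the packaged definition.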