When DOCKERD_ROOTLESS_ROOTLESSKIT_MTU is not set, and ...
- DOCKERD_ROOTLESS_ROOTLESSKIT_NET is not set and slirp4netns
is selected, MTU defaults to 65520.
- DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns, MTU defaults
to 1500.
Change the logic so that, however slirp4netns is selected, MTU
defaults to 65520.
Signed-off-by: Rob Murray <rob.murray@docker.com>
When running the docker daemon with `--selinux-enabled`, access to the docker
socket is prevented by SELinux. To access the socket, the container must be
started with `--privileged`, with SELinux disabled (`--security-opt label=disable`),
or with (e.g.) `--security-opt label=type:container_runtime_t`, which gives
it access to files restricted to the runtime ( `dockerd` daemon) itself.
While having access to the docker socket grants full `root` permissions on
the host (e.g. through starting a privileged container using the socket),
it may be preferable to restrict the container to just the socket.
This patch adds a `docker_client.process` SELinux CIL policy module that
defines a container domain (process type). It inherits the base container
template and grants the permissions needed to use the docker socket.
Without this (and the daemon running with `--selinux-enabled`);
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock docker:cli -H unix:///var/run/docker.sock version
Client:
Version: 28.4.0
API version: 1.51
Go version: go1.24.7
Git commit: d8eb465
Built: Wed Sep 3 20:56:28 2025
OS/Arch: linux/amd64
Context: default
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.51/version": dial unix /var/run/docker.sock: connect: permission denied
With this:
semodule -i /usr/share/udica/templates/base_container.cil
semodule -i ./contrib/selinux/docker_client.cil
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock --security-opt label=type:docker_client.process docker:cli -H unix:///var/run/docker.sock version
Client:
Version: 28.4.0
API version: 1.51
Go version: go1.24.7
Git commit: d8eb465
Built: Wed Sep 3 20:56:28 2025
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 28.4.0
API version: 1.51 (minimum version 1.24)
Go version: go1.24.7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit dbb47f63ab, which
added these rules to hide loopback devices from udisks. These rules
were for devicemapper, which we no longer support, and use hard-coded
paths, making them not practical for other purposes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It's 12 lines of code total; we may as well write it as part of building;
it looks to be the only place this is used, so we can remove the contrib
directory, which should not be used by anyone.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Passing the Auth to the redirected location was fixed in curl 7.58:
https://curl.se/changes.html#7_58_0 so we no longer need the extra
handling and can just use `-L` to let curl handle redirects.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Correctly parse HTTP response that doesn't contain an HTTP version with a decimal place:
```
< HTTP/2 307
```
The previous version would only match strings like `HTTP/2.0 307`.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This file was added in 962f347923, at which
time there already were doubts about it being useful. For Go, `gofmt`
already dictates formatting (and proper editors would integrat with
that). For other languages, most editors would already have a config,
and our CI validates formatting for various files.
Give that the file was never updated since it was added, it's fair
to say that it's unmaintained. Let's remove.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This script was added in 6860c101ad
to allow testing a custom daemon in Docker Desktop, but has not
been maintained since, and likely no longer functional, so let's
remove.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Dockerfile syntax is now maintained as part of BuildKit in the
https://github.com/moby/buildkit repository, but our contrib still
had syntax highlighting files for various editors;
- The TextMate (`.tmbundle`) syntax was last update 9 months ago
in c2029cb257, but this was a stale
pull request from 2018, so at least 7 Years behind on updates to
the syntax.
- The vim syntax is now integrated in upstream, and our copy was
remove 6 Years ago in 5511f45767.
- The Nano syntax was added 10 Years ago in 76bc44fb91,
and received an update 9 Years ago in 4cb71f8082,
and received no contributions since.
- The kate syntax was already unmaintained, and removed 9 Years ago
in a2f695d7fa.
I think it's fair to state that these are unmaintained and severely outdated.
I _do_ think it would be good to have maintained versions of such files,
as it can improve the experience for users. However, this would be more
suitable for the BuildKit project, and I'm not sure if the current copies
of these files are a good starting point (if needed, they can still be
obtained from git history).
This patch removes the files.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CONFIG_MEMCG_SWAP has been deprecated since kernel v5.8-rc1 (commit 2d1c498) and removed since kernel v6.1-rc1 (commit e55b9f9).
Since kernel v5.8-rc1, swap tracking has been an integral part of memory control. CONFIG_MEMCG_SWAP becomes invisible to user and simply means CONFIG_MEMCG && CONFIG_SWAP.
Disable the check for kernel v5.8+.
Signed-off-by: 纯真 <38834411+chunzhennn@users.noreply.github.com>
This was added in bf6d52bba1, but don't
think it was ever used; at least it's severely outdated, so let's
remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Contribute a Wireshark plugin for decrypting and dissecting
hashicorp/memberlist messages. And contribue a plugin for dissecting the
NetworkDB messages transported as memberlist User messages.
Add a feature to NetworkDB to log the encryption keys to a file for the
Wireshark memberlist plugin to consume, configured using an environment
variable.
Signed-off-by: Cory Snider <csnider@mirantis.com>
These scripts have not been actively maintained for several Years, are
un-tested, and there may be better alternatives / implementations to
use for this purpose. A search on GitHub only showed a single active
use of one of these scripts; let's remove them, as there are no plans
to maintain (and test) these scripts.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These were originally added in 7b9ecb9700.
The `StartLimitBurst` and `StartLimitInterval` options used to be
options for `[Service]`, but were moved to the `[Unit]` in systemd 229,
and systemd 230 respectively. The `StartLimitInterval` was renamed to
`StartLimitIntervalSec`, which either takes a number (using "seconds" as
default unit) or an optional unit;
- 6bf0f408e4
- f0367da7d1
We kept these deprecated options to provide compatibility with older distros
that not yet had systemd 230, but all distros we support are now on versions
of systemd that support the new options;
docker run --rm registry.access.redhat.com/ubi8/ubi systemctl --version
systemd 239 (239-82.el8_10.5)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy
docker run -it --rm debian:
apt-get update && apt-get install -y systemd
...
systemctl --version
systemd 247 (247.3-7+deb11u6)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Part of https://github.com/docker/docker-ce-packaging/issues/1186
Adds the required systemd-sysusers configuration to the
moby/moby repo. This will be used by downstream package
maintainers (RPM, DEB etc) as a replacement to the
`groupadd` postinstall commands.
It's generally recommended to use sysusers since it is
more of a declarative method of defining these service
accounts and groups.
This configuration file specifies a group ("g") named
"docker" should be created with an automatic GID
allocation ("-").
Signed-off-by: Robert Sturla <robertsturla@outlook.com>
Fix a logical error in the rootless setup tool where the iptables error
handling was incorrectly placed. The code was setting
`faced_iptables_error=1` even when iptables was available, causing
unnecessary error messages and setup suggestions.
This patch correctly moves the error handling into the `else` branch so
that we only report iptables errors when the command is actually
unavailable.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
CentOS 10 uses iptables-nft by default, and doesn't have
kernel module ip_tables - so dockerd-rootless-setuptool.sh
reports that the module is missing. It suggests installing
it (which isn't needed), or using --skip-iptables (which
disables iptables in daemon config).
So, unless "iptables --version" command reports "legacy",
check for kernel module "nf_tables" instead of "ip_tables".
Signed-off-by: Rob Murray <rob.murray@docker.com>
This reverts commit ccdfac5328.
Since commit 76417bf, the kernel ip_set module (and friends) are
not required.
Signed-off-by: Rob Murray <rob.murray@docker.com>
When dockerd is executed with the `dockerd-rootless.sh` script, make
/etc/cdi and /var/run/cdi available to the daemon if they exist.
This makes it possible to enable the CDI integration in rootless mode.
Fixes: #47676
Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>
On systems using systemd to autostart Docker on boot, containers might encounter a problem where they will not have any DNS access until the container is restarted manually. This PR fixes this issue by requiring that the Docker engine service starts after nss-lookup.target. This target is reached when DNS resolution is available. See https://wiki.archlinux.org/title/Systemd#Running_services_after_the_network_is_up (paragraph "If a service needs to perform DNS queries...")
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
If matched escape character like \" before enter " in begin statement, text editor return invalid Highlighting.
So included escape character outside of begin statement and did some refactoring.
Signed-off-by: Myeongjooon Kim kimmj8409@gmail.com
Signed-off-by: Myeongjoon Kim <kimmj8409@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now `dockerd-rootless-setuptool.sh install --force` ignores errors
from `rootlesskit`.
This might be useful when installing Rootless Docker into a container
image with `RUN` instructions.
Fix issue 48678
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Shortened to minimum code because OCI v1 is essentially equivalent to
Docker v2.2 format. Also fixed formatting issue with jq where it wouldn't
accept newline character in chained jq commands.
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Jimbo Jones <jjjimbo137@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`dockerd-rootless-setuptool.sh check` now skips the smoke test for
running RootlessKit.
Fix docker/docker-install issue 417
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This check was added in 2355151556 to handle
non-standard behavior in CentOS/RHEL 7;
> Add check for RHEL7/CentOS7 experimental userns disabled
>
> Add a check in `check-config.sh` to see if we are running on a RHEL7 or
> CentOS7 system, which may report that CONFIG_USERNS is OK/enabled, but
> user namespaces still won't work because of the experimental feature
> flag added by Redhat.
>
> This will add a warning if it is actually disabled and notes what has to
> be added to the grub/boot command line to enable it.
Now that CentOS/RHEL 7 reached EOL, we can remove this special case.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
