This was added in bf6d52bba1, but I don't
think it was ever used; at least it's severely outdated, so let's
remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Contribute a Wireshark plugin for decrypting and dissecting
hashicorp/memberlist messages. And contribute a plugin for dissecting the
NetworkDB messages transported as memberlist User messages.
Add a feature to NetworkDB to log the encryption keys to a file for the
Wireshark memberlist plugin to consume, configured using an environment
variable.
Signed-off-by: Cory Snider <csnider@mirantis.com>
These scripts have not been actively maintained for several years, are
untested, and there may be better alternatives / implementations to
use for this purpose. A search on GitHub only showed a single active
use of one of these scripts; let's remove them, as there are no plans
to maintain (and test) these scripts.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These were originally added in 7b9ecb9700.
The `StartLimitBurst` and `StartLimitInterval` options used to be
options for `[Service]`, but were moved to the `[Unit]` in systemd 229,
and systemd 230 respectively. The `StartLimitInterval` was renamed to
`StartLimitIntervalSec`, which either takes a number (using "seconds" as
default unit) or an optional unit;
- 6bf0f408e4
- f0367da7d1
We kept these deprecated options to provide compatibility with older distros
that did not yet have systemd 230, but all distros we support are now on versions
of systemd that support the new options;
    docker run --rm registry.access.redhat.com/ubi8/ubi systemctl --version
    systemd 239 (239-82.el8_10.5)
    +PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy

    docker run -it --rm debian:
    apt-get update && apt-get install -y systemd
    ...
    systemctl --version
    systemd 247 (247.3-7+deb11u6)
    +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
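A small lint for the situation the commit above describes, as an added example that is not part of the moby repository or its packaging: it scans a unit file and reports `StartLimitBurst=` / `StartLimitInterval=` placed under `[Service]` (they belong under `[Unit]` since systemd 229/230) and any remaining `StartLimitInterval=` (renamed to `StartLimitIntervalSec=`). The function name and the sample unit files are this example's own.

```sh
#!/bin/sh
# Added example, not code from moby/moby: lint a systemd unit for the
# pre-systemd-230 StartLimit* spellings. Prints one finding per line and
# exits 1 when anything was found, 0 when the unit is clean.
lint_start_limit() {
	awk '
		# Track the current [Section] header, stripped of whitespace.
		/^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
		# Skip blank lines and comments.
		/^[ \t]*$/ { next }
		/^[ \t]*[#;]/ { next }
		{
			split($0, kv, "=")
			key = kv[1]; gsub(/[ \t]/, "", key)
			if (section == "[Service]" && (key == "StartLimitBurst" || key == "StartLimitInterval" || key == "StartLimitIntervalSec")) {
				printf "line %d: %s= belongs under [Unit] since systemd 230, not [Service]\n", NR, key
				bad = 1
			}
			if (key == "StartLimitInterval") {
				printf "line %d: StartLimitInterval= was renamed to StartLimitIntervalSec=\n", NR
				bad = 1
			}
		}
		END { if (bad) exit 1 }
	' "$1"
}

# Constructed sample: the old layout that the commit above removes.
old_unit=$(mktemp)
cat > "$old_unit" <<'EOF'
[Unit]
Description=Docker Application Container Engine
After=network-online.target

[Service]
ExecStart=/usr/bin/dockerd -H fd://
Restart=always
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF

# Constructed sample: the systemd >= 230 layout.
new_unit=$(mktemp)
cat > "$new_unit" <<'EOF'
[Unit]
Description=Docker Application Container Engine
After=network-online.target
StartLimitBurst=3
StartLimitIntervalSec=60

[Service]
ExecStart=/usr/bin/dockerd -H fd://
Restart=always
EOF

echo "old unit:"
lint_start_limit "$old_unit" || echo "  -> status $?"   # three findings, status 1
echo "new unit:"
lint_start_limit "$new_unit" && echo "  -> clean"       # no findings, status 0
rm -f "$old_unit" "$new_unit"
```

Run it against `/lib/systemd/system/docker.service` (or a downstream package's copy) before dropping the compatibility keys; `systemd-analyze verify` would also warn about unknown keys under `[Service]`, but only on a host that already runs the newer systemd.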
Part of https://github.com/docker/docker-ce-packaging/issues/1186
Adds the required systemd-sysusers configuration to the
moby/moby repo. This will be used by downstream package
maintainers (RPM, DEB etc) as a replacement to the
`groupadd` postinstall commands.
It's generally recommended to use sysusers since it is
more of a declarative method of defining these service
accounts and groups.
This configuration file specifies a group ("g") named
"docker" should be created with an automatic GID
allocation ("-").
Signed-off-by: Robert Sturla <robertsturla@outlook.com>
Fix a logical error in the rootless setup tool where the iptables error
handling was incorrectly placed. The code was setting
`faced_iptables_error=1` even when iptables was available, causing
unnecessary error messages and setup suggestions.
This patch correctly moves the error handling into the `else` branch so
that we only report iptables errors when the command is actually
unavailable.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
CentOS 10 uses iptables-nft by default, and doesn't have
kernel module ip_tables - so dockerd-rootless-setuptool.sh
reports that the module is missing. It suggests installing
it (which isn't needed), or using --skip-iptables (which
disables iptables in daemon config).
So, unless the "iptables --version" command reports "legacy",
check for kernel module "nf_tables" instead of "ip_tables".
Signed-off-by: Rob Murray <rob.murray@docker.com>
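The two decisions from the preceding commits, modelled in shell as an added example that is not code from dockerd-rootless-setuptool.sh: an iptables error is raised only when the iptables binary is genuinely unavailable (the `else` branch), and the kernel module to look for is chosen from the backend that `iptables --version` reports (`legacy` needs `ip_tables`, anything else, such as the iptables-nft default on CentOS 10, needs `nf_tables`). Function names and the sample `/proc/modules` content are this example's own.

```sh
#!/bin/sh
# Added example, not code from dockerd-rootless-setuptool.sh.

# Map the output of `iptables --version` to the kernel module its backend uses.
# iptables-legacy reports e.g. "iptables v1.8.10 (legacy)", iptables-nft
# reports "(nf_tables)"; anything unrecognised is treated as nft.
iptables_module_for_version() {
	case "$1" in
		*legacy*) echo ip_tables ;;
		*)        echo nf_tables ;;
	esac
}

# Return 0 when module $1 is listed on stdin, which must be in /proc/modules
# format (the module name is the first field of each line).
module_loaded_in() {
	while read -r name _rest; do
		[ "$name" = "$1" ] && return 0
	done
	return 1
}

# $1: output of `iptables --version` (empty when the binary is missing)
# $2: path to a file in /proc/modules format
# Exit status: 0 ok, 1 iptables unavailable, 2 backend module not loaded.
check_iptables() {
	version="$1"
	modules_file="$2"
	if [ -z "$version" ]; then
		# This is the only branch that should set the tool's
		# faced_iptables_error flag: the command itself is absent.
		echo "error: iptables command is not available"
		return 1
	fi
	mod=$(iptables_module_for_version "$version")
	if module_loaded_in "$mod" < "$modules_file"; then
		echo "ok: $version, kernel module $mod is loaded"
		return 0
	fi
	echo "warning: kernel module $mod is not loaded (iptables reports: $version)"
	return 2
}

# On a real host, feed the live values:
#   check_iptables "$(command -v iptables >/dev/null 2>&1 && iptables --version)" /proc/modules
# Below, a constructed /proc/modules excerpt for a CentOS 10 style host:
# nf_tables is loaded, ip_tables is not.
demo_modules=$(mktemp)
cat > "$demo_modules" <<'EOF'
nf_tables 311296 300 nft_compat,nft_chain_nat, Live 0x0000000000000000
nft_compat 20480 2 - Live 0x0000000000000000
x_tables 65536 4 nft_compat, Live 0x0000000000000000
EOF

run_case() {
	rc=0
	check_iptables "$1" "$demo_modules" || rc=$?
	echo "  -> status $rc"
}
run_case "iptables v1.8.10 (nf_tables)"   # status 0: nft backend, nf_tables loaded
run_case "iptables v1.8.10 (legacy)"      # status 2: legacy backend needs ip_tables
run_case ""                               # status 1: no iptables binary at all
rm -f "$demo_modules"
```

The middle case is the one the old check got wrong on CentOS 10: it looked for `ip_tables` regardless of backend and suggested installing it or passing `--skip-iptables`, which would have disabled iptables in the daemon config for no reason.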
This reverts commit ccdfac5328.
Since commit 76417bf, the kernel ip_set module (and friends) are
not required.
Signed-off-by: Rob Murray <rob.murray@docker.com>
When dockerd is executed with the `dockerd-rootless.sh` script, make
/etc/cdi and /var/run/cdi available to the daemon if they exist.
This makes it possible to enable the CDI integration in rootless mode.
Fixes: #47676
Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>
On systems using systemd to autostart Docker on boot, containers might encounter a problem where they will not have any DNS access until the container is restarted manually. This PR fixes this issue by requiring that the Docker engine service starts after nss-lookup.target. This target is reached when DNS resolution is available. See https://wiki.archlinux.org/title/Systemd#Running_services_after_the_network_is_up (paragraph "If a service needs to perform DNS queries...")
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
If an escaped character like \" was matched before entering " in the begin statement, the text editor returned invalid highlighting.
So I included the escape character outside of the begin statement and did some refactoring.
Signed-off-by: Myeongjoon Kim <kimmj8409@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now `dockerd-rootless-setuptool.sh install --force` ignores errors
from `rootlesskit`.
This might be useful when installing Rootless Docker into a container
image with `RUN` instructions.
Fix issue 48678
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Shortened to minimum code because OCI v1 is essentially equivalent to the
Docker v2.2 format. Also fixed a formatting issue with jq where it wouldn't
accept newline characters in chained jq commands.
Co-authored-by: Tianon Gravi <admwiggin@gmail.com>
Signed-off-by: Jimbo Jones <jjjimbo137@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`dockerd-rootless-setuptool.sh check` now skips the smoke test for
running RootlessKit.
Fix docker/docker-install issue 417
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This check was added in 2355151556 to handle
non-standard behavior in CentOS/RHEL 7;
> Add check for RHEL7/CentOS7 experimental userns disabled
>
> Add a check in `check-config.sh` to see if we are running on a RHEL7 or
> CentOS7 system, which may report that CONFIG_USERNS is OK/enabled, but
> user namespaces still won't work because of the experimental feature
> flag added by Redhat.
>
> This will add a warning if it is actually disabled and notes what has to
> be added to the grub/boot command line to enable it.
Now that CentOS/RHEL 7 reached EOL, we can remove this special case.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This should allow enabling host loopback by setting
DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK to false;
it defaults to true.
Signed-off-by: serhii.n <serhii.n@thescimus.com>
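How a wrapper script can turn that environment variable into the RootlessKit flag, as an added example that is not dockerd-rootless.sh itself. The variable name comes from the commit above; the value parsing, the fail-closed handling of malformed values and the function names are this example's own. `--disable-host-loopback` is the hardened setting (without it a container can reach services bound only to the host's 127.0.0.1), so anything other than a well-formed "false" keeps the loopback disabled.

```sh
#!/bin/sh
# Added example, not code from dockerd-rootless.sh.

# Normalise a boolean-ish string to "true" or "false"; return 1 if unrecognised.
parse_bool() {
	case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
		true|1|yes|on)   echo true ;;
		false|0|no|off)  echo false ;;
		*)               return 1 ;;
	esac
}

# Print the RootlessKit argument to add, given the variable's value ($1; empty
# means unset, which defaults to true). On an invalid value the safe flag is
# still printed, so a caller that ignores the exit status stays hardened, and
# the status is 1 so a careful caller can abort instead.
host_loopback_flag() {
	v=$(parse_bool "${1:-true}") || {
		echo "warning: invalid DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK=$1, keeping host loopback disabled" >&2
		echo "--disable-host-loopback"
		return 1
	}
	if [ "$v" = "true" ]; then
		echo "--disable-host-loopback"
	fi
	return 0
}

# Typical use in a wrapper, splicing the flag into the rootlesskit command line:
#   rootlesskit $(host_loopback_flag "${DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK:-}") ... dockerd "$@"
echo "unset:   [$(host_loopback_flag '')]"                      # [--disable-host-loopback]
echo "false:   [$(host_loopback_flag false)]"                   # []
echo "garbage: [$(host_loopback_flag maybe 2>/dev/null || true)]"  # [--disable-host-loopback]
```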
The "builtin" port driver was marked as "Slow" in the row for the lxc-user-nic
network driver, while it was marked as "Fast" in other rows.
It had to be consistently marked as "Fast" regardless to the network driver.
It is still not as fast as rootful.
Follow-up to PR 47076
Fixes: b5a5ecf4a3
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Redirecting check-config.sh output to a file puts control character
output into that file, which isn't helpful for reading.
Disable colorized output if either
1. NO_COLOR environment is set to "1"
2. stdout is not a terminal.
Signed-off-by: Scott Moser <smoser@brickies.net>
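The two rules above in runnable form, as an added example that is not check-config.sh itself: colour is decided once at start-up, off when `NO_COLOR` is "1" or when stdout is not a terminal, and the wrapping helpers then emit plain text so a redirected report contains no escape sequences. The helper names mirror check-config.sh's `wrap_color`/`wrap_good`/`wrap_bad` style but the code is this example's own.

```sh
#!/bin/sh
# Added example, not code from check-config.sh.

# Return 0 (true) when colour should be used: NO_COLOR=1 disables it, and so
# does a stdout that is not a terminal (a file, a pipe, a CI log).
color_enabled() {
	[ "${NO_COLOR:-}" = "1" ] && return 1
	[ -t 1 ] || return 1
	return 0
}

# Wrap $1 in the ANSI SGR sequence $2 (32 green, 31 red, 1 bold) when colour
# is enabled; otherwise print the text verbatim.
wrap_color() {
	if [ "${USE_COLOR:-0}" = "1" ]; then
		printf '\033[%sm%s\033[0m' "$2" "$1"
	else
		printf '%s' "$1"
	fi
}
wrap_good() { wrap_color "$1" 32; }
wrap_bad()  { wrap_color "$1" 31; }

# Decide once rather than per call: inside $(...) stdout is never a terminal,
# so a per-call check would silently strip colour from every wrapped value.
if color_enabled; then USE_COLOR=1; else USE_COLOR=0; fi

# Report one kernel config option in the style of check-config.sh.
# $1 option name, $2 "y" or "n".
report_option() {
	if [ "$2" = "y" ]; then
		printf '* %s: %s\n' "$1" "$(wrap_good enabled)"
	else
		printf '* %s: %s\n' "$1" "$(wrap_bad missing)"
	fi
}

report_option CONFIG_NAMESPACES y
report_option CONFIG_USER_NS n
```

Run it once on a terminal and once as `NO_COLOR=1 sh example.sh > report.txt`; the file contains only printable text either way.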
We occasionally receive contributions to this script that are outside
its intended scope. Let's add a comment to the script that outlines
what it's meant for, and a link to a GitHub ticket with alternatives.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
During review, it was decided to remove `LimitNOFILE` from `docker.service` to rely on the systemd v240 implicit default of `1024:524288`. On supported platforms with systemd prior to v240, packagers will patch the service with an explicit `LimitNOFILE=1024:524288`.
- `1024` soft limit is an implicit default, avoiding unexpected breakage. Software that needs a higher limit should request to raise the soft limit for its process.
- `524288` hard limit is an implicit default since systemd v240 and is adequate for most processes (_half of the historical limit from `fs.nr_open` of `1048576`_), while 4096 is the implicit default from the kernel (often too low). Individual containers can be started with `--ulimit` when a larger hard limit is required.
- The hard limit may not exceed `fs.nr_open` (_which a value of `infinity` will resolve to_). On most systems with systemd v240 or newer, this will resolve to an excessive size of 2^30 (over 1 billion).
- When set to `infinity` (usually as the soft limit) software may experience significantly increased resource usage, resulting in a performance regression or runtime failures that are difficult to troubleshoot.
- OpenRC's current config approach lacks support for different soft/hard limits being set as it adjusts additional limits and `ulimit` does not support mixed usage of `-H` + `-S`. A soft limit of `524288` is not ideal, but 2^19 is much less overhead than 2^30, whilst a hard limit of 4096 would be problematic for Docker.
Signed-off-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
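A check for the limits a running daemon actually received, as an added example that is not part of docker.service or the moby repository. It parses the `Max open files` line of `/proc/<pid>/limits` (format: `Max open files  <soft>  <hard>  files`) and flags the problems listed above: an unlimited soft limit, a hard limit above `fs.nr_open` (which the kernel refuses), and a hard limit above the systemd v240 default of 524288. Function names and the sample limits file are this example's own.

```sh
#!/bin/sh
# Added example, not code from moby/moby or its systemd unit.

# Print "<soft> <hard>" for open files from a limits file in /proc/<pid>/limits
# format ($1). Values are numbers or the word "unlimited".
nofile_limits() {
	awk '/^Max open files/ { print $4, $5 }' "$1"
}

# Evaluate soft ($1) and hard ($2) against fs.nr_open ($3, default 1048576).
# Returns 0 when the values match the policy above, 1 with a message otherwise.
check_nofile() {
	soft="$1"; hard="$2"; nr_open="${3:-1048576}"
	rc=0
	if [ "$soft" = "unlimited" ]; then
		echo "soft limit is unlimited: software that sizes tables by the soft limit will pay for it"
		rc=1
	fi
	if [ "$hard" = "unlimited" ]; then
		echo "hard limit is unlimited: it resolves to fs.nr_open ($nr_open), 2^30 on systemd >= 240 hosts"
		rc=1
	elif [ "$hard" -gt "$nr_open" ]; then
		echo "hard limit $hard exceeds fs.nr_open=$nr_open; setrlimit would refuse it"
		rc=1
	elif [ "$hard" -gt 524288 ]; then
		echo "hard limit $hard is above the systemd v240 default of 524288; consider lowering it"
		rc=1
	fi
	return $rc
}

# Check a live process by pid, e.g. check_pid_nofile "$(pgrep -x dockerd)".
check_pid_nofile() {
	[ -r "/proc/$1/limits" ] || { echo "no /proc/$1/limits"; return 1; }
	nr_open=$(cat /proc/sys/fs/nr_open 2>/dev/null || echo 1048576)
	set -- $(nofile_limits "/proc/$1/limits") "$nr_open"
	echo "soft=$1 hard=$2 fs.nr_open=$3"
	check_nofile "$1" "$2" "$3"
}

# Constructed sample: what a dockerd started with the v240 implicit default
# would show.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 524288               files
Max processes             unlimited            unlimited            processes
EOF
set -- $(nofile_limits "$sample")
echo "sample: soft=$1 hard=$2"
check_nofile "$1" "$2" 1048576 && echo "  -> fine"
check_nofile unlimited 524288 1048576 || echo "  -> rejected (LimitNOFILE=infinity style)"
check_nofile 1024 1073741824 1048576 || echo "  -> rejected (hard above fs.nr_open)"
rm -f "$sample"
# Uncomment on a Linux host to inspect this shell's own limits:
# check_pid_nofile $$ || true
```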
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.
Additionally, this removes the "cgroups v1" setup code because it's more reasonable now for us to expect something _else_ to have set up cgroups appropriately (especially cgroups v2).
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>