The default port driver "builtin" might not always be preferable as it
drops src IP information: https://github.com/containers/libpod/pull/6324
Now the port driver can be changed to "slirp4netns" via the environment
variable `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER`.
It is still recommended to use the default "builtin" driver.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
| ... | ... |
@@ -7,8 +7,13 @@ |
| 7 | 7 |
# * newuidmap and newgidmap needs to be installed. |
| 8 | 8 |
# * /etc/subuid and /etc/subgid needs to be configured for the current user. |
| 9 | 9 |
# * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed. |
| 10 |
-# slirp4netns is used by default if installed. Otherwise fallsback to VPNKit. |
|
| 11 |
-# The default value can be overridden with $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic) |
|
| 10 |
+# |
|
| 11 |
+# Recognized environment variables: |
|
| 12 |
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit". |
|
| 13 |
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 65520 for slirp4netns, 1500 for other drivers. |
|
| 14 |
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns): the rootlesskit port driver. Defaults to "builtin". |
|
| 15 |
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace. Defaults to "auto". |
|
| 16 |
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false): whether to protect slirp4netns with seccomp. Defaults to "auto". |
|
| 12 | 17 |
# |
| 13 | 18 |
# See the documentation for the further information: https://docs.docker.com/engine/security/rootless/ |
| 14 | 19 |
|
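Review bot: the new `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER` line (new line 14) lists the two accepted values and the default but omits the one fact a user needs to choose between them, which the commit message states: "builtin" does not preserve the source IP of incoming connections, and "builtin" is still the recommended driver. Consider extending the comment, e.g. `# * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns): the rootlesskit port driver. Defaults to "builtin" (recommended). "builtin" does not preserve the source IP of incoming connections; use "slirp4netns" when the source IP matters.` Otherwise the only place that trade-off is recorded is the git log.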
| ... | ... |
@@ -36,6 +41,7 @@ fi |
| 36 | 36 |
|
| 37 | 37 |
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:=}"
|
| 38 | 38 |
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:=}"
|
| 39 |
+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:=builtin}"
|
|
| 39 | 40 |
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX:=auto}"
|
| 40 | 41 |
: "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP:=auto}"
|
| 41 | 42 |
net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET |
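Review bot: new line 39 only supplies the default; nothing checks that the value is one of the two drivers the header comment documents (`builtin|slirp4netns`), so a typo or an unexpected value from the environment is passed straight through to the rootlesskit command line later in the script and only fails (or misbehaves) there. Suggest validating right after the default is set, e.g. `case "$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER" in builtin|slirp4netns) ;; *) echo "unsupported port driver: $DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER" >&2; exit 1 ;; esac`, so the error names the variable the user actually set.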
| ... | ... |
@@ -79,7 +85,7 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then |
| 79 | 79 |
--net=$net --mtu=$mtu \ |
| 80 | 80 |
--slirp4netns-sandbox=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX \ |
| 81 | 81 |
--slirp4netns-seccomp=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP \ |
| 82 |
- --disable-host-loopback --port-driver=builtin \ |
|
| 82 |
+ --disable-host-loopback --port-driver=$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER \ |
|
| 83 | 83 |
--copy-up=/etc --copy-up=/run \ |
| 84 | 84 |
--propagation=rslave \ |
| 85 | 85 |
$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \ |
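Review bot: on new line 82 the port driver is now an unquoted expansion of an environment-provided variable, `--port-driver=$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER`, where before it was a fixed literal; a value containing whitespace or glob characters would be word-split into extra rootlesskit arguments. The sibling expansions on lines 80 and 81 follow the same unquoted style, but those values also come from the environment, so either quote the new one (`--port-driver="$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER"`) or rely on an explicit allow-list check where the default is assigned (line 39) so that only `builtin` or `slirp4netns` ever reaches this command line.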