Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.
The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.
RootlessKit changes: https://github.com/rootless-containers/rootlesskit/compare/7bbbc48a6f906633a9b12783b957f4c3aa037d33...ed2671442965115b84ecf82d4831cc48747d89b8
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
| ... | ... |
@@ -3,6 +3,8 @@ |
| 3 | 3 |
# |
| 4 | 4 |
# Usage: dockerd-rootless.sh --experimental [DOCKERD_OPTIONS] |
| 5 | 5 |
# Currently, specifying --experimental is mandatory. |
| 6 |
+# Also, to expose ports, you need to specify |
|
| 7 |
+# --userland-proxy-path=/path/to/rootlesskit-docker-proxy |
|
| 6 | 8 |
# |
| 7 | 9 |
# External dependencies: |
| 8 | 10 |
# * newuidmap and newgidmap needs to be installed. |
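Review bot: the new header comment lists only `--userland-proxy-path=/path/to/rootlesskit-docker-proxy`, while the commit message and the README usage example in this same change start the daemon with `--userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)`. Keep the two in sync so a user reading the script header gets the same invocation as the README, and consider stating the two constraints that apply to this mode here as well (host port must be >= 1024, SCTP unsupported), since the script header is where operators look first.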
| ... | ... |
@@ -64,7 +66,7 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then |
| 64 | 64 |
# (by either systemd-networkd or NetworkManager) |
| 65 | 65 |
# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace |
| 66 | 66 |
$rootlesskit \ |
| 67 |
- --net=$net --mtu=$mtu --disable-host-loopback \ |
|
| 67 |
+ --net=$net --mtu=$mtu --disable-host-loopback --port-driver=builtin \ |
|
| 68 | 68 |
--copy-up=/etc --copy-up=/run \ |
| 69 | 69 |
$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \ |
| 70 | 70 |
$0 $@ |
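Review bot: `--port-driver=builtin` is now hardcoded on the rootlesskit command line, so the script silently requires a rootlesskit at or after the commit pinned in this change; with an older binary the flag is rejected and the daemon fails to start with a message that does not mention the version mismatch. A version check, or a short comment pointing at `ROOTLESSKIT_COMMIT` in `install-rootlesskit`, would make that failure easier to diagnose. While here, the unchanged context line `$0 $@` should be `"$0" "$@"`, otherwise daemon options containing spaces are split before they reach the child.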
| ... | ... |
@@ -45,6 +45,8 @@ penguin:231072:65536 |
| 45 | 45 |
* Apparmor |
| 46 | 46 |
* Checkpoint |
| 47 | 47 |
* Overlay network |
| 48 |
+ * Exposing SCTP ports |
|
| 49 |
+* To expose a TCP/UDP port, the host port number needs to be set to >= 1024. |
|
| 48 | 50 |
|
| 49 | 51 |
## Usage |
| 50 | 52 |
|
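Review bot: indentation of the two new bullets is inconsistent. `+ * Exposing SCTP ports` has a leading space, which renders it as a sub-item of "Overlay network", while `+* To expose a TCP/UDP port, ...` is top level. SCTP port exposure is its own limitation and should be a top-level `* Exposing SCTP ports`; the >= 1024 bullet is a constraint rather than an unsupported feature, so it may read better as a remark under "Usage" next to the `--userland-proxy-path` sentence added there.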
| ... | ... |
@@ -53,9 +55,10 @@ penguin:231072:65536 |
| 53 | 53 |
You need to run `dockerd-rootless.sh` instead of `dockerd`. |
| 54 | 54 |
|
| 55 | 55 |
```console |
| 56 |
-$ dockerd-rootless.sh --experimental" |
|
| 56 |
+$ dockerd-rootless.sh --experimental --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)" |
|
| 57 | 57 |
``` |
| 58 | 58 |
As Rootless mode is experimental per se, currently you always need to run `dockerd-rootless.sh` with `--experimental`. |
| 59 |
+Also, to expose ports, you need to set `--userland-proxy-path` to the path of `rootlesskit-docker-proxy` binary. |
|
| 59 | 60 |
|
| 60 | 61 |
Remarks: |
| 61 | 62 |
* The socket path is set to `$XDG_RUNTIME_DIR/docker.sock` by default. `$XDG_RUNTIME_DIR` is typically set to `/run/user/$UID`. |
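Review bot: the console example carries a stray trailing double quote, both before (`--experimental"`) and after this change (`...rootlesskit-docker-proxy)"`); copying it verbatim gives an unterminated string in the shell, so drop the `"`. In the added sentence, "to the path of `rootlesskit-docker-proxy` binary" is missing an article ("the `rootlesskit-docker-proxy` binary"). It would also help to state here that without `--userland-proxy-path` a `-p` publish reaches only the `dockerd` network namespace, which is the fact the removed "Exposing ports" section used to document.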
| ... | ... |
@@ -72,17 +75,6 @@ You can just use the upstream Docker client but you need to set the socket path |
| 72 | 72 |
$ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d nginx |
| 73 | 73 |
``` |
| 74 | 74 |
|
| 75 |
-### Exposing ports |
|
| 76 |
- |
|
| 77 |
-In addition to exposing container ports to the `dockerd` network namespace, you also need to expose the ports in the `dockerd` network namespace to the host network namespace. |
|
| 78 |
- |
|
| 79 |
-```console |
|
| 80 |
-$ docker -H unix://$XDG_RUNTIME_DIR/docker.sock run -d -p 80:80 nginx |
|
| 81 |
-$ socat -t -- TCP-LISTEN:8080,reuseaddr,fork EXEC:"nsenter -U -n -t $(cat $XDG_RUNTIME_DIR/docker.pid) socat -t -- STDIN TCP4\:127.0.0.1\:80" |
|
| 82 |
-``` |
|
| 83 |
- |
|
| 84 |
-In future, `dockerd` will be able to expose the ports automatically. |
|
| 85 |
- |
|
| 86 | 75 |
### Routing ping packets |
| 87 | 76 |
|
| 88 | 77 |
To route ping packets, you need to set up `net.ipv4.ping_group_range` properly as the root. |
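Review bot: removing the whole "Exposing ports" section also removes the only explanation that container ports are published into the `dockerd` network namespace rather than the host namespace. Users who run an older rootlesskit, or who deliberately omit `--userland-proxy-path`, still hit that behaviour and now have nothing in the README describing it. Keep a one-paragraph version of the first sentence (without the `socat`/`nsenter` workaround, which the built-in port driver supersedes) and point it at the new `--userland-proxy-path` instruction.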
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
#!/bin/sh |
| 2 | 2 |
|
| 3 |
-# v0.3.0-alpha.2 |
|
| 4 |
-ROOTLESSKIT_COMMIT=7bbbc48a6f906633a9b12783b957f4c3aa037d33 |
|
| 3 |
+# v0.3.0-beta.0 |
|
| 4 |
+ROOTLESSKIT_COMMIT=ed2671442965115b84ecf82d4831cc48747d89b8 |
|
| 5 | 5 |
|
| 6 | 6 |
install_rootlesskit() {
|
| 7 | 7 |
case "$1" in |
| ... | ... |
@@ -30,5 +30,7 @@ _install_rootlesskit() {
|
| 30 | 30 |
git clone https://github.com/rootless-containers/rootlesskit.git "$GOPATH/src/github.com/rootless-containers/rootlesskit" |
| 31 | 31 |
cd "$GOPATH/src/github.com/rootless-containers/rootlesskit" |
| 32 | 32 |
git checkout -q "$ROOTLESSKIT_COMMIT" |
| 33 |
- go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/rootlesskit" github.com/rootless-containers/rootlesskit/cmd/rootlesskit
|
|
| 33 |
+ for f in rootlesskit rootlesskit-docker-proxy; do |
|
| 34 |
+ go build $BUILD_MODE -ldflags="$ROOTLESSKIT_LDFLAGS" -o "${PREFIX}/$f" github.com/rootless-containers/rootlesskit/cmd/$f
|
|
| 35 |
+ done |
|
| 34 | 36 |
} |
| ... | ... |
@@ -8,5 +8,6 @@ DOCKER_CONTAINERD_SHIM_BINARY_NAME='containerd-shim' |
| 8 | 8 |
DOCKER_PROXY_BINARY_NAME='docker-proxy' |
| 9 | 9 |
DOCKER_INIT_BINARY_NAME='docker-init' |
| 10 | 10 |
DOCKER_ROOTLESSKIT_BINARY_NAME='rootlesskit' |
| 11 |
+DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME='rootlesskit-docker-proxy' |
|
| 11 | 12 |
DOCKER_VPNKIT_BINARY_NAME='vpnkit' |
| 12 | 13 |
DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME='dockerd-rootless.sh' |
| ... | ... |
@@ -14,7 +14,7 @@ copy_binaries() {
|
| 14 | 14 |
return |
| 15 | 15 |
fi |
| 16 | 16 |
echo "Copying nested executables into $dir" |
| 17 |
- for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit dockerd-rootless.sh; do |
|
| 17 |
+ for file in containerd containerd-shim ctr runc docker-init docker-proxy rootlesskit rootlesskit-docker-proxy dockerd-rootless.sh; do |
|
| 18 | 18 |
cp -f `which "$file"` "$dir/" |
| 19 | 19 |
if [ "$hash" == "hash" ]; then |
| 20 | 20 |
hash_files "$dir/$file" |
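Review bot: `cp -f \`which "$file"\` "$dir/"` has no error handling, and this hunk adds `rootlesskit-docker-proxy`, a binary that is only present when rootlesskit was built from the newly pinned commit. If `which` finds nothing, `cp` receives an empty source argument and fails with an unrelated usage error. Check the lookup first, for example `bin=$(which "$file") || { echo "missing $file" >&2; exit 1; }`, so a stale rootlesskit install is reported by name.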
| ... | ... |
@@ -27,6 +27,7 @@ install_binary() {
|
| 27 | 27 |
install_binary "${DEST}/${DOCKER_PROXY_BINARY_NAME}"
|
| 28 | 28 |
install_binary "${DEST}/${DOCKER_INIT_BINARY_NAME}"
|
| 29 | 29 |
install_binary "${DEST}/${DOCKER_ROOTLESSKIT_BINARY_NAME}"
|
| 30 |
+ install_binary "${DEST}/${DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME}"
|
|
| 30 | 31 |
install_binary "${DEST}/${DOCKER_DAEMON_ROOTLESS_SH_BINARY_NAME}"
|
| 31 | 32 |
if [ -f "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}" ]; then
|
| 32 | 33 |
install_binary "${DEST}/${DOCKER_VPNKIT_BINARY_NAME}"
|
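Review bot: `install_binary "${DEST}/${DOCKER_ROOTLESSKIT_DOCKER_PROXY_BINARY_NAME}"` is unconditional, while the `vpnkit` binary two lines below is guarded with `if [ -f ... ]`. `rootlesskit-docker-proxy` is an optional helper needed only for port exposure and, like `vpnkit`, may be absent from a build tree; use the same existence guard so the install step does not fail on trees that do not ship it.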