Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Tonis Tiigi authored on 2019/02/28 17:12:55... | ... |
@@ -107,7 +107,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) { |
107 | 107 |
return nil, err |
108 | 108 |
} |
109 | 109 |
|
110 |
- exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController) |
|
110 |
+ exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, opt.Rootless) |
|
111 | 111 |
if err != nil { |
112 | 112 |
return nil, err |
113 | 113 |
} |
@@ -20,9 +20,9 @@ import ( |
20 | 20 |
|
21 | 21 |
const networkName = "bridge" |
22 | 22 |
|
23 |
-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (executor.Executor, error) { |
|
23 |
+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, rootless bool) (executor.Executor, error) { |
|
24 | 24 |
networkProviders := map[pb.NetMode]network.Provider{ |
25 |
- pb.NetMode_UNSET: &bridgeProvider{NetworkController: net}, |
|
25 |
+ pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")}, |
|
26 | 26 |
pb.NetMode_HOST: network.NewHostProvider(), |
27 | 27 |
pb.NetMode_NONE: network.NewNoneProvider(), |
28 | 28 |
} |
@@ -30,11 +30,13 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e |
30 | 30 |
Root: filepath.Join(root, "executor"), |
31 | 31 |
CommandCandidates: []string{"runc"}, |
32 | 32 |
DefaultCgroupParent: cgroupParent, |
33 |
+ Rootless: rootless, |
|
33 | 34 |
}, networkProviders) |
34 | 35 |
} |
35 | 36 |
|
36 | 37 |
type bridgeProvider struct { |
37 | 38 |
libnetwork.NetworkController |
39 |
+ Root string |
|
38 | 40 |
} |
39 | 41 |
|
40 | 42 |
func (p *bridgeProvider) New() (network.Namespace, error) { |
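Review bot: The new `Root` field on bridgeProvider carries no comment saying what is stored under it, and this hunk does not show the directory being created anywhere. From the later NewSandbox call it is the parent of the per-sandbox `hosts` and `resolv.conf` files, so I'd document it as `// Root is the directory under which per-sandbox hosts and resolv.conf files are written (see lnInterface.init).` If libnetwork does not create the parent directories of those paths itself, newExecutor should `os.MkdirAll` `filepath.Join(root, "net")` before handing it out; I can't confirm libnetwork's behaviour from here.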
@@ -70,7 +72,8 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw |
70 | 70 |
return |
71 | 71 |
} |
72 | 72 |
|
73 |
- sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey()) |
|
73 |
+ sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey(), libnetwork.OptionHostsPath(filepath.Join(iface.provider.Root, id, "hosts")), |
|
74 |
+ libnetwork.OptionResolvConfPath(filepath.Join(iface.provider.Root, id, "resolv.conf"))) |
|
74 | 75 |
if err != nil { |
75 | 76 |
iface.err = err |
76 | 77 |
return |
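Review bot: `id` is now spliced into two filesystem paths under `iface.provider.Root`, and init's signature, where `id` originates, is outside this hunk, so I can't see whether it is daemon-generated or supplied by a caller. If it is anything other than a freshly generated identifier it must be validated as a single path element before use, e.g. reject it when `id != filepath.Base(id)`; if it is always generated, a one-line comment at the call site saying so would settle the question for the next reader. Independently of that, the hosts/resolv.conf files now live outside libnetwork's default locations, so whoever owns `Root` has to ensure it exists before the first sandbox is created, and the per-id directory has to be cleaned up when the sandbox goes away.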
@@ -88,23 +91,26 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw |
88 | 88 |
func (iface *lnInterface) Set(s *specs.Spec) { |
89 | 89 |
<-iface.ready |
90 | 90 |
if iface.err != nil { |
91 |
+ logrus.WithError(iface.err).Error("failed to set networking spec") |
|
91 | 92 |
return |
92 | 93 |
} |
93 | 94 |
// attach netns to bridge within the container namespace, using reexec in a prestart hook |
94 | 95 |
s.Hooks = &specs.Hooks{ |
95 | 96 |
Prestart: []specs.Hook{{ |
96 | 97 |
Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"), |
97 |
- Args: []string{"libnetwork-setkey", iface.sbx.ContainerID(), iface.provider.NetworkController.ID()}, |
|
98 |
+ Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()}, |
|
98 | 99 |
}}, |
99 | 100 |
} |
100 | 101 |
} |
101 | 102 |
|
102 | 103 |
func (iface *lnInterface) Close() error { |
103 | 104 |
<-iface.ready |
104 |
- go func() { |
|
105 |
- if err := iface.sbx.Delete(); err != nil { |
|
106 |
- logrus.Errorf("failed to delete builder network sandbox: %v", err) |
|
107 |
- } |
|
108 |
- }() |
|
105 |
+ if iface.sbx != nil { |
|
106 |
+ go func() { |
|
107 |
+ if err := iface.sbx.Delete(); err != nil { |
|
108 |
+ logrus.Errorf("failed to delete builder network sandbox: %v", err) |
|
109 |
+ } |
|
110 |
+ }() |
|
111 |
+ } |
|
109 | 112 |
return iface.err |
110 | 113 |
} |
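Review bot: Close deletes the libnetwork sandbox, but nothing removes the `hosts` and `resolv.conf` files that init now writes under `filepath.Join(iface.provider.Root, id)`, so unless `Sandbox.Delete` removes its own hosts/resolv paths (I can't confirm that from this page) every build leaves a directory behind. Assuming the `id` passed to NewSandbox is what `ContainerID()` returns, as the prestart hook already relies on, the directory can be removed after a successful Delete using the `os` import the file already has. The new nil guard is kept, the delete error is still only logged, and Close still returns `iface.err` as before.
```go
	if iface.sbx != nil {
		go func() {
			if err := iface.sbx.Delete(); err != nil {
				logrus.Errorf("failed to delete builder network sandbox: %v", err)
				return
			}
			// init writes hosts/resolv.conf under Root/<id>; drop the directory with the sandbox
			if err := os.RemoveAll(filepath.Join(iface.provider.Root, iface.sbx.ContainerID())); err != nil {
				logrus.Errorf("failed to remove builder network sandbox dir: %v", err)
			}
		}()
	}
	// … unchanged: return iface.err …
```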
@@ -10,7 +10,7 @@ import ( |
10 | 10 |
"github.com/moby/buildkit/executor" |
11 | 11 |
) |
12 | 12 |
|
13 |
-func newExecutor(_, _ string, _ libnetwork.NetworkController) (executor.Executor, error) { |
|
13 |
+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ bool) (executor.Executor, error) { |
|
14 | 14 |
return &winExecutor{}, nil |
15 | 15 |
} |
16 | 16 |
|
@@ -325,6 +325,7 @@ func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, e |
325 | 325 |
DefaultCgroupParent: cgroupParent, |
326 | 326 |
ResolverOpt: d.NewResolveOptionsFunc(), |
327 | 327 |
BuilderConfig: config.Builder, |
328 |
+ Rootless: d.Rootless(), |
|
328 | 329 |
}) |
329 | 330 |
if err != nil { |
330 | 331 |
return opts, err |
@@ -175,7 +175,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf |
175 | 175 |
if rootIDs := daemon.idMapping.RootPair(); rootIDs.UID != 0 || rootIDs.GID != 0 { |
176 | 176 |
securityOptions = append(securityOptions, "name=userns") |
177 | 177 |
} |
178 |
- if daemon.configStoreRootless() { |
|
178 |
+ if daemon.Rootless() { |
|
179 | 179 |
securityOptions = append(securityOptions, "name=rootless") |
180 | 180 |
} |
181 | 181 |
v.SecurityOptions = securityOptions |
@@ -247,6 +247,7 @@ func parseRuncVersion(v string) (version string, commit string, err error) { |
247 | 247 |
return version, commit, err |
248 | 248 |
} |
249 | 249 |
|
250 |
-func (daemon *Daemon) configStoreRootless() bool { |
|
250 |
+// Rootless returns true if daemon is running in rootless mode |
|
251 |
+func (daemon *Daemon) Rootless() bool { |
|
251 | 252 |
return daemon.configStore.Rootless |
252 | 253 |
} |
@@ -14,6 +14,7 @@ func (daemon *Daemon) fillPlatformVersion(v *types.Version) {} |
14 | 14 |
func fillDriverWarnings(v *types.Info) { |
15 | 15 |
} |
16 | 16 |
|
17 |
-func (daemon *Daemon) configStoreRootless() bool { |
|
17 |
+// Rootless returns true if daemon is running in rootless mode |
|
18 |
+func (daemon *Daemon) Rootless() bool { |
|
18 | 19 |
return false |
19 | 20 |
} |