diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6a61659
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,30 @@
+FROM registry.fedoraproject.org/fedora:rawhide
+
+ENV VERSION=0 RELEASE=1 ARCH=x86_64
+LABEL com.redhat.component="docker" \
+ name="docker" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ usage="atomic install --system --system-package=no docker && systemctl start docker" \
+ summary="The docker daemon as a system container." \
+ maintainer="Giuseppe Scrivano " \
+ atomic.type="system"
+
+RUN dnf install --setopt=tsflags=nodocs -y docker container-storage-setup container-selinux cloud-utils-growpart python-docker-py docker-novolume-plugin lvm2 iptables procps-ng xz oci-register-machine \
+ && rpm -V docker container-storage-setup container-selinux cloud-utils-growpart python-docker-py docker-novolume-plugin lvm2 iptables procps-ng xz oci-register-machine \
+ && mkdir -p /usr/lib/modules && dnf clean all
+
+RUN ln -s /usr/libexec/docker/docker-runc-current /usr/bin/docker-runc
+
+COPY README.md /
+COPY shim.sh init.sh /usr/bin/
+
+# system container
+COPY set_mounts.sh /
+COPY config.json.template service.template tmpfiles.template /exports/
+COPY daemon.json /exports/hostfs/etc/docker/container-daemon.json
+# https://github.com/rhatdan/oci-umount/issues/2
+RUN cp /etc/oci-umount.conf /exports/hostfs/etc
+
+CMD ["/usr/bin/init.sh"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5731492
--- /dev/null
+++ b/README.md
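Review bot: The `release="$RELEASE.$DISTTAG"` label expands `$DISTTAG`, but the only variables this Dockerfile defines are `ENV VERSION=0 RELEASE=1 ARCH=x86_64`, so unless `DISTTAG` is injected at build time the label is baked as `1.`; declaring it alongside the others (`ARG DISTTAG=` with a documented default, redeclared in the stage) makes the label deterministic. The `maintainer` value also appears to have lost its e-mail address, though that may be a rendering artifact. Separately, `FROM registry.fedoraproject.org/fedora:rawhide` is a rolling tag, so two builds of the same commit can pull different package sets even though `rpm -V` verifies what was installed; pinning a release tag or a digest would make the image reproducible.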
@@ -0,0 +1,60 @@
+# docker
+
+This is the docker daemon system container for Fedora systems based on the moby project.
+For more information refer to: https://github.com/moby/moby
+
+Note this only provides the *daemon process*, and does not include CLI tools. The current use
+case for this would be switching between different versions of docker by updating the container.
+
+## Building the image from source:
+
+```
+# git clone https://github.com/projectatomic/atomic-system-containers
+# cd atomic-system-containers/docker-fedora
+# docker build -t docker .
+```
+
+## Running the system container, with the atomic CLI:
+
+Pull from registry into ostree:
+
+```
+# atomic pull --storage ostree $REGISTRY/docker
+```
+
+Or alternatively, pull from local docker:
+
+```
+# atomic pull --storage ostree docker:docker:latest
+```
+
+Install the container:
+
+Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
+during installation. This flag will tell the atomic CLI to fall back to copying files to the
+host instead.
+
+```
+# atomic install --system --system-package=no --name=docker ($REGISTRY)/docker
+
+Note that if you have the package docker locally, you would need to use another
+name for the service (i.e. --name=docker-system-container, etc.)
+```
+
+Start as a systemd service:
+
+```
+# systemctl start docker
+```
+
+Stopping the service
+
+```
+# systemctl stop docker
+```
+
+Removing the container
+
+```
+# atomic uninstall docker
+```
diff --git a/config.json.template b/config.json.template
new file mode 100644
index 0000000..3ce615c
--- /dev/null
+++ b/config.json.template
@@ -0,0 +1,399 @@
+{
+ "ociVersion": "1.0.0",
+ "platform": {
+ "os": "linux",
+ "arch": "amd64"
+ },
+ "process": {
+ "terminal": false,
+ "user": {
+ "uid": 0,
+ "gid": 0
+ },
+ "args": [
+ "/usr/bin/init.sh"
+ ],
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
+ "NAME=$NAME"
+ ],
+ "cwd": "/",
+ "capabilities": {
+ "bounding": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "permitted": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "inheritable": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "effective": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "ambient": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ]
+ },
+ "noNewPrivileges": false
+ },
+ "root": {
+ "path": "rootfs",
+ "readonly": true
+ },
+ "mounts": [
+ {
+ "source": "/tmp",
+ "destination": "/tmp",
+ "type": "bind",
+ "options": [
+ "private",
+ "bind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc",
+ "destination": "/etc",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/lib/modules",
+ "destination": "/lib/modules",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/root",
+ "destination": "/root",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/home",
+ "destination": "/home",
+ "options": [
+ "rbind",
+ "rprivate",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/mnt",
+ "destination": "/mnt",
+ "options": [
+ "rbind",
+ "rw",
+ "rprivate",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/usr/share/rhel",
+ "destination": "/usr/share/rhel",
+ "options": [
+ "rprivate",
+ "rbind",
+ "ro",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}",
+ "destination": "/run",
+ "options": [
+ "rshared",
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/run/systemd",
+ "destination": "/run/systemd",
+ "options": [
+ "rslave",
+ "bind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/var/log",
+ "destination": "/var/log",
+ "options": [
+ "rbind",
+ "rslave",
+ "rw"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${STATE_DIRECTORY}",
+ "destination": "/var/lib",
+ "options": [
+ "rbind",
+ "rshared",
+ "rw"
+ ]
+ },
+ {
+ "source": "/dev",
+ "destination": "/dev",
+ "type": "bind",
+ "options": [
+ "rprivate",
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "source": "/sys",
+ "destination": "/sys",
+ "type": "bind",
+ "options": [
+ "rprivate",
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "source": "/proc",
+ "destination": "/proc",
+ "type": "proc",
+ "options": [
+ "private"
+ ]
+ }
+ ],
+ "hooks": {},
+ "linux": {
+ "rootfsPropagation": "private",
+ "resources": {
+ "devices": [
+ {
+ "allow": true,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "mount"
+ }
+ ],
+ "selinuxProcessLabel": "system_u:system_r:container_runtime_t:s0"
+ }
+}
diff --git a/daemon.json b/daemon.json
new file mode 100644
index 0000000..ea5e789
--- /dev/null
+++ b/daemon.json
@@ -0,0 +1,13 @@
+
+{
+ "authorization-plugins": ["rhel-push-plugin"],
+ "default-runtime": "oci",
+ "containerd": "/run/containerd.sock",
+ "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current",
+ "exec-opts": ["native.cgroupdriver=systemd"],
+ "runtimes": {
+ "oci": {
+ "path": "/usr/libexec/docker/docker-runc-current"
+ }
+ }
+}
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..ac03b38
--- /dev/null
+++ b/init.sh
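Review bot: The `"source": "/usr/share/rhel"` bind mount has no Fedora counterpart, and nothing in this commit creates that directory; a bind source that is missing on the host will most likely make the runtime refuse to start the container, so the Fedora template should either drop this entry or document that the host must provide the path. The rest of the spec — all 38 capabilities in every one of the five sets, `"noNewPrivileges": false`, an allow-all `"access": "rwm"` device rule, rw `rbind`s of host `/etc`, `/root` and `/home`, and only a `mount` namespace — amounts to host-equivalent privilege, which is presumably intentional for a daemon that manages the host's storage and network. That intent is not stated anywhere; since JSON has no comments, the README is the place to say that the container runs unconfined apart from its SELinux label. The mount option ordering (`"rbind","rprivate","rw"` vs `"rbind","rw","rprivate"` vs `"rprivate","rbind"`) is also inconsistent across entries, which makes diffs against sibling templates noisier than they need to be.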
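Review bot: `"authorization-plugins": ["rhel-push-plugin"]` names a plugin that the Dockerfile's `dnf install` list does not include, and init.sh only launches whatever matches `/usr/libexec/docker/*plugin`, so on this image dockerd will probably fail to initialize its authorization plugin unless the `docker` package pulls `rhel-push-plugin` in as a dependency — worth verifying on a fresh build. Either add the package to the install line or drop the entry from the Fedora variant, since a daemon that cannot reach its authz plugin should not start at all rather than start without it. The leading empty line in the file is harmless but stray.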
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+source /run/docker-bash-env
+
+# set storage first
+(
+ . /etc/sysconfig/docker-storage-setup
+ /usr/bin/docker-storage-setup
+)
+
+getent group docker || groupadd docker
+
+
+# Inhibit sd-notify for docker-containerd, we want to get the notification
+# from the docker process
+NOTIFY_SOCKET=/dev/null /usr/libexec/docker/docker-containerd-current \
+ --listen unix:///run/containerd.sock \
+ --shim /usr/bin/shim.sh &
+
+while test \! -e /run/containerd.sock;
+do
+ sleep 0.1
+done
+
+# Run all the installed containers
+mkdir -p /run/docker/plugins/
+ls -1 /usr/libexec/docker/*plugin | \
+while read i;
+do
+ plugin=$(basename $i)
+ test -e /run/docker/plugins/$plugin.sock || mkfifo /run/docker/plugins/$plugin.sock
+ $i &
+done
+
+exec /usr/bin/dockerd-current \
+ --config-file=/etc/docker/container-daemon.json \
+ $OPTIONS \
+ $DOCKER_STORAGE_OPTIONS \
+ $DOCKER_NETWORK_OPTIONS \
+ $ADD_REGISTRY \
+ $BLOCK_REGISTRY \
+ $INSECURE_REGISTRY
diff --git a/service.template b/service.template
new file mode 100644
index 0000000..f7784d4
--- /dev/null
+++ b/service.template
@@ -0,0 +1,23 @@
+[Unit]
+Description=Docker service
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/docker-storage
+EnvironmentFile=-/etc/sysconfig/docker-network
+Environment=GOTRACEBACK=crash
+ExecStartPre=/bin/sh $DESTDIR/rootfs/set_mounts.sh
+ExecStartPre=/bin/bash -c 'export -p > /run/docker-bash-env'
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=0
+Type=notify
+NotifyAccess=all
+
+[Install]
+WantedBy=multi-user.target
diff --git a/set_mounts.sh b/set_mounts.sh
new file mode 100755
index 0000000..d0e4f73
--- /dev/null
+++ b/set_mounts.sh
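Review bot: The wait loop `while test \! -e /run/containerd.sock` has no exit condition other than the socket appearing, so if docker-containerd exits before creating it the script spins forever, and because service.template sets `TimeoutStartSec=0` systemd will never abort the start either. Record the pid after the `&` with `CONTAINERD_PID=$!` and check it in the loop body, `kill -0 "$CONTAINERD_PID" 2>/dev/null || exit 1`, so a failed containerd start fails the unit instead of hanging it. The plugin loop also parses `ls` output and uses `$i` and `$plugin` unquoted; `for i in /usr/libexec/docker/*plugin; do` with `"$i"` quoted avoids both the word splitting and the `ls` error when nothing matches. The storage-setup subshell swallows its exit status as well, which may be deliberate but deserves a comment saying so.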
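Review bot: `ExecStartPre=/bin/bash -c 'export -p > /run/docker-bash-env'` writes the unit's entire environment, including everything loaded from the two `EnvironmentFile`s, into `/run` under the default umask, so the file is readable by every local user, and init.sh then `source`s it as root. Neither env file is expected to hold credentials, but narrowing the file to root with `ExecStartPre=/bin/bash -c 'umask 077; export -p > /run/docker-bash-env'` costs nothing and keeps registry options and any future secret out of reach of unprivileged users. A comment above the line noting that init.sh consumes this file would also make the coupling between the two files visible.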
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+findmnt /var/lib > /dev/null || mount --bind --make-shared /var/lib /var/lib
+mount --make-shared /run
+findmnt /run/systemd > /dev/null || mount --bind --make-rslave /run/systemd /run/systemd
diff --git a/shim.sh b/shim.sh
new file mode 100755
index 0000000..6cc7879
--- /dev/null
+++ b/shim.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+CONTAINER_PID=$(/usr/libexec/docker/docker-runc-current state $1 | python -c 'import sys; import json; print(json.loads(sys.stdin.read())["pid"])')
+
+if test -n "$CONTAINER_PID"; then
+ WD=$(pwd)
+ SHIM_PID=$(cat /proc/$CONTAINER_PID/status | grep PPid | awk '{print $2}')
+ exec nsenter -C -F --wd=$WD -m -u -i -n -p -t $SHIM_PID /usr/libexec/docker/docker-containerd-shim-current $@
+else
+ exec systemd-run --slice $1 --scope -- /usr/libexec/docker/docker-containerd-shim-current $@
+fi
diff --git a/tmpfiles.template b/tmpfiles.template
new file mode 100644
index 0000000..e6afb1c
--- /dev/null
+++ b/tmpfiles.template
@@ -0,0 +1,3 @@
+d /var/lib/docker - - - - -
+d /var/run/docker - - - - -
+d /var/run/containerd - - - - -
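Review bot: The script has no `set -e`, so a failure of `mount --bind --make-shared /var/lib /var/lib` on line 3 or of `mount --make-shared /run` on line 4 is masked as long as the final `findmnt`/`mount` on line 5 succeeds, and the `ExecStartPre` step reports success while the propagation the daemon relies on for `/var/lib` and `/run` is not in place. Adding `set -e` directly after the shebang makes any failed mount fail the unit before init.sh runs. A one-line comment explaining why each path needs shared or rslave propagation would help the next person who touches the mount list in config.json.template.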
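Review bot: The positional arguments are passed through unquoted — `$1` in `docker-runc-current state $1` and `$@` on both `exec` lines — so any argument containing whitespace or glob characters is split or expanded before it reaches the shim; use `"$1"` and `"$@"`. The `cat … | grep PPid | awk` pipeline collapses to `awk '/^PPid:/ {print $2}' /proc/"$CONTAINER_PID"/status`, which also stops matching a stray `PPid` elsewhere in the file. The interpreter is invoked as bare `python`, which may not be present on Fedora rawhide where only `python3` is guaranteed; if it is missing, the state lookup silently yields an empty pid and every shim falls into the `systemd-run` branch, so the failure is worth at least a diagnostic on stderr.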