Merge branch 'rootless-containers:master' into arch_in_dockerfile

Author: Alexey

.github/workflows/main.yaml

@@ -186,6 +186,12 @@ jobs:
   test-integration-docker:
     name: "Integration test (Docker)"
     runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        # The design of the proxy was changed in Docker v28.
+        # rootlesskit-docker-proxy is no longer used since Docker v28.
+        docker_version: [27.5.1, 28.0.1]
     steps:
     - name: "Set up AppArmor"
       run: |
@@ -201,7 +207,9 @@ jobs:
     - name: "Check out"
       uses: actions/checkout@v4
     - name: "Build integration test image"
-      run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker .
+      run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker --build-arg DOCKER_VERSION .
+      env:
+        DOCKER_VERSION: ${{ matrix.docker_version }}
     - name: "Create a custom network to avoid IP confusion"
       run: docker network create custom
     - name: "Docker Integration test: net=slirp4netns, port-driver=builtin"

.github/workflows/release.yaml

@@ -16,7 +16,7 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # The maximum access is "read" for PRs from public forked repos
     # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
     permissions:

Dockerfile

@@ -1,10 +1,10 @@
-ARG GO_VERSION=1.23
+ARG GO_VERSION=1.24
 ARG UBUNTU_VERSION=24.04
 ARG SHADOW_VERSION=4.16.0
-ARG SLIRP4NETNS_VERSION=v1.3.1
+ARG SLIRP4NETNS_VERSION=v1.3.2
 ARG VPNKIT_VERSION=0.5.0
-ARG PASST_VERSION=2024_12_11.09478d5
-ARG DOCKER_VERSION=27.5.0
+ARG PASST_VERSION=2025_02_17.a1e48a0
+ARG DOCKER_VERSION=28.0.1
 ARG DOCKER_CHANNEL=stable
 # also tested with aarch64
 ARG ARCH=x86_64
@@ -96,13 +96,19 @@ ENV LD_LIBRARY_PATH=/home/user/lib
 WORKDIR /home/user/hack
 
 FROM test-integration AS test-integration-docker
-COPY --from=artifact /rootlesskit-docker-proxy /home/user/bin/
 ARG DOCKER_VERSION
 ARG DOCKER_CHANNEL
 ARG ARCH
 RUN curl -fsSL https://download.docker.com/linux/static/${DOCKER_CHANNEL}/${ARCH}/docker-${DOCKER_VERSION}.tgz | tar xz --strip-components=1 -C /home/user/bin/
 RUN curl -fsSL -o /home/user/bin/dockerd-rootless.sh https://raw.githubusercontent.com/moby/moby/v${DOCKER_VERSION}/contrib/dockerd-rootless.sh && \
   chmod +x /home/user/bin/dockerd-rootless.sh
+# rootlesskit-docker-proxy is no longer needed since Docker v28
+RUN --mount=source=/rootlesskit-docker-proxy,target=/tmp/rootlesskit-docker-proxy,from=artifact <<EOT
+  set -ex
+  if [ "$(echo ${DOCKER_VERSION} | cut -d . -f 1)" -lt "28" ]; then
+    cp -a /tmp/rootlesskit-docker-proxy /home/user/bin
+  fi
+EOT
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin
 ENV DOCKER_HOST=unix:///run/user/2000/docker.sock

cmd/rootlesskit/main.go

@@ -15,6 +15,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 
+	"github.com/rootless-containers/rootlesskit/v2/cmd/rootlesskit/unshare"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/child"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/common"
 	"github.com/rootless-containers/rootlesskit/v2/pkg/copyup/tmpfssymlink"
@@ -41,6 +42,10 @@ const (
 )
 
 func main() {
+	if checkUnshareHelper() {
+		unshare.Main()
+		return
+	}
 	iAmActivationHelper := checkActivationHelper()
 	iAmChild := os.Getenv(pipeFDEnvKey) != ""
 	id := "parent"
@@ -701,3 +706,7 @@ func createActivationOpts(clicontext *cli.Context) (activation.Opt, error) {
 	}
 	return opt, nil
 }
+
+func checkUnshareHelper() bool {
+	return filepath.Base(os.Args[0]) == "unshare"
+}

cmd/rootlesskit/unshare/unshare.go

@@ -0,0 +1,53 @@
+package unshare
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"syscall"
+
+	"github.com/rootless-containers/rootlesskit/v2/pkg/common"
+	"github.com/rootless-containers/rootlesskit/v2/pkg/version"
+	"github.com/urfave/cli/v2"
+)
+
+func Main() {
+	app := cli.NewApp()
+	app.Name = "unshare"
+	app.HideHelpCommand = true
+	app.Version = version.Version
+	app.Usage = "Reimplementation of unshare(1)"
+	app.UsageText = "unshare [global options] [arguments...]"
+	app.Flags = append(app.Flags, &cli.BoolFlag{
+		Name:  "n,net",
+		Usage: "unshare network namespace",
+	})
+	app.Action = action
+	if err := app.Run(os.Args); err != nil {
+		fmt.Fprintf(os.Stderr, "[rootlesskit:unshare] error: %v\n", err)
+		// propagate the exit code
+		code, ok := common.GetExecExitStatus(err)
+		if !ok {
+			code = 1
+		}
+		os.Exit(code)
+	}
+}
+
+func action(clicontext *cli.Context) error {
+	ctx := clicontext.Context
+	if clicontext.NArg() < 1 {
+		return errors.New("no command specified")
+	}
+	cmdFlags := clicontext.Args().Slice()
+	cmd := exec.CommandContext(ctx, cmdFlags[0], cmdFlags[1:]...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.SysProcAttr = &syscall.SysProcAttr{}
+	if clicontext.Bool("n") {
+		cmd.SysProcAttr.Cloneflags |= syscall.CLONE_NEWNET
+	}
+	return cmd.Run()
+}

go.mod

@@ -1,6 +1,6 @@
 module github.com/rootless-containers/rootlesskit/v2
 
-go 1.23
+go 1.23.0
 
 require (
 	github.com/Masterminds/semver/v3 v3.3.1
@@ -13,8 +13,8 @@ require (
 	github.com/moby/vpnkit v0.5.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
-	github.com/urfave/cli/v2 v2.27.5
-	golang.org/x/sys v0.30.0
+	github.com/urfave/cli/v2 v2.27.6
+	golang.org/x/sys v0.31.0
 	gotest.tools/v3 v3.5.2
 )
 
@@ -25,5 +25,5 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/net v0.36.0 // indirect
 )

go.sum

@@ -49,19 +49,19 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
-github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w=
-github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g=
+github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

pkg/child/child.go

@@ -583,8 +583,16 @@ func NewNetNsWithPathWithoutEnter(p string) error {
 	if err := os.WriteFile(p, nil, 0400); err != nil {
 		return err
 	}
+	selfExe, err := os.Executable()
+	if err != nil {
+		return err
+	}
 	// this is hard (not impossible though) to reimplement in Go: https://github.com/cloudflare/slirpnetstack/commit/d7766a8a77f0093d3cb7a94bd0ccbe3f67d411ba
 	cmd := exec.Command("unshare", "-n", "mount", "--bind", "/proc/self/ns/net", p)
+	// Use our own implementation of unshare that is embedded in RootlessKit, so as to
+	// avoid /etc/apparmor.d/unshare-userns-restrict on Ubuntu 25.04.
+	// https://github.com/rootless-containers/rootlesskit/issues/494
+	cmd.Path = selfExe
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("failed to execute %v: %w (out=%q)", cmd.Args, err, string(out))

pkg/version/version.go

@@ -1,3 +1,3 @@
 package version
 
-const Version = "2.3.2+dev"
+const Version = "2.3.4+dev"