
Commit 1cc9efe

author
Alexey
authored
Merge branch 'rootless-containers:master' into arch_in_dockerfile
2 parents 1c97f79 + 530859a commit 1cc9efe


9 files changed

+104
-20
lines changed


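--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -186,6 +186,12 @@ jobs:
 test-integration-docker:
 name: "Integration test (Docker)"
 runs-on: ubuntu-24.04
+strategy:
+fail-fast: false
+matrix:
+# The design of the proxy was changed in Docker v28.
+# rootlesskit-docker-proxy is no longer used since Docker v28.
+docker_version: [27.5.1, 28.0.1]
 steps:
 - name: "Set up AppArmor"
 run: |
@@ -201,7 +207,9 @@ jobs:
 - name: "Check out"
 uses: actions/checkout@v4
 - name: "Build integration test image"
-run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker .
+run: DOCKER_BUILDKIT=1 docker build -t rootlesskit:test-integration-docker --target test-integration-docker --build-arg DOCKER_VERSION .
+env:
+DOCKER_VERSION: ${{ matrix.docker_version }}
 - name: "Create a custom network to avoid IP confusion"
 run: docker network create custom
 - name: "Docker Integration test: net=slirp4netns, port-driver=builtin"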

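--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -16,7 +16,7 @@ on:
 
 jobs:
 release:
-runs-on: ubuntu-22.04
+runs-on: ubuntu-24.04
 # The maximum access is "read" for PRs from public forked repos
 # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
 permissions: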

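--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
-ARG GO_VERSION=1.23
+ARG GO_VERSION=1.24
 ARG UBUNTU_VERSION=24.04
 ARG SHADOW_VERSION=4.16.0
-ARG SLIRP4NETNS_VERSION=v1.3.1
+ARG SLIRP4NETNS_VERSION=v1.3.2
 ARG VPNKIT_VERSION=0.5.0
-ARG PASST_VERSION=2024_12_11.09478d5
-ARG DOCKER_VERSION=27.5.0
+ARG PASST_VERSION=2025_02_17.a1e48a0
+ARG DOCKER_VERSION=28.0.1
 ARG DOCKER_CHANNEL=stable
 # also tested with aarch64
 ARG ARCH=x86_64
@@ -96,13 +96,19 @@ ENV LD_LIBRARY_PATH=/home/user/lib
 WORKDIR /home/user/hack
 
 FROM test-integration AS test-integration-docker
-COPY --from=artifact /rootlesskit-docker-proxy /home/user/bin/
 ARG DOCKER_VERSION
 ARG DOCKER_CHANNEL
 ARG ARCH
 RUN curl -fsSL https://download.docker.com/linux/static/${DOCKER_CHANNEL}/${ARCH}/docker-${DOCKER_VERSION}.tgz | tar xz --strip-components=1 -C /home/user/bin/
 RUN curl -fsSL -o /home/user/bin/dockerd-rootless.sh https://raw.githubusercontent.com/moby/moby/v${DOCKER_VERSION}/contrib/dockerd-rootless.sh && \
 chmod +x /home/user/bin/dockerd-rootless.sh
+# rootlesskit-docker-proxy is no longer needed since Docker v28
+RUN --mount=source=/rootlesskit-docker-proxy,target=/tmp/rootlesskit-docker-proxy,from=artifact <<EOT
+set -ex
+if [ "$(echo ${DOCKER_VERSION} | cut -d . -f 1)" -lt "28" ]; then
+cp -a /tmp/rootlesskit-docker-proxy /home/user/bin
+fi
+EOT
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns
 ENV DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin
 ENV DOCKER_HOST=unix:///run/user/2000/docker.sock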
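Review bot: The major-version test in the new RUN heredoc, `if [ "$(echo ${DOCKER_VERSION} | cut -d . -f 1)" -lt "28" ]`, forks two processes for a prefix the shell can take directly and leaves `${DOCKER_VERSION}` unquoted before `cut` sees it; `if [ "${DOCKER_VERSION%%.*}" -lt 28 ]; then` reads the same and has neither issue. Either form makes `[` fail, and `set -e` abort the build, if the build arg ever carries a non-numeric prefix such as a leading `v`; that looks like the intended fail-closed behaviour, but it deserves a line above the RUN, e.g. `# DOCKER_VERSION must start with a bare major number (no "v" prefix)`, since the same value is also interpolated into the download URLs a few lines up.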

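--- a/cmd/rootlesskit/main.go
+++ b/cmd/rootlesskit/main.go
@@ -15,6 +15,7 @@ import (
 "github.com/sirupsen/logrus"
 "github.com/urfave/cli/v2"
 
+"github.com/rootless-containers/rootlesskit/v2/cmd/rootlesskit/unshare"
 "github.com/rootless-containers/rootlesskit/v2/pkg/child"
 "github.com/rootless-containers/rootlesskit/v2/pkg/common"
 "github.com/rootless-containers/rootlesskit/v2/pkg/copyup/tmpfssymlink"
@@ -41,6 +42,10 @@ const (
 )
 
 func main() {
+if checkUnshareHelper() {
+unshare.Main()
+return
+}
 iAmActivationHelper := checkActivationHelper()
 iAmChild := os.Getenv(pipeFDEnvKey) != ""
 id := "parent"
@@ -701,3 +706,7 @@ func createActivationOpts(clicontext *cli.Context) (activation.Opt, error) {
 }
 return opt, nil
 }
+
+func checkUnshareHelper() bool {
+return filepath.Base(os.Args[0]) == "unshare"
+}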
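Review bot: checkUnshareHelper in the last hunk has no comment explaining the protocol it relies on: the process becomes the embedded unshare(1) replacement solely because argv[0] is "unshare", which pkg/child arranges by keeping the "unshare" argv while pointing Path at its own executable, and that contract is easy to break from either side. I would add a two-line comment above the function stating that pkg/child sets argv[0] to "unshare" while executing os.Executable(), and guard the index so the helper cannot panic on an empty argv: `return len(os.Args) > 0 && filepath.Base(os.Args[0]) == "unshare"`. The new branch in main runs before checkActivationHelper and before any flag parsing, so an invocation renamed to "unshare" never reaches the normal CLI; that appears intentional but is worth stating in the same comment. main continues outside the hunk.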

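--- /dev/null
+++ b/cmd/rootlesskit/unshare/unshare.go
@@ -0,0 +1,53 @@
+package unshare
+
+import (
+"errors"
+"fmt"
+"os"
+"os/exec"
+"syscall"
+
+"github.com/rootless-containers/rootlesskit/v2/pkg/common"
+"github.com/rootless-containers/rootlesskit/v2/pkg/version"
+"github.com/urfave/cli/v2"
+)
+
+func Main() {
+app := cli.NewApp()
+app.Name = "unshare"
+app.HideHelpCommand = true
+app.Version = version.Version
+app.Usage = "Reimplementation of unshare(1)"
+app.UsageText = "unshare [global options] [arguments...]"
+app.Flags = append(app.Flags, &cli.BoolFlag{
+Name: "n,net",
+Usage: "unshare network namespace",
+})
+app.Action = action
+if err := app.Run(os.Args); err != nil {
+fmt.Fprintf(os.Stderr, "[rootlesskit:unshare] error: %v\n", err)
+// propagate the exit code
+code, ok := common.GetExecExitStatus(err)
+if !ok {
+code = 1
+}
+os.Exit(code)
+}
+}
+
+func action(clicontext *cli.Context) error {
+ctx := clicontext.Context
+if clicontext.NArg() < 1 {
+return errors.New("no command specified")
+}
+cmdFlags := clicontext.Args().Slice()
+cmd := exec.CommandContext(ctx, cmdFlags[0], cmdFlags[1:]...)
+cmd.Stdin = os.Stdin
+cmd.Stdout = os.Stdout
+cmd.Stderr = os.Stderr
+cmd.SysProcAttr = &syscall.SysProcAttr{}
+if clicontext.Bool("n") {
+cmd.SysProcAttr.Cloneflags |= syscall.CLONE_NEWNET
+}
+return cmd.Run()
+}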
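Review bot: The BoolFlag in Main is declared with the urfave/cli v1 name syntax `Name: "n,net"`, but this module imports cli/v2, which models short names through `Aliases`; as far as I recall v2 truncates a comma-separated Name at the first comma, so `-n` works (and `clicontext.Bool("n")` in action matches it) while `--net` is most likely not accepted at all. Declare it as `&cli.BoolFlag{Name: "net", Aliases: []string{"n"}, Usage: "unshare network namespace"}` and read it with `clicontext.Bool("net")`. The package also has no doc comment; a one-liner on Main saying this is the argv[0]-dispatched unshare replacement used by pkg/child, and that only the network namespace is supported, would save the next reader a trip through cmd/rootlesskit/main.go. In action, `cmdFlags` holds the positional command and its arguments rather than flags, so `args` would describe it better.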

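--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/rootless-containers/rootlesskit/v2
 
-go 1.23
+go 1.23.0
 
 require (
 github.com/Masterminds/semver/v3 v3.3.1
@@ -13,8 +13,8 @@ require (
 github.com/moby/vpnkit v0.5.0
 github.com/sirupsen/logrus v1.9.3
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
-github.com/urfave/cli/v2 v2.27.5
-golang.org/x/sys v0.30.0
+github.com/urfave/cli/v2 v2.27.6
+golang.org/x/sys v0.31.0
 gotest.tools/v3 v3.5.2
 )
 
@@ -25,5 +25,5 @@ require (
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-golang.org/x/net v0.33.0 // indirect
+golang.org/x/net v0.36.0 // indirect
 )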

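--- a/go.sum
+++ b/go.sum
@@ -49,19 +49,19 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
 github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
-github.com/urfave/cli/v2 v2.27.5 h1:WoHEJLdsXr6dDWoJgMq/CboDmyY/8HMMH1fTECbih+w=
-github.com/urfave/cli/v2 v2.27.5/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
+github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g=
+github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4=
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=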

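--- a/pkg/child/child.go
+++ b/pkg/child/child.go
@@ -583,8 +583,16 @@ func NewNetNsWithPathWithoutEnter(p string) error {
 if err := os.WriteFile(p, nil, 0400); err != nil {
 return err
 }
+selfExe, err := os.Executable()
+if err != nil {
+return err
+}
 // this is hard (not impossible though) to reimplement in Go: https://github.com/cloudflare/slirpnetstack/commit/d7766a8a77f0093d3cb7a94bd0ccbe3f67d411ba
 cmd := exec.Command("unshare", "-n", "mount", "--bind", "/proc/self/ns/net", p)
+// Use our own implementation of unshare that is embedded in RootlessKit, so as to
+// avoid /etc/apparmor.d/unshare-userns-restrict on Ubuntu 25.04.
+// https://github.com/rootless-containers/rootlesskit/issues/494
+cmd.Path = selfExe
 out, err := cmd.CombinedOutput()
 if err != nil {
 return fmt.Errorf("failed to execute %v: %w (out=%q)", cmd.Args, err, string(out))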
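Review bot: Overriding `cmd.Path = selfExe` after `exec.Command("unshare", ...)` does not undo the PATH lookup that exec.Command already performed: since Go 1.19 a failed LookPath is recorded in cmd.Err and CombinedOutput returns it, so on a host where util-linux `unshare` is absent from PATH this call still fails even though that binary is never executed, and the error message will name "unshare" rather than the real path. Build the command from the executable and only spoof argv[0], which is what checkUnshareHelper in cmd/rootlesskit keys on: `cmd := exec.Command(selfExe, "-n", "mount", "--bind", "/proc/self/ns/net", p)` followed by `cmd.Args[0] = "unshare"`. The comment above the old exec line, about reimplementing this in Go, now sits next to code that does exactly that and should be reworded or dropped. NewNetNsWithPathWithoutEnter starts and ends outside the hunk.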

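--- a/pkg/version/version.go
+++ b/pkg/version/version.go
@@ -1,3 +1,3 @@
 package version
 
-const Version = "2.3.2+dev"
+const Version = "2.3.4+dev"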
