Add experimental "rootless" dind variant

[tianon]

This is an alternative proposal to #165 + #168.

This should have roughly the same behavior as the dockerd-rootless.sh script but without the extra depdendency (and frankly I'd love to pull some official vpnkit release binaries too instead of pulling the extras bundle, but I couldn't find any official binary releases nor did it look trivial to build from source). This allows us to iterate on this in between Docker releases as well, if necessary (like pulling in a newer rootlesskit release, for example).

I was toying with automatically adding --experimental as well, but wanted to enforce that being opt-in so that users don't switch without realizing what they're doing (since it does require some changes in usage).

Generally everything should "just work" as automatically as possible, but with the appropriate escape hatches for users who need/want to control the underlying knobs more directly.

Update (2021-03-04): as of 20.10.x, --experimental is no longer required (moby/moby#40759)

[AkihiroSuda]

Thanks for working on this, but I think dockerd-rootless.sh should be still kept as a separate script, so that we don't need to maintain the both upstream script and the downstream script in this repo.

Also, it is highly likely that the content of the script will differ in future revisions.

[AkihiroSuda]

the UID should be configurable as ARG https://github.com/docker-library/docker/pull/165/files#diff-3a278e88442db689fbd14924162365f4R12

[tianon]

Why? Folks shouldn't have to / shouldn't be rebuilding the image (I think the usability of that is way too low) -- the way it's configured, setting a reasonable value for HOME and setting up /etc/subuid and /etc/subgid should be enough for things to work (although some of the tools in use might also require /etc/passwd to be updated, but these are all pretty normal things for running a container as an "arbitrary user" and avoids requiring users to build their own custom images).

[AkihiroSuda]

the UID 1000 is likely to overwrap with other users on the host, and it might break the user's env when the daemon got compromised.

[AkihiroSuda]

Also the number of subuids should be reconfigurable, as some user might want more than 65536 subuids

[tianon]

The goal here is that the user can do something as trivial as the following in order to customize their environment (and thus adjust the numbers to their heart's content):

FROM docker:19.03-dind-rootless
USER root
RUN adduser -h /home/user -D -u 1234 user
RUN echo 'user:101234:65536' >> /etc/subuid
RUN echo 'user:101234:65536' >> /etc/subgid
USER user

(most of this is also easily accomplishable via a docker run line, although a bit more gymnastics are involved)

[tianon]

So, the reason I avoided dockerd-rootless.sh is because the entire script boiled down to setting a couple default values (based on autodetection that we can already assume based on what we include in the image) and doing a couple rm commands after running rootlesskit -- it doesn't seem worth using that script. Do you anticipate more custom setup being required? If so, what kinds of things do you expect and/or why can't dockerd itself perform the necessary setup?

[AkihiroSuda]

Do you anticipate more custom setup being required?

I don't know, but something may change when we get support fo cgroup (v2).
Anyway, we can revisit this when we face some real issue.

[AkihiroSuda]

FYI: the origin of the binary is djs55/vpnkit image https://github.com/moby/moby/blob/7cfd8146dc6089a5f21415dc4c0a609a93c507fe/Dockerfile#L249

[AkihiroSuda]

FYI: If you don't like the VPNKit binary footprint, https://github.com/rootless-containers/slirp4netns can be used instead of VPNKit.

slirp4netns is licensed under GPL2 and not included in the docker-rootless-extras.tgz because they didn't want to include GPL2 binary in the same tgz, but probably it doesn't hurt to put slirp4netns in Docker images.

[tianon]

I don't mind the footprint (or vpnkit in general -- I understand it's been used in Docker Desktop for a pretty respectable amount of time now, so it's "tested, tried, and true" so to speak) -- the issue I've got is with the need to pull this extra bundle which we then have to wait for a new Docker release to get an update to if there happens to be some issue that's resolved in a newer release of vpnkit, so it'd be really neat to get some official binary releases there, but I think that's a pretty minor issue at this point (vpnkit is pretty provably solid, as noted).

[AkihiroSuda]

I'd prefer setting ENV XDG_RUNTIME_DIR here so that it is visible to docker exec processes

[AkihiroSuda]

and also DOCKER_HOST for docker exec docker

[tianon]

The expected usage there would be either docker exec -it docker-entrypoint.sh sh or docker exec docker-entrypoint.sh version, etc (using the same functionality as docker run docker ... does to set those same variables automatically/appropriately). Along those lines, I'm also going to update dockerd-entrypoint.sh to pass not only docker ... through to docker-entrypoint.sh, but any command that isn't dockerd (which should help with this as well).

[tianon]

Tested latest push via:

$ docker run -it --rm --name dind --privileged -v omg-certs:/certs/client docker:19.03-dind-rootless --experimental
...

$ docker run -it --rm --link dind:docker -v omg-certs:/certs/client docker:19.03-dind-rootless version
Client: Docker Engine - Community
 Version:           19.03.1
 API version:       1.40
 Go version:        go1.12.5
 Git commit:        74b1e89e8a
 Built:             Thu Jul 25 21:17:37 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.1
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.5
  Git commit:       74b1e89e8a
  Built:            Thu Jul 25 21:27:55 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.2.6
  GitCommit:        894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

[tim-gp]

I've tried to spin up without certs per #174 (comment)

$ docker run -it --rm --name dind --privileged docker:19.03.1-dind-rootless --experimental

I get [rootlesskit:child ] error: executing [[ip tuntap add name tap0 mode tap] [ip link set tap0 address <MAC>]]: exit status 1 on Docker Desktop for Mac 2.1.0.0.

[AkihiroSuda]

opened docker/for-mac#3838 for Docker fo Mac issue