Publish checksums and/or signed packages

[konstruktoid]

https://download.docker.com/linux/static/, https://get.docker.com/rootless, https://docs.docker.com/engine/security/rootless/ and https://docs.docker.com/engine/release-notes/ lacks any information about manual package verification or package checksums.

When following the instruction on how to run the Docker daemon as a non-root user curl -fsSL https://get.docker.com/rootless | sh is recommended by the documentation.
There is however no verification of the downloaded packages or information on how to verify the downloaded packages in https://github.com/docker/docker-install/blob/master/rootless-install.sh

Code ref: https://github.com/docker/docker-ce-packaging/blob/master/static/hash_files

[justincormack]

Hi, rootless support is now in the 20.10 official release, so these rootless specific packages are no longer recommended.

[konstruktoid]

Hi @justincormack, that's good to know but where is that documented?

https://docs.docker.com/engine/security/rootless/#manual-installation says "To install the binaries manually without using the installer, extract docker-rootless-extras-.tgz along with docker-.tgz from https://download.docker.com/linux/static/stable/x86_64/".
https://docs.docker.com/engine/security/rootless/#install says "The installation script is available at https://get.docker.com/rootless".
Checking the script at https://github.com/docker/docker-install/blob/master/rootless-install.sh#L37-L50, e.g:

echo "# Installing stable version ${STABLE_LATEST}"
STATIC_RELEASE_URL="https://download.docker.com/linux/static/$CHANNEL/$(uname -m)/docker-${STABLE_LATEST}.tgz"
STATIC_RELEASE_ROOTLESS_URL="https://download.docker.com/linux/static/$CHANNEL/$(uname -m)/docker-rootless-extras-${STABLE_LATEST}.tgz"

and that's for 20.10.2 (docker/docker-install@f9cd662).

[justincormack]

Oh I see, yes the standalone static binaries are not signed, only packages. In general I would not recommend using them as there are potential issues, you would be better off building binaries linked against your own distribution for production use, if the packages we build are not sufficient. Which platform are you using?

[konstruktoid]

Ubuntu 20.04 (Focal) on x86_64.

But how should rootless Docker be installed if the current documentation is incomplete, or incorrect?

[justincormack]

Let me take a look, this looks unsatisfactory to me.

[AkihiroSuda]

The most recommended way as of 20.10 is to just install Docker as root and then run dockerd-rootless-setuptool.sh install as non-root.

Using get.docker.com/rootless is still valid, but should be used only when the user has no access to RPM/DEB.

[konstruktoid]

So the recommended way is the two line instruction under https://docs.docker.com/engine/security/rootless/#manual-installation?

Why require a root user when the installation instructions, https://docs.docker.com/engine/security/rootless/#install, works perfectly fine compared to the manual installation (see below) as a non-root user?

But this issue is actually regarding missing official Docker checksums and/or signed packages.

Even if I use the rootful packages (curl -sSL get.docker.com | sh) and leave verification to dnf or apt-get, the required docker-rootless-extras-<version>.tgz is still lacking any form of verification.

~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal
~$ curl -sSL get.docker.com | sh
[...]
Client: Docker Engine - Community
 Version:           20.10.3
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        48d30b5
 Built:             Fri Jan 29 14:33:21 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.3
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       46229ca
  Built:            Fri Jan 29 14:31:32 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
[...]
~$ dpkg -l | grep -E 'runc|container|docker'
ii  containerd.io                  1.4.3-1                           amd64        An open and reliable container runtime
ii  docker-ce                      5:20.10.3~3-0~ubuntu-focal        amd64        Docker: the open-source application container engine
ii  docker-ce-cli                  5:20.10.3~3-0~ubuntu-focal        amd64        Docker CLI: the open-source application container engine
~$ for d in containerd.io docker-ce docker-ce-cli; do dpkg-query -L "${d}" | grep root || echo 'nothing containing root'; done
nothing containing root
nothing containing root
nothing containing root
~$ wget https://download.docker.com/linux/static/stable/x86_64/docker-rootless-extras-20.10.3.tgz
[...]
~$ tar -xzf docker-rootless-extras-20.10.3.tgz
~$ mv docker-rootless-extras bin
~$ export PATH=~/bin/:$PATH
~$ echo $PATH
/home/vagrant/bin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
~$ sudo apt-get -y install uidmap
[...]
~$ dockerd-rootless-setuptool.sh install
[...]
~$ grep -E 'export.*(DOCKER_HOST|XDG_RUNTIME_DIR)=' bin/dockerd-rootless-setuptool.sh
                export XDG_RUNTIME_DIR="$HOME/.docker/run"
                echo "export XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}"
        echo "export DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/docker.sock"
~$ echo $DOCKER_HOST $XDG_RUNTIME_DIR
unix:///home/vagrant/.docker/run/docker.sock /home/vagrant/.docker/run
~$ docker ps
Cannot connect to the Docker daemon at unix:///home/vagrant/.docker/run/docker.sock. Is the docker daemon running?
~$ systemctl status --user docker | grep listen
Feb 02 18:17:45 focal dockerd-rootless.sh[22136]: time="2021-02-02T18:17:45.617045861Z" level=info msg="API listen on /run/user/1000/docker.sock"

[AkihiroSuda]

Why require a root user

Simply because rpm (dnf) and dpkg (apt) requires root.

the required docker-rootless-extras-.tgz

You do not need this tgz since 20.10, as it is now included in rpm/dpkg.

[konstruktoid]

What am I missing? See the code snippet above and the code below.

Also, "if you already have the Docker daemon running as the root, you only need to extract docker-rootless-extras-<version>.tgz" is the only thing mentioning this. Not that "you do not need this tgz since 20.10, as it is now included in rpm/dpkg."

~$ curl -sSL get.docker.com | sh
# Executing docker install script, commit: 3d8fe77c2c46c5b7571f94b42793905e5b3e42e4
+ sudo -E sh -c apt-get update -qq >/dev/null
[...]
+ sudo -E sh -c docker version
Client: Docker Engine - Community
 Version:           20.10.3
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        48d30b5
 Built:             Fri Jan 29 14:33:21 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.3
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       46229ca
  Built:            Fri Jan 29 14:31:32 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
[...]
~$ dpkg -l | grep -E 'runc|container|docker'
ii  containerd.io                  1.4.3-1                           amd64        An open and reliable container runtime
ii  docker-ce                      5:20.10.3~3-0~ubuntu-focal        amd64        Docker: the open-source application container engine
ii  docker-ce-cli                  5:20.10.3~3-0~ubuntu-focal        amd64        Docker CLI: the open-source application container engine
~$ for d in containerd.io docker-ce docker-ce-cli; do dpkg-query -L "${d}" | grep dockerd || echo 'nothing containing dockerd'; done
nothing containing dockerd
/usr/bin/dockerd
/usr/share/man/man8/dockerd.8.gz
~$ for d in containerd.io docker-ce docker-ce-cli; do dpkg-query -L "${d}" | grep setup || echo 'nothing containing setup'; done
nothing containing setup
nothing containing setup
nothing containing setup
~$ for d in containerd.io docker-ce docker-ce-cli; do dpkg-query -L "${d}" | grep root || echo 'nothing containing root'; done
nothing containing root
nothing containing root
nothing containing root
~$ sudo find / -name '*rootless*' -type f
/usr/share/doc/dpkg-dev/rootless-builds.txt.gz

[AkihiroSuda]

This one is expected to be installed by default, but seems not working on your environment? https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/docker-ce-rootless-extras_20.10.3~3-0~ubuntu-focal_amd64.deb

Anyway, the doc page is outdated and needs to be updated. I'll look into the doc later.

[konstruktoid]

Ah, it's a separate package named docker-ce-rootless-extras. That package isn't mentioned anywhere on https://docs.docker.com/engine/security/rootless/.

The following works:

~$ sudo apt-get -y install uidmap docker-ce-rootless-extras
~$ dockerd-rootless-setuptool.sh install

[AkihiroSuda]

Attempting to improve docs docker/docs#12234