rootless: expose ports automatically #38913

Merged
merged 1 commit into from Apr 3, 2019

@AkihiroSuda
Member

AkihiroSuda commented Mar 20, 2019

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

- What I did

Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with `--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.

The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.

New binaries built from RootlessKit repo:

  • rootlesskit-docker-proxy: drop-in replacement for docker-proxy. Needed for exposing ports.
  • rootlessctl: RootlessKit REST API client. Added only for ease of debugging, as in ctr.

RootlessKit changes: rootless-containers/rootlesskit@7bbbc48...ed26714

- How I did it

By using rootlesskit-docker-proxy with RootlessKit's builtin port driver.

- How to verify it

$ dockerd-rootless.sh --experimental --userland-proxy --userland-proxy-path=$(which rootlesskit-docker-proxy)
$ export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
$ docker run -d -p 8080:80 nginx:alpine
$ w3m http://localhost:8080

- Description for the changelog

rootless: expose ports automatically

- A picture of a cute animal (not mandatory but encouraged)

penguin

https://upload.wikimedia.org/wikipedia/commons/f/f5/Little_Penguin_Feb09.jpg

@AkihiroSuda

Member Author

AkihiroSuda commented Mar 20, 2019

rootless: expose ports automatically
Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.

The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.

RootlessKit changes: rootless-containers/rootlesskit@7bbbc48...ed26714

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
@codecov


codecov bot commented Mar 25, 2019

Codecov Report

Merging #38913 into master will decrease coverage by 0.13%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #38913      +/-   ##
==========================================
- Coverage   36.91%   36.78%   -0.14%     
==========================================
  Files         614      614              
  Lines       45380    46127     +747     
==========================================
+ Hits        16754    16969     +215     
- Misses      26337    26828     +491     
- Partials     2289     2330      +41
@AkihiroSuda

Member Author

AkihiroSuda commented Mar 26, 2019

@tonistiigi can we get this in 19.03?

@AkihiroSuda

Member Author

AkihiroSuda commented Apr 2, 2019

@thaJeztah

Member

thaJeztah commented Apr 2, 2019

I asked @tonistiigi and @tiborvass to have a look 😥🤗

@djs55


djs55 commented Apr 2, 2019

Looks good to me!

@thaJeztah
Member

thaJeztah left a comment

thanks @djs55. I'll copy your LGTM

but would love a quick look from @tonistiigi and/or @tiborvass 😄

@tiborvass

Collaborator

tiborvass commented Apr 2, 2019

@AkihiroSuda I couldn't get this to work inside the dev container.

$ docker run --name test -dit -p 1000:5000/tcp tiborvass/netcat nc -l -p 5000
9848d1fe9511328ebf84199fafd28f78e7bafdab1a6ddebce955398292e672bf
docker: Error response from daemon: driver failed programming external connectivity on endpoint test (9ff63a025c70566db7330602fced8c1759aba2f82c00cbf04b07a7c90b0562ff): Error starting userland proxy:.

Daemon logs:

time="2019-04-02T22:07:20.041164565Z" level=warning msg="Failed to allocate and map port 1000-1000: Error starting userland proxy: "
time="2019-04-02T22:07:20.104852910Z" level=warning msg="9848d1fe9511328ebf84199fafd28f78e7bafdab1a6ddebce955398292e672bf cleanup: failed to unmount IPC: umount /home/foo/.local/share/docker/containers/9848d1fe9511328ebf84199fafd28f78e7bafdab1a6ddebce955398292e672bf/mounts/shm, flags: 0x2: no such file or directory"
time="2019-04-02T22:07:20.105603920Z" level=error msg="9848d1fe9511328ebf84199fafd28f78e7bafdab1a6ddebce955398292e672bf cleanup: failed to delete container from containerd: no such container"
time="2019-04-02T22:07:20.105668562Z" level=error msg="Handler for POST /v1.30/containers/9848d1fe9511328ebf84199fafd28f78e7bafdab1a6ddebce955398292e672bf/start returned error: driver failed programming external connectivity on endpoint test (9ff63a025c70566db7330602fced8c1759aba2f82c00cbf04b07a7c90b0562ff): Error starting userland proxy: "

When I start rootlesskit-docker-proxy manually to test it, it says:

2019/04/02 22:09:23 $ROOTLESSKIT_STATE_DIR needs to be set

So I don't know if that's something one of your binaries is setting.

@AkihiroSuda

Member Author

AkihiroSuda commented Apr 3, 2019

> -p 1000:5000/tcp tiborvass/netcat nc -l -p 5000

You can't listen on a port number below 1024 unless you have CAP_NET_BIND_SERVICE

> 2019/04/02 22:09:23 $ROOTLESSKIT_STATE_DIR needs to be set

Please make sure to have rootlesskit v0.3.0-beta.0 or later? rootless-containers/rootlesskit@732a90a
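The host-port constraint from the PR description (host port >= 1024, no SCTP) and the failing `-p 1000:5000/tcp` case discussed above, as an added preflight check that is not part of moby or RootlessKit; `rootless_port_ok` is a hypothetical helper assumed here, and it does not handle the bracketed IPv6 host syntax:

```shell
#!/bin/sh
# Preflight check for `docker run -p` specs under rootless dockerd with
# rootlesskit-docker-proxy: the host-side port must be >= 1024 (no
# CAP_NET_BIND_SERVICE inside the user namespace) and SCTP is unsupported.
# Hypothetical helper written for this thread, not moby/RootlessKit code.

# rootless_port_ok SPEC
# SPEC has Docker's form [ip:]hostPort[:containerPort][/proto]; hostPort may
# be a range like 8000-8010. Returns 0 if rootlesskit-docker-proxy can set up
# the mapping, 1 (with a reason on stderr) otherwise.
rootless_port_ok() {
    spec=$1
    proto=tcp
    case $spec in
        */*) proto=${spec##*/}; spec=${spec%/*} ;;
    esac
    case $proto in
        sctp) echo "reject $1: SCTP ports are unsupported in rootless mode" >&2; return 1 ;;
        tcp|udp) ;;
        *) echo "reject $1: unknown protocol $proto" >&2; return 1 ;;
    esac
    # Field count decides the layout: ip:host:container, host:container, container.
    case $spec in
        *:*:*) rest=${spec#*:}; hostport=${rest%%:*} ;;
        *:*)   hostport=${spec%%:*} ;;
        *)     hostport="" ;;   # host port chosen by the daemon from its ephemeral range
    esac
    [ -z "$hostport" ] && return 0
    low=${hostport%%-*}         # low end of a range, or the port itself
    case $low in
        ''|*[!0-9]*) echo "reject $1: bad host port $hostport" >&2; return 1 ;;
    esac
    if [ "$low" -lt 1024 ]; then
        echo "reject $1: host port $low < 1024 needs CAP_NET_BIND_SERVICE, unavailable rootless" >&2
        return 1
    fi
    if [ "$low" -gt 65535 ]; then
        echo "reject $1: host port $low is out of range" >&2
        return 1
    fi
    return 0
}

# Constructed sample specs: the PR's verification mapping and the one that failed.
for spec in 8080:80 1000:5000/tcp 2000:5000/tcp; do
    rootless_port_ok "$spec" && echo "ok $spec"
done
```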

@tiborvass

Collaborator

tiborvass commented Apr 3, 2019

@AkihiroSuda ok that worked. I tried with 2000.

I was testing inside the dev container from moby's Dockerfile, which should have the correct version of rootlesskit. It's just that I was running it manually from bash.

@tiborvass tiborvass merged commit a0d64a3 into moby:master Apr 3, 2019

9 checks passed

  • codecov/patch: Coverage not affected when comparing 3d72963...f0b405f
  • codecov/project: 36.78% (-0.14%) compared to 3d72963
  • dco-signed: All commits are signed
  • experimental: Jenkins build Docker-PRs-experimental 44548 has succeeded
  • janky: Jenkins build Docker-PRs 53416 has succeeded
  • powerpc: Jenkins build Docker-PRs-powerpc 13753 has succeeded
  • windowsRS1: Jenkins build Docker-PRs-WoW-RS1 24558 has succeeded
  • windowsRS5-process: Jenkins build Docker-PRs-WoW-RS5-Process 1843 has succeeded
  • z: Jenkins build Docker-PRs-s390x 13645 has succeeded
@AkihiroSuda

Member Author

AkihiroSuda commented Apr 3, 2019

19.03: docker#189

AkihiroSuda added a commit to AkihiroSuda/docker-install that referenced this pull request Apr 3, 2019

rootless: use rootlesskit-docker-proxy
ref: moby/moby#38913

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

AkihiroSuda added a commit to AkihiroSuda/docker-ce-packaging that referenced this pull request Apr 12, 2019

add rootlesskit-docker-proxy
For moby/moby#38913

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>

docker-jenkins pushed a commit to docker/docker-ce that referenced this pull request Apr 13, 2019

add rootlesskit-docker-proxy
For moby/moby#38913

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Upstream-commit: 348476bafa0623a3f82e88710b6089a69418fe6e
Component: packaging