-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--copy-up
breaks relative symlinks in child directories
#225
Comments
Thanks for reporting, I guess we should have an option to bind-mount /etc/ssl from the parent |
Hmm, tumbleweed seems massively using relative symlinks for # grep VERSION_ID /etc/os-release
VERSION_ID="20210222"
# find /etc -type l | xargs ls -l | grep -F ..
lrwxrwxrwx 1 root root 21 Feb 22 23:20 /etc/os-release -> ../usr/lib/os-release
lrwxrwxrwx 1 root root 43 Jan 15 19:22 /etc/ssl/ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem
lrwxrwxrwx 1 root root 33 Jan 15 19:22 /etc/ssl/certs -> ../../var/lib/ca-certificates/pem
lrwxrwxrwx 1 root root 25 Feb 11 12:27 /etc/termcap -> ../usr/share/misc/termcap |
Workaround --- dockerd-rootless.sh.OLD 2021-02-26 07:46:56.137467327 +0100
+++ dockerd-rootless.sh 2021-02-26 07:51:09.832257325 +0100
@@ -95,5 +95,12 @@
# remove the symlinks for the existing files in the parent namespace if any,
# so that we can create our own files in our mount namespace.
rm -f /run/docker /run/containerd /run/xtables.lock
+
+ # Workaround for https://github.com/rootless-containers/rootlesskit/issues/225
+ realpath_etc_ssl=$(realpath /etc/ssl)
+ rm -f /etc/ssl
+ mkdir /etc/ssl
+ mount --rbind ${realpath_etc_ssl} /etc/ssl
+
exec dockerd $@
fi |
I found this out recently -- all symlinks in openSUSE rpm packages apparently get converted to relative symlinks -- I have no idea why because it's done at the end of the build as part of the rpmbuild post-processing stage. |
Thanks @AkihiroSuda for the suggestion. I tested it and it looks good to me, but not sure what the plans are to make sure this doesn't break other relative symlinks. Is there a reason Anyways glad I can now poke around at running docker rootlessly 🙂 |
That makes /etc unwritable. |
Opened Moby PR moby/moby#42457 |
Nice work around. The following cover this case too: # Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
# https://github.com/rootless-containers/rootlesskit/issues/225
rm -f /etc/ssl
mkdir /etc/ssl
if [[ -z ${REQUESTS_CA_BUNDLE} ]];
then
realpath_etc_ssl=$(realpath /etc/ssl)
mount --rbind ${realpath_etc_ssl} /etc/ssl
else
mkdir /etc/ssl/certs
touch /etc/ssl/certs/ca-certificates.crt
mount --rbind ${REQUESTS_CA_BUNDLE} /etc/ssl/certs/ca-certificates.crt
fi |
I was trying to use docker rootless with rootlesskit and I identified why x509 certificates were not being loaded (and therefore not allowing me to pull docker images). The
rootlesskit
command is run with--copy-up=/etc --copy-up=/run
which on my system the x509 certificates are symlinked:But those links are broken when running inside the rootless child:
I'm not sure if this is a known issue, but I didn't see it in the github issues and it took me awhile to debug the underlying issue (I lifted the docker pull code to try connecting to the docker registry until I narrowed down to the fact that the x509 certificates were not being loaded).
I'm slightly surprised to see a relative link to resolve
/var/lib
, but in general relative links should be supported and I assume this is not going to be a straightforward fix. If it might be I don't mind playing around with it and pushing a PR.The text was updated successfully, but these errors were encountered: