From 76df68a28ad17133f002b22d17c577f9426b8fd7 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 10 Dec 2021 11:21:49 +0100
Subject: [docker-ce] New module (target: stage4)
---
core/modules/docker-ce/data/etc/docker/daemon.json | 5 ++
.../systemd/system/docker-no-trivial-root.service | 14 +++++
.../docker-no-trivial-root.service | 1 +
core/modules/docker-ce/module.build | 70 ++++++++++++++++++++++
core/modules/docker-ce/module.conf | 11 ++++
core/modules/docker-ce/module.conf.ubuntu | 7 +++
6 files changed, 108 insertions(+)
create mode 100644 core/modules/docker-ce/data/etc/docker/daemon.json
create mode 100644 core/modules/docker-ce/data/etc/systemd/system/docker-no-trivial-root.service
create mode 120000 core/modules/docker-ce/data/etc/systemd/system/multi-user.target.wants/docker-no-trivial-root.service
create mode 100644 core/modules/docker-ce/module.build
create mode 100644 core/modules/docker-ce/module.conf
create mode 100644 core/modules/docker-ce/module.conf.ubuntu
(limited to 'core/modules/docker-ce')
diff --git a/core/modules/docker-ce/data/etc/docker/daemon.json b/core/modules/docker-ce/data/etc/docker/daemon.json
new file mode 100644
index 00000000..b8877383
--- /dev/null
+++ b/core/modules/docker-ce/data/etc/docker/daemon.json
@@ -0,0 +1,5 @@
+{
+ "data-root": "/tmp/virt/docker",
+ "storage-driver": "overlay2",
+ "userns-remap": "default"
+}
diff --git a/core/modules/docker-ce/data/etc/systemd/system/docker-no-trivial-root.service b/core/modules/docker-ce/data/etc/systemd/system/docker-no-trivial-root.service
new file mode 100644
index 00000000..3a93b8b4
--- /dev/null
+++ b/core/modules/docker-ce/data/etc/systemd/system/docker-no-trivial-root.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=No Trivial Root for Docker
+Before=docker.service
+After=network.target
+
+[Service]
+Type=simple
+TimeoutStartSec=0
+Restart=always
+RestartSec=12s
+ExecStart=/usr/sbin/docker-no-trivial-root
+
+[Install]
+WantedBy=multi-user.target
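Review bot: `data-root` is placed under /tmp, a sticky world-writable directory, and nothing in this commit creates /tmp/virt or /tmp/virt/docker root-owned before dockerd starts; unless another module provisions that path (not visible here), a local user who creates /tmp/virt first — or drops a symlink there — pre-owns the tree the daemon writes image layers and container rootfs into, and I would not rely on dockerd validating the ownership of pre-existing parent directories. Either have the build create the directory with restrictive ownership up front, e.g. a tmpfiles.d entry `d /tmp/virt/docker 0710 root root -`, or move `data-root` to a path that is not under a world-writable parent. `userns-remap: default` is a good choice and matches the dockremap entries module.build adds to /etc/subuid and /etc/subgid. JSON has no comment syntax, so the reason for the /tmp location belongs in module.build or the module's README rather than here.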
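Review bot: `Before=docker.service` only orders this unit's fork ahead of dockerd; with `Type=simple` systemd has no readiness signal, and neither this unit nor the docker.service patch in module.build adds a `Requires=`/`BindsTo=`, so dockerd can start with `--authorization-plugin=no-trivial-root` before the plugin socket exists, and keeps running if the plugin dies and is restarted — how dockerd resolves a missing authz plugin (fail closed vs. open) is not visible here and should be verified rather than assumed. Bind the two explicitly, e.g. `Requires=docker-no-trivial-root.service` and `After=docker-no-trivial-root.service` in the patched docker.service or a drop-in, plus `PartOf=docker.service` here so restarts are coupled, and prefer `Type=notify` if the plugin supports sd_notify. The plugin also runs as root with no sandboxing; `NoNewPrivileges=yes`, `ProtectSystem=strict` and `ProtectHome=yes` cost little unless it needs to write outside /run/docker/plugins — check before adding.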
diff --git a/core/modules/docker-ce/data/etc/systemd/system/multi-user.target.wants/docker-no-trivial-root.service b/core/modules/docker-ce/data/etc/systemd/system/multi-user.target.wants/docker-no-trivial-root.service
new file mode 120000
index 00000000..7c7caf91
--- /dev/null
+++ b/core/modules/docker-ce/data/etc/systemd/system/multi-user.target.wants/docker-no-trivial-root.service
@@ -0,0 +1 @@
+../docker-no-trivial-root.service
\ No newline at end of file
diff --git a/core/modules/docker-ce/module.build b/core/modules/docker-ce/module.build
new file mode 100644
index 00000000..0921ebee
--- /dev/null
+++ b/core/modules/docker-ce/module.build
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+module_init() {
+ local i url sigfile file hash
+ declare -a apts
+ [ "$SYS_DISTRIBUTION" = "ubuntu" ] || [ "$SYS_DISTRIBUTION" = "debian" ] || return 0
+ # Forcefully add docker repo
+ apts=(
+ "https://download.docker.com/linux/${SYS_DISTRIBUTION}/gpg deb [arch=$(dpkg --print-architecture) signed-by=%FILE%] https://download.docker.com/linux/$SYS_DISTRIBUTION $(lsb_release -cs) stable"
+ "https://nvidia.github.io/nvidia-docker/gpgkey https://nvidia.github.io/nvidia-docker/${SYS_DISTRIBUTION}$(lsb_release -rs)/nvidia-docker.list"
+ )
+ for i in "${apts[@]}"; do
+ url="${i%% *}"
+ hash="$( echo "$i" | md5sum | cut -c1-10 )"
+ sigfile="/usr/share/keyrings/docker-${hash}.gpg"
+ [ -s "$sigfile" ] && continue
+ curl -fsSL "$url" | gpg --dearmor -o "$sigfile" \
+ || perror "Could not download docker gpg key from $url"
+ url="${i#* }"
+ file="/etc/apt/sources.list.d/docker-${hash}.list"
+ [ -s "$file" ] && continue
+ if [[ "${url}" == http* ]]; then
+ download "$url" "$file"
+ sed -i "s/^deb/deb [signed-by=${sigfile}]/" "$file"
+ else
+ echo "${url//%FILE%/$sigfile}" > "$file"
+ fi
+ done
+ apt-get update
+}
+
+build() {
+ local service
+ for service in docker containerd; do
+ systemctl disable "${service}.service" || perror "Could not disable $service"
+ done
+ systemctl enable "docker.socket" || perror "Could not enable docker.socket activation"
+ # Plugin binary
+ download_untar "https://github.com/ad-freiburg/docker-no-trivial-root/releases/download/v0.1.0/docker-no-trivial-root_x86_64.tar.bz2" \
+ "$MODULE_WORK_DIR/src"
+ mkdir -p "$MODULE_BUILD_DIR/usr/sbin"
+ mv "$MODULE_WORK_DIR/src/docker-no-trivial-root_x86_64/docker-no-trivial-root" \
+ "$MODULE_BUILD_DIR/usr/sbin/docker-no-trivial-root" \
+ || perror "Cannot move docker-no-trivial-root"
+ chmod +x "$MODULE_BUILD_DIR/usr/sbin/docker-no-trivial-root"
+ chown 0:0 "$MODULE_BUILD_DIR/usr/sbin/docker-no-trivial-root"
+ # Patch systemd service
+ mkdir -p
"$MODULE_BUILD_DIR/etc/systemd/system"
+ sed -r 's/^(ExecStart=.*dockerd) (.*)$/\1 --authorization-plugin=no-trivial-root \2/' \
+ "/lib/systemd/system/docker.service" > "$MODULE_BUILD_DIR/etc/systemd/system/docker.service" \
+ || perror "Could not patch docker.service"
+ # That weird range stuff
+ local item
+ for item in subuid subgid; do
+ awk -F: 'BEGIN {
+ max=0
+ found=0
+ } {
+ if ($1=="dockremap")
+ found=1
+ if ($2>max)
+ max=($2)
+ print $0
+ } END {
+ if (!found)
+ print "dockremap:"max+65536":65536"
+ }' "/etc/${item}" > "${MODULE_BUILD_DIR}/etc/${item}" \
+ || perror "Could not patch /etc/$item"
+ done
+}
diff --git a/core/modules/docker-ce/module.conf b/core/modules/docker-ce/module.conf
new file mode 100644
index 00000000..1a45b0f8
--- /dev/null
+++ b/core/modules/docker-ce/module.conf
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+REQUIRED_FILES="
+ /etc/systemd/system/docker.service
+ /etc/subuid
+ /etc/subgid
+"
+
+REQUIRED_BINARIES="
+ docker-no-trivial-root
+"
diff --git a/core/modules/docker-ce/module.conf.ubuntu b/core/modules/docker-ce/module.conf.ubuntu
new file mode 100644
index 00000000..c279a22e
--- /dev/null
+++ b/core/modules/docker-ce/module.conf.ubuntu
@@ -0,0 +1,7 @@
+#!/bin/bash
+REQUIRED_CONTENT_PACKAGES="
+ containerd.io
+ docker-ce
+ docker-ce-cli
+ nvidia-container-toolkit
+"
-- cgit v1.2.3-55-g7522
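Review bot: The authorization plugin that gates the Docker API is installed root-owned into /usr/sbin straight from a GitHub release tarball with no integrity check beyond TLS, and release assets are mutable after publication, so `build()` should pin the archive's SHA-256 and verify it before `download_untar` extracts it — e.g. `sha256sum -c <<<"<expected-sha256>  docker-no-trivial-root_x86_64.tar.bz2"` on the staged file (how `download_untar` stages the archive is not visible here; a `download` + `sha256sum -c` + `tar` sequence may be needed instead). Two fail-open spots in the same hunk: the `sed` that injects `--authorization-plugin=no-trivial-root` exits 0 even when the ExecStart pattern does not match, leaving dockerd ungated, so follow it with `grep -q -- '--authorization-plugin=no-trivial-root' "$MODULE_BUILD_DIR/etc/systemd/system/docker.service" || perror "docker.service not patched"`; and the awk that appends dockremap to /etc/subuid and /etc/subgid tracks only the largest range *start*, so an existing range longer than 65536 ids overlaps the new one — track the range end instead with `BEGIN { max=65536; found=0 }`, `if ($2+$3>max) max=$2+$3` and `print "dockremap:"max":65536"`. Overlapping subordinate ranges would let the remapped container root coincide with ids already delegated to another account. Also, `curl ... | gpg --dearmor` reports only gpg's status, so a failed key download is not caught by the `|| perror`; set `pipefail` locally or download to a temp file first, and note that `[ -s "$sigfile" ] && continue` also skips writing the sources list on a re-run where only the keyring exists.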