diff --git a/1019-Dockerd-rootless-make-etc-var-run-cdi-available.patch b/1019-Dockerd-rootless-make-etc-var-run-cdi-available.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e6bd56df9f9d2b6bb18b05709ca3f4311695b52
--- /dev/null
+++ b/1019-Dockerd-rootless-make-etc-var-run-cdi-available.patch
@@ -0,0 +1,99 @@
+From ddc8a15eb54f0f8911e463ce2694521dc4531b0f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez=20L=C3=B3pez?=
+
+Date: Mon, 23 Sep 2024 10:39:30 +0200
+Subject: Dockerd rootless: make {/etc,/var/run}/cdi available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When dockerd is executed with the `dockerd-rootless.sh` script, make
+/etc/cdi and /var/run/cdi available to the daemon if they exist.
+
+This makes it possible to enable the CDI integration in rootless mode.
+
+Fixes: #47676
+
+Signed-off-by: Rafael Fernández López
+(cherry picked from commit 4e30acb63ffa085e54576361814f417db8c84645)
+Signed-off-by: Sebastiaan van Stijn
+---
+ contrib/dockerd-rootless.sh | 48 +++++++++++++++++++++++++++++++++----
+ 1 file changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/contrib/dockerd-rootless.sh b/contrib/dockerd-rootless.sh
+index 0baa112e2c..6c0775ec65 100755
+--- a/contrib/dockerd-rootless.sh
++++ b/contrib/dockerd-rootless.sh
+@@ -53,6 +53,30 @@ if ! [ -d "$HOME" ]; then
+ exit 1
+ fi
+
++mount_directory() {
++ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
++ echo "mount_directory should be called from the child context. Otherwise data loss is at risk" >&2
++ exit 1
++ fi
++
++ DIRECTORY="$1"
++ if [ ! -d "$DIRECTORY" ]; then
++ return
++ fi
++
++ # Bind mount directory: this makes this directory visible to
++ # Dockerd, even if it is originally a symlink, given Dockerd does
++ # not always follow symlinks. Some directories might also be
++ # "copied-up", meaning that they will also be writable on the child
++ # namespace; this will be the case only if they are provided as
++ # --copy-up to the rootlesskit.
++ DIRECTORY_REALPATH=$(realpath "$DIRECTORY")
++ MOUNT_OPTIONS="${2:---bind}"
++ rm -rf "$DIRECTORY"
++ mkdir -p "$DIRECTORY"
++ mount $MOUNT_OPTIONS "$DIRECTORY_REALPATH" "$DIRECTORY"
++}
++
+ rootlesskit=""
+ for f in docker-rootlesskit rootlesskit; do
+ if command -v $f > /dev/null 2>&1; then
+@@ -132,6 +156,25 @@ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
+ "$0" "$@"
+ else
+ [ "$_DOCKERD_ROOTLESS_CHILD" = 1 ]
++
++ # The Container Device Interface (CDI) specs can be found by default
++ # under {/etc,/var/run}/cdi. More information at:
++ # https://github.com/cncf-tags/container-device-interface
++ #
++ # In order to use the Container Device Interface (CDI) integration,
++ # the CDI paths need to exist before the Docker daemon is started in
++ # order for it to read the CDI specification files. Otherwise, a
++ # Docker daemon restart will be required for the daemon to discover
++ # them.
++ #
++ # If another set of CDI paths (other than the default /etc/cdi and
++ # /var/run/cdi) are configured through the Docker configuration file
++ # (using "cdi-spec-dirs"), they need to be bind mounted in rootless
++ # mode; otherwise the Docker daemon won't have access to the CDI
++ # specification files.
++ mount_directory /etc/cdi
++ mount_directory /var/run/cdi
++
+ # remove the symlinks for the existing files in the parent namespace if any,
+ # so that we can create our own files in our mount namespace.
+ rm -f /run/docker /run/containerd /run/xtables.lock
+@@ -146,10 +189,7 @@ else
+ if [ "$(stat -c %T -f /etc)" = "tmpfs" ] && [ -L "/etc/ssl" ]; then
+ # Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
+ # https://github.com/rootless-containers/rootlesskit/issues/225
+- realpath_etc_ssl=$(realpath /etc/ssl)
+- rm -f /etc/ssl
+- mkdir /etc/ssl
+- mount --rbind ${realpath_etc_ssl} /etc/ssl
++ mount_directory /etc/ssl "--rbind"
+ fi
+
+ exec "$dockerd" "$@"
+-- 
+2.27.0
+
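Review bot: `mount_directory` runs `rm -rf "$DIRECTORY"` without checking that the path is the symlink the bind mount is meant to replace, so if /etc/cdi or /var/run/cdi is ever a real directory in the child mount namespace (rather than a rootlesskit copy-up symlink) its contents are deleted and an empty directory is then bind-mounted onto itself; the /etc/ssl code this replaces was only reached behind `[ -L "/etc/ssl" ]` and used `rm -f`, and the two new CDI callers have no such guard. Moving the guard into the function keeps every caller safe, e.g. `if [ ! -L "$DIRECTORY" ]; then return; fi` placed before the `rm -rf` (a real directory is already visible to the daemon, so skipping it loses nothing, though this is inferred from the comment about symlinks and should be confirmed against rootlesskit's copy-up layout). If `realpath` fails, `DIRECTORY_REALPATH` is empty and the mount line is reached with an empty source unless the script runs under `set -e`, which is not visible in this hunk; `DIRECTORY_REALPATH=$(realpath "$DIRECTORY") || exit 1` makes that explicit. The unquoted `$MOUNT_OPTIONS` in the mount line is deliberate word-splitting and deserves a `# shellcheck disable=SC2086` comment so it is not "fixed" later.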
diff --git a/moby.spec b/moby.spec index 210779e0cf401af3765ccaadd558bf0067282d72..316618ba8f72263d8d47284739347349ad1dfb1e 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 30 +Release: 31 Summary: The open-source application container engine License: Apache-2.0 URL: https://www.docker.com @@ -42,6 +42,7 @@ Patch1015: 1015-rootless-fix-open-etc-docker-plugins-permission-deni.patch Patch1016: 1016-Fix-cases-where-we-are-wrapping-a-nil-error.patch Patch1017: 1017-libnetwork-fix-non-constant-format-string-in-call-go.patch Patch1018: 1018-Fix-setup-user-chains-even-if-there-are-running-cont.patch +Patch1019: 1019-Dockerd-rootless-make-etc-var-run-cdi-available.patch # Patch 2001-2999 for tini Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch Requires(meta): %{name}-engine = %{version}-%{release} @@ -233,6 +234,9 @@ fi %systemd_postun_with_restart docker.service %changelog +* Mon Apr 21 2025 shechenglong - 25.0.3-31 +- Dockerd rootless: make {/etc,/var/run}/cdi available + * Sun Apr 20 2025 shechenglong - 25.0.3-30 - Fix: setup user chains even if there are running containers