dilim/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-06-24 08:48:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update RootlessKit (3.0.0)

Browse Source 
- slirp4netns/vpnkit is no longer needed as gvisor-tap-vsock is now embedded in RootlessKit.
  slirp4netns/vpnkit is still used when installed.
- The `builtin` port driver can now correctly propagate the source IP, when
  `userland-proxy` is disabled.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda
2026-04-07 11:35:09 +09:00
parent de6c4d6e5d
commit 5249b1d165
7 changed files with 28 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
Dockerfile
View File

@@ -8,10 +8,6 @@ ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
# It must be a valid tag in the docker.io/tonistiigi/xx image repository. # It must be a valid tag in the docker.io/tonistiigi/xx image repository.
ARG XX_VERSION=1.9.0 ARG XX_VERSION=1.9.0
# VPNKIT_VERSION is the version of the vpnkit binary which is used as a fallback
# network driver for rootless.
ARG VPNKIT_VERSION=0.6.0
# DOCKERCLI_VERSION is the version of the CLI to install in the dev-container. # DOCKERCLI_VERSION is the version of the CLI to install in the dev-container.
ARG DOCKERCLI_VERSION=v29.4.0 ARG DOCKERCLI_VERSION=v29.4.0
ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git" ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
@@ -328,7 +324,7 @@ FROM tini-${TARGETOS} AS tini
# rootlesskit # rootlesskit
FROM base AS rootlesskit-src FROM base AS rootlesskit-src
WORKDIR /usr/src/rootlesskit WORKDIR /usr/src/rootlesskit
ARG ROOTLESSKIT_VERSION=v2.3.6 ARG ROOTLESSKIT_VERSION=v3.0.0
ADD https://github.com/rootless-containers/rootlesskit.git?ref=${ROOTLESSKIT_VERSION}&keep-git-dir=1 . ADD https://github.com/rootless-containers/rootlesskit.git?ref=${ROOTLESSKIT_VERSION}&keep-git-dir=1 .
FROM base AS rootlesskit-build FROM base AS rootlesskit-build
@@ -388,19 +384,6 @@ RUN ./autogen.sh && \
./configure --bindir=/build && \ ./configure --bindir=/build && \
make -j install make -j install
# vpnkit
# use dummy scratch stage to avoid build to fail for unsupported platforms
FROM scratch AS vpnkit-windows
FROM scratch AS vpnkit-linux-386
FROM scratch AS vpnkit-linux-arm
FROM scratch AS vpnkit-linux-ppc64le
FROM scratch AS vpnkit-linux-riscv64
FROM scratch AS vpnkit-linux-s390x
FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-amd64
FROM moby/vpnkit-bin:${VPNKIT_VERSION} AS vpnkit-linux-arm64
FROM vpnkit-linux-${TARGETARCH} AS vpnkit-linux
FROM vpnkit-${TARGETOS} AS vpnkit
# containerutility # containerutility
FROM base AS containerutil-src FROM base AS containerutil-src
WORKDIR /usr/src/containerutil WORKDIR /usr/src/containerutil
@@ -449,7 +432,6 @@ COPY --link --from=shfmt /build/ /usr/local/bin/
COPY --link --from=runc /build/ /usr/local/bin/ COPY --link --from=runc /build/ /usr/local/bin/
COPY --link --from=containerd /build/ /usr/local/bin/ COPY --link --from=containerd /build/ /usr/local/bin/
COPY --link --from=rootlesskit /build/ /usr/local/bin/ COPY --link --from=rootlesskit /build/ /usr/local/bin/
COPY --link --from=vpnkit / /usr/local/bin/
COPY --link --from=containerutil /build/ /usr/local/bin/ COPY --link --from=containerutil /build/ /usr/local/bin/
COPY --link --from=crun /build/ /usr/local/bin/ COPY --link --from=crun /build/ /usr/local/bin/
COPY --link hack/dockerfile/etc/docker/ /etc/docker/ COPY --link hack/dockerfile/etc/docker/ /etc/docker/
@@ -628,7 +610,6 @@ COPY --link --from=runc /build/ /
COPY --link --from=containerd /build/ / COPY --link --from=containerd /build/ /
COPY --link --from=rootlesskit /build/ / COPY --link --from=rootlesskit /build/ /
COPY --link --from=containerutil /build/ / COPY --link --from=containerutil /build/ /
COPY --link --from=vpnkit / /
COPY --link --from=build /build / COPY --link --from=build /build /
# smoke tests # smoke tests

1
contrib/dockerd-rootless-setuptool.sh
View File

@@ -298,7 +298,6 @@ init() {
# TODO: support printing non-essential but recommended instructions: # TODO: support printing non-essential but recommended instructions:
# - sysctl: "net.ipv4.ping_group_range" # - sysctl: "net.ipv4.ping_group_range"
# - sysctl: "net.ipv4.ip_unprivileged_port_start" # - sysctl: "net.ipv4.ip_unprivileged_port_start"
# - external binary: slirp4netns
# - external binary: fuse-overlayfs # - external binary: fuse-overlayfs
} }

45
contrib/dockerd-rootless.sh
View File

@@ -6,16 +6,15 @@
# External dependencies: # External dependencies:
# * newuidmap and newgidmap needs to be installed. # * newuidmap and newgidmap needs to be installed.
# * /etc/subuid and /etc/subgid needs to be configured for the current user. # * /etc/subuid and /etc/subgid needs to be configured for the current user.
# * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed.
# #
# Recognized environment variables: # Recognized environment variables:
# * DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR: the rootlesskit state dir. # * DOCKERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR: the rootlesskit state dir.
# * Defaults to "$XDG_RUNTIME_DIR/dockerd-rootless". # * Defaults to "$XDG_RUNTIME_DIR/dockerd-rootless".
# * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|lxc-user-nic): the rootlesskit network driver. # * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|gvisor-tap-vsock|lxc-user-nic): the rootlesskit network driver.
# * Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed, else "pasta", else "vpnkit". # * Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed, else "pasta", else "vpnkit", else "gvisor-tap-vsock".
# * DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. # * DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver.
# * Defaults to 65520 for slirp4netns and pasta, 1500 for other rootlesskit network drivers. # * Defaults to 65520 for slirp4netns, pasta, and gvisor-tap-vsock. Defaults to 1500 for other rootlesskit network drivers.
# * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit): the rootlesskit port driver. # * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit|gvisor-tap-vsock): the rootlesskit port driver.
# * Defaults to "implicit" for "pasta", "builtin" for other rootlesskit network drivers. # * Defaults to "implicit" for "pasta", "builtin" for other rootlesskit network drivers.
# * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace. # * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace.
# * Defaults to "auto". # * Defaults to "auto".
@@ -34,14 +33,18 @@
# Guide to choose the network driver and the port driver: # Guide to choose the network driver and the port driver:
# #
# Network driver | Port driver | Net throughput | Port throughput | Src IP | No SUID | Note # Network driver | Port driver | Net throughput | Port throughput | Src IP | No SUID | Note
# ---------------|----------------|----------------|-----------------|--------|---------|--------------------------------------------------------- # -----------------|------------------|----------------|-----------------|--------|---------|---------------------------------------------------------
# slirp4netns | builtin | Slow | Fast ✅ | | ✅ | Default in typical setup # gvisor-tap-vsock | builtin | Slow | Fast ✅ | ✅ (*) | ✅ | Default when slirp4netns is not installed
# vpnkit | builtin | Slow | Fast ✅ | | ✅ | Default when slirp4netns is not installed # slirp4netns | builtin | Slow | Fast ✅ | ✅ (*) | ✅ | Default when slirp4netns is installed
# slirp4netns | slirp4netns | Slow | Slow | ✅ | ✅ | # vpnkit | builtin | Slow | Fast ✅ | ✅ (*) | ✅ | Legacy
# pasta | implicit | Slow | Fast ✅ | | ✅ | Experimental; Needs recent version of pasta (2023_12_04) # gvisor-tap-vsock | gvisor-tap-vsock | Slow | Slow | | ✅ | Not recommended. Use `builtin` port driver instead.
# lxc-user-nic | builtin | Fast ✅ | Fast ✅ | | | Experimental # slirp4netns | slirp4netns | Slow | Slow | | |
# (bypass4netns) | (bypass4netns) | Fast ✅ | Fast ✅ | ✅ | ✅ | (Not integrated to RootlessKit) # pasta | implicit | Slow | Fast ✅ | ✅ | ✅ | Experimental; Needs recent version of pasta (2023_12_04)
# lxc-user-nic | builtin | Fast ✅ | Fast ✅ | ✅ (*) | ❌ | Experimental
# (bypass4netns) | (bypass4netns) | Fast ✅ | Fast ✅ | ✅ | ✅ | (Not integrated to RootlessKit)
#
# (*) Applicable since RootlessKit v3.0. Also requires userland-proxy to be disabled.
# See the documentation for the further information: https://docs.docker.com/go/rootless/ # See the documentation for the further information: https://docs.docker.com/go/rootless/
@@ -134,8 +137,7 @@ if [ -z "$net" ]; then
fi fi
fi fi
if [ -z "$net" ]; then if [ -z "$net" ]; then
echo "One of slirp4netns (>= v0.4.0), pasta (passt >= 2023_12_04), or vpnkit needs to be installed" net=gvisor-tap-vsock
exit 1
fi fi
fi fi
if [ "$net" = host ]; then if [ "$net" = host ]; then
@@ -143,11 +145,14 @@ if [ "$net" = host ]; then
exit 1 exit 1
fi fi
if [ -z "$mtu" ]; then if [ -z "$mtu" ]; then
if [ "$net" = slirp4netns -o "$net" = pasta ]; then case "$net" in
mtu=65520 slirp4netns | pasta | gvisor-tap-vsock)
else mtu=65520
mtu=1500 ;;
fi *)
mtu=1500
;;
esac
fi fi
if [ -z "$port_driver" ]; then if [ -z "$port_driver" ]; then
if [ "$net" = pasta ]; then if [ "$net" = pasta ]; then

2
docs/contributing/ctn-build.md
View File

@@ -30,7 +30,7 @@ docker buildx bake binary-cross
# build binaries for a specific platform # build binaries for a specific platform
docker buildx bake --set *.platform=linux/arm64 docker buildx bake --set *.platform=linux/arm64
# build "complete" binaries (including containerd, runc, vpnkit, etc.) # build "complete" binaries (including containerd, runc, etc.)
docker buildx bake all docker buildx bake all
# build "complete" binaries for all supported platforms # build "complete" binaries for all supported platforms

2
hack/dockerfile/install/rootlesskit.installer
View File

@@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
# When updating, also update go.mod and Dockerfile accordingly. # When updating, also update go.mod and Dockerfile accordingly.
: "${ROOTLESSKIT_VERSION:=v2.3.6}" : "${ROOTLESSKIT_VERSION:=v3.0.0}"
install_rootlesskit() { install_rootlesskit() {
case "$1" in case "$1" in

5
hack/make/binary-daemon
View File

@@ -17,11 +17,6 @@ copy_binaries() {
for file in containerd containerd-shim-runc-v2 ctr runc docker-init rootlesskit dockerd-rootless.sh dockerd-rootless-setuptool.sh; do for file in containerd containerd-shim-runc-v2 ctr runc docker-init rootlesskit dockerd-rootless.sh dockerd-rootless-setuptool.sh; do
cp -f "$(command -v "$file")" "$dir/" cp -f "$(command -v "$file")" "$dir/"
done done
# vpnkit might not be available for the target platform, see vpnkit stage in
# the Dockerfile for more information.
if command -v vpnkit > /dev/null 2>&1; then
cp -f "$(command -v vpnkit)" "$dir/"
fi
} }
[ -z "$KEEPDEST" ] && rm -rf "$DEST" [ -z "$KEEPDEST" ] && rm -rf "$DEST"

3
hack/make/install-binary
View File

@@ -17,7 +17,4 @@ source "${MAKEDIR}/.install"
install_binary "${DEST}/rootlesskit" install_binary "${DEST}/rootlesskit"
install_binary "${DEST}/dockerd-rootless.sh" install_binary "${DEST}/dockerd-rootless.sh"
install_binary "${DEST}/dockerd-rootless-setuptool.sh" install_binary "${DEST}/dockerd-rootless-setuptool.sh"
if [ -f "${DEST}/vpnkit" ]; then
install_binary "${DEST}/vpnkit"
fi
) )