From ae54f66fbd03358f35c4dd15144f6fa239a83755 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Thu, 10 Aug 2023 18:11:38 +0200
Subject: [PATCH 01/57] add docker and kind

---
 dockerfiles/Dockerfile.cloud | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 86a9f49e..51306839 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -40,6 +40,10 @@ ENV TERRAFORM_VERSION=v1.2.9
 # renovate: datasource=github-tags depName=kubernetes/kubernetes
 ENV KUBECTL_VERSION=v1.25.5
+ENV DOCKER_VERSION=""
+
+ENV KIND_VERSION=v0.20.0
+
 RUN apk add --update --no-cache curl ca-certificates unzip wget openssl build-base && \
 curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz | tar xvz && \
 mv linux-${TARGETARCH}/helm /usr/local/bin/helm && \
@@ -110,6 +114,18 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.
 google-cloud-sdk-gke-gcloud-auth-plugin && \
 gcloud --help
+RUN useradd -ms /bin/bash plural
+# install Docker
+#RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
+RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh && usermod -a -G docker plural
+ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh
+
+# install kind
+# K8s.io KinD
+RUN curl -Lo ./kind https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64 \
+ && chmod +x ./kind \
+ && mv ./kind /usr/bin/kind
+
 WORKDIR /root
 ENV TERM=xterm-256color
@@ -120,7 +136,7 @@ RUN git clone https://github.com/powerline/fonts.git --depth=1 && \
 rm -rf fonts
 WORKDIR $GOPATH/src/plural/
-RUN useradd -ms /bin/bash plural
+
 COPY start-session.sh /usr/local/bin/start-session.sh
 COPY boot.sh /home/plural/boot.sh
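Review bot: `RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh` runs an installer fetched at build time, as root, with no pin and no integrity check, so each build trusts whatever get.docker.com serves that day; the `ADD https://raw.githubusercontent.com/docker/docker-ce/master/...` completion file pulled from a moving branch and the kind binary on the lines below have the same gap, and patch 02 and patch 11 keep the pattern. Fetch the installer from a pinned commit of docker/docker-install (each copy carries a `SCRIPT_COMMIT_SHA`) or `COPY` a reviewed copy, and check the kind download against its published sha256 file before `mv ./kind /usr/bin/kind`. The kind URL hardcodes `kind-linux-amd64` while the helm download on the context lines of the first hunk uses `${TARGETARCH}`; `kind-linux-${TARGETARCH}` keeps the two consistent. `get-docker.sh` is also left behind in whichever WORKDIR is current at that point of the build.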
From a5b7be0f7c2c355964ab4d9958c021558310efcc Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Fri, 11 Aug 2023 10:56:05 +0200
Subject: [PATCH 02/57] fix, 24.0.5 not signed yet (?)

---
 dockerfiles/Dockerfile.cloud | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 51306839..73f58e8d 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -40,9 +40,6 @@ ENV TERRAFORM_VERSION=v1.2.9
 # renovate: datasource=github-tags depName=kubernetes/kubernetes
 ENV KUBECTL_VERSION=v1.25.5
-ENV DOCKER_VERSION=""
-
-ENV KIND_VERSION=v0.20.0
 RUN apk add --update --no-cache curl ca-certificates unzip wget openssl build-base && \
 curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz | tar xvz && \
@@ -115,13 +112,16 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.
 gcloud --help
 RUN useradd -ms /bin/bash plural
+
 # install Docker
+ENV DOCKER_VERSION=24.0.0
 #RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
-RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh && usermod -a -G docker plural
+RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural
 ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh
 # install kind
 # K8s.io KinD
+ENV KIND_VERSION=v0.20.0
 RUN curl -Lo ./kind https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64 \
 && chmod +x ./kind \
 && mv ./kind /usr/bin/kind
From a84e8c20f03f71285dd7d02caf0b62abbec6c0d1 Mon Sep 17 00:00:00 2001
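Review bot: `ENV DOCKER_VERSION=24.0.0` pins the engine with no explanation in the file, while the commit subject gives one (24.0.5 not signed yet); that reason belongs next to the pin so the next reader knows when it can be lifted — `# pinned: 24.0.5 packages were not yet signed when this was written`. The commented-out `#RUN apt-get ...` line kept between the comment and the live `RUN` is dead code carried over from patch 01 and should go. `ENV` values also persist in every container's environment; `ARG` would keep build-only inputs like `DOCKER_VERSION` and `KIND_VERSION` out of it, though the file's renovate-tracked `ENV *_VERSION` lines follow the same convention, so this is a file-wide choice.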
From: Hans Rauer
Date: Fri, 11 Aug 2023 13:49:52 +0200
Subject: [PATCH 03/57] install s6

---
 dockerfiles/Dockerfile.cloud | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 73f58e8d..c4b35bcb 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -75,6 +75,7 @@ RUN apt-get -yq update \
 less \
 lsb-release \
 openssh-client \
+ xz-utils \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
@@ -113,7 +114,13 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.
 RUN useradd -ms /bin/bash plural
-# install Docker
+# install s6
+ENV S6_OVERLAY_VERSION=3.1.5.0
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
+RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
+ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
+RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz
+
 ENV DOCKER_VERSION=24.0.0
 #RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
 RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural
@@ -156,4 +163,6 @@ RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/inst
 ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json
+
+ENTRYPOINT [ "/init" ]
 CMD eval $(ssh-agent -s); plural serve
From 70655823698760e0698306907b9841ce7bcd7198 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Fri, 11 Aug 2023 15:50:54 +0200
Subject: [PATCH 04/57] need the dockerfiles in the context

---
 .dockerignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
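Review bot: The two `ADD https://github.com/just-containers/s6-overlay/releases/download/...` lines unpack release tarballs over `/` as root (`tar -C / -Jxpf`) with nothing checking what was downloaded; s6-overlay publishes a `.sha256` file beside each tarball, so a `sha256sum -c` step before the `tar` calls (or a pinned digest in the Dockerfile) makes the build reproducible and tamper-evident. The arch is hardcoded as `x86_64` where the helm download earlier in the file uses `${TARGETARCH}`; if the image is meant to be amd64-only, say so in the `# install s6` comment. Both `.tar.xz` files remain in `/tmp` in the final image — a trailing `&& rm /tmp/s6-overlay-*.tar.xz` on the RUN lines, or a single RUN using curl, avoids that.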
diff --git a/.dockerignore b/.dockerignore
index 768d6776..4c1a2e6c 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -15,4 +15,4 @@ packer/
 hack/
 Makefile
 Dockerfile
-dockerfiles/
\ No newline at end of file
+dockerfiles/Dockerfile.cloud
\ No newline at end of file
From f271a3cebce396ae042a761d3019e51f61ee597b Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Fri, 11 Aug 2023 16:07:47 +0200
Subject: [PATCH 05/57] s6 services config for docker

---
 .dockerignore | 3 ++-
 dockerfiles/Dockerfile.cloud | 3 +++
 dockerfiles/s6-rc.d/dind/finish | 9 +++++++++
 dockerfiles/s6-rc.d/dind/run | 2 ++
 dockerfiles/s6-rc.d/dind/type | 1 +
 5 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 dockerfiles/s6-rc.d/dind/finish
 create mode 100644 dockerfiles/s6-rc.d/dind/run
 create mode 100644 dockerfiles/s6-rc.d/dind/type

diff --git a/.dockerignore b/.dockerignore
index 4c1a2e6c..807fb439 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -15,4 +15,5 @@ packer/
 hack/
 Makefile
 Dockerfile
-dockerfiles/Dockerfile.cloud
\ No newline at end of file
+dockerfiles
+!dockerfiles/s6-rc.d
\ No newline at end of file
diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index c4b35bcb..f94103fe 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -115,11 +115,14 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.
 RUN useradd -ms /bin/bash plural
 # install s6
+# notes: https://github.com/just-containers/s6-overlay/blob/master/MOVING-TO-V3.md
 ENV S6_OVERLAY_VERSION=3.1.5.0
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
 RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp
 RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz
+COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d
+
 ENV DOCKER_VERSION=24.0.0
 #RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
diff --git a/dockerfiles/s6-rc.d/dind/finish b/dockerfiles/s6-rc.d/dind/finish
new file mode 100644
index 00000000..d4707f30
--- /dev/null
+++ b/dockerfiles/s6-rc.d/dind/finish
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if test "$1" -eq 256 ; then
+ e=$((128 + $2))
+else
+ e="$1"
+fi
+
+echo "$e" > /run/s6-linux-init-container-results/exitcode
\ No newline at end of file
diff --git a/dockerfiles/s6-rc.d/dind/run b/dockerfiles/s6-rc.d/dind/run
new file mode 100644
index 00000000..0a596d3c
--- /dev/null
+++ b/dockerfiles/s6-rc.d/dind/run
@@ -0,0 +1,2 @@
+#!/command/with-contenv sh
+exec dockerd --log-level error
\ No newline at end of file
diff --git a/dockerfiles/s6-rc.d/dind/type b/dockerfiles/s6-rc.d/dind/type
new file mode 100644
index 00000000..1780f9f4
--- /dev/null
+++ b/dockerfiles/s6-rc.d/dind/type
@@ -0,0 +1 @@
+longrun
\ No newline at end of file
From a526df30600b8c86906df3914838088bc705c708 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Fri, 11 Aug 2023 16:08:04 +0200
Subject: [PATCH 06/57] docker as nonroot

---
 dockerfiles/Dockerfile.cloud | 5 +++++
 1 file changed, 5 insertions(+)
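Review bot: The new `dind` service has `run`, `finish` and `type`, but no `user/contents.d/dind` file is added in this commit, and s6-overlay v3 only starts services listed in that bundle, so as far as the series shows `dockerd` is defined but never started (the `plural` and `ssh` services added in patch 13 have the same gap). `run` also starts `dockerd` as root with no `dependencies.d`, which only works in a `--privileged` container; that requirement belongs in a comment at the top of `run` or beside `COPY dockerfiles/s6-rc.d` in the Dockerfile, since nothing else in the image documents it.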
diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index f94103fe..3afe8f0c 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -76,6 +76,8 @@ RUN apt-get -yq update \
 lsb-release \
 openssh-client \
 xz-utils \
+ uidmap \
+ dbus-user-session \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
@@ -156,6 +158,9 @@ RUN chmod +x /usr/local/bin/start-session.sh && \
 WORKDIR /home/plural
 USER plural
+# setup nonroot docker
+RUN dockerd-rootless-setuptool.sh instal
+
 COPY tmux /home/plural/tmux
 COPY welcome.txt /home/plural/welcome.txt
 COPY .screenrc /home/plural/.screenrc
From 9facf706afbb086ae095f8632c1a14a90315380c Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Fri, 11 Aug 2023 16:08:22 +0200
Subject: [PATCH 07/57] rename

---
 dockerfiles/s6-rc.d/dind/finish | 9 ---------
 dockerfiles/s6-rc.d/{dind => dockerd}/run | 0
 dockerfiles/s6-rc.d/{dind => dockerd}/type | 0
 3 files changed, 9 deletions(-)
 delete mode 100644 dockerfiles/s6-rc.d/dind/finish
 rename dockerfiles/s6-rc.d/{dind => dockerd}/run (100%)
 rename dockerfiles/s6-rc.d/{dind => dockerd}/type (100%)

diff --git a/dockerfiles/s6-rc.d/dind/finish b/dockerfiles/s6-rc.d/dind/finish
deleted file mode 100644
index d4707f30..00000000
--- a/dockerfiles/s6-rc.d/dind/finish
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-if test "$1" -eq 256 ; then
- e=$((128 + $2))
-else
- e="$1"
-fi
-
-echo "$e" > /run/s6-linux-init-container-results/exitcode
\ No newline at end of file
diff --git a/dockerfiles/s6-rc.d/dind/run b/dockerfiles/s6-rc.d/dockerd/run
similarity index 100%
rename from dockerfiles/s6-rc.d/dind/run
rename to dockerfiles/s6-rc.d/dockerd/run
diff --git a/dockerfiles/s6-rc.d/dind/type b/dockerfiles/s6-rc.d/dockerd/type
similarity index 100%
rename from dockerfiles/s6-rc.d/dind/type
rename to dockerfiles/s6-rc.d/dockerd/type
From d05fd3c2c1ce5ebddcaaac848bf5c7d7226dc9bd Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Fri, 11 Aug 2023 16:15:24 +0200
Subject: [PATCH 08/57] fix typo

---
 dockerfiles/Dockerfile.cloud | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 3afe8f0c..d2383d6b 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -159,7 +159,7 @@ WORKDIR /home/plural
 USER plural
 # setup nonroot docker
-RUN dockerd-rootless-setuptool.sh instal
+RUN dockerd-rootless-setuptool.sh install
 COPY tmux /home/plural/tmux
 COPY welcome.txt /home/plural/welcome.txt
From 9ac19f3a5705650354dec5d18d3feb4cfb62797c Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Mon, 14 Aug 2023 10:57:16 +0200
Subject: [PATCH 09/57] fix iptables issue

---
 dockerfiles/Dockerfile.cloud | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index d2383d6b..4d0e4864 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -78,6 +78,7 @@ RUN apt-get -yq update \
 xz-utils \
 uidmap \
 dbus-user-session \
+ iptables \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
@@ -158,8 +159,8 @@ RUN chmod +x /usr/local/bin/start-session.sh && \
 WORKDIR /home/plural
 USER plural
-# setup nonroot docker
-RUN dockerd-rootless-setuptool.sh install
+# setup rootless docker
+RUN dockerd-rootless-setuptool.sh install --skip-iptables
 COPY tmux /home/plural/tmux
 COPY welcome.txt /home/plural/welcome.txt
From d1a2962e61ff5d98ad548436563ee1ea8483029b Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Mon, 14 Aug 2023 16:17:08 +0200
Subject: [PATCH 10/57] add modprobe

---
 dockerfiles/Dockerfile.cloud | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 4d0e4864..5cdef1fb 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -79,6 +79,7 @@ RUN apt-get -yq update \
 uidmap \
 dbus-user-session \
 iptables \
+ kmod \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
From ee58c9dcc7980efca72c827a283714ba279bd2f0 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Mon, 14 Aug 2023 16:17:31 +0200
Subject: [PATCH 11/57] use rootless install script

---
 dockerfiles/Dockerfile.cloud | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 5cdef1fb..590cf311 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -128,11 +128,6 @@ RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz
 COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d
-ENV DOCKER_VERSION=24.0.0
-#RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
-RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural
-ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh
-
 # install kind
 # K8s.io KinD
 ENV KIND_VERSION=v0.20.0
@@ -157,11 +152,26 @@ COPY boot.sh /home/plural/boot.sh
 RUN chmod +x /usr/local/bin/start-session.sh && \
 chmod +x /home/plural/boot.sh
+# prepare rootless docker
+#ENV XDG_RUNTIME_DIR=/run/user/1000
+
 WORKDIR /home/plural
+ENV XDG_RUNTIME_DIR=/home/plural/.docker/xrd
+RUN mkdir -p $XDG_RUNTIME_DIR && \
+ chown 1000:0 $XDG_RUNTIME_DIR && \
+ echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf
+
 USER plural
+#ENV DOCKER_VERSION=24.0.0
+#RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
+#RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural
+ENV SKIP_IPTABLES=1
+RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh
+#&& usermod -a -G docker plural
+ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh
 # setup rootless docker
-RUN dockerd-rootless-setuptool.sh install --skip-iptables
+#RUN dockerd-rootless-setuptool.sh install --skip-iptables
 COPY tmux /home/plural/tmux
 COPY welcome.txt /home/plural/welcome.txt
@@ -174,5 +184,5 @@ RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/inst
 ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
 ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json
+USER root
 ENTRYPOINT [ "/init" ]
-CMD eval $(ssh-agent -s); plural serve
From 42ca6adb5bc3e79c058d329ca84355a12b4f2ad8 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Mon, 14 Aug 2023 16:38:21 +0200
Subject: [PATCH 12/57] add env vars

---
 dockerfiles/Dockerfile.cloud | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index 590cf311..ee06aeca 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
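Review bot: `echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf` has no effect inside an image: nothing in a container applies `/etc/sysctl.conf`, and this sysctl is not namespaced, so it can only be set on the host — drop the line and document the host requirement instead, e.g. `# host must have kernel.unprivileged_userns_clone=1 for rootless dockerd`. `chown 1000:0 $XDG_RUNTIME_DIR` hardcodes the uid that `useradd plural` is assumed to have been given; `chown plural:plural` states the intent and survives a uid change, and the directory keeps the umask-default mode whereas `XDG_RUNTIME_DIR` is specified as 0700 owned by the user (rootless dockerd places its socket there). `RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh` repeats the unverified installer fetch raised on patch 01, now as `plural` with the script left in `/home/plural`, and `ENV SKIP_IPTABLES=1` stays in every container's environment although it only matters to that installer — `RUN SKIP_IPTABLES=1 sh get-docker.sh` scopes it to the build step.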
@@ -156,7 +156,7 @@ RUN chmod +x /usr/local/bin/start-session.sh && \
 #ENV XDG_RUNTIME_DIR=/run/user/1000
 WORKDIR /home/plural
-ENV XDG_RUNTIME_DIR=/home/plural/.docker/xrd
+ENV XDG_RUNTIME_DIR=/home/plural/.docker
 RUN mkdir -p $XDG_RUNTIME_DIR && \
 chown 1000:0 $XDG_RUNTIME_DIR && \
 echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf
@@ -166,14 +166,17 @@ USER plural
 #RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
 #RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural
 ENV SKIP_IPTABLES=1
-RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh
+RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh && DOCKER
+ENV PATH "$PATH:/sbin"
+ENV PATH "$PATH:/home/plural/bin:$PATH"
+ENV DOCKER_HOST "unix:///${XDG_RUNTIME_DIR}/docker.sock"
 #&& usermod -a -G docker plural
 ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh
 # setup rootless docker
 #RUN dockerd-rootless-setuptool.sh install --skip-iptables
-COPY tmux /home/plural/tmux
+COPY tmux /home/plural/tmuxd
 COPY welcome.txt /home/plural/welcome.txt
 COPY .screenrc /home/plural/.screenrc
From 12b00b951cd088c582f0227dbd77f2780c7d8dbb Mon Sep 17 00:00:00 2001
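Review bot: `&& DOCKER` at the end of the new `RUN curl ... && sh get-docker.sh && DOCKER` line is a stray token: nothing in the image defines a `DOCKER` command, so the shell exits non-zero after the installer has run and the build fails at this step (the same line is still present as context in patch 13, which fixes only the PATH). Drop the token: `RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh`. `ENV DOCKER_HOST "unix:///${XDG_RUNTIME_DIR}/docker.sock"` expands to `unix:////home/plural/.docker/docker.sock`, which Linux resolves the same but is not the documented `unix://${XDG_RUNTIME_DIR}/docker.sock` form, and all three `ENV key value` lines use the legacy whitespace syntax that BuildKit warns about — `ENV PATH="$PATH:/sbin"` is the supported form. `COPY tmux /home/plural/tmuxd` changes the destination name with no stated reason and looks like an accidental keystroke; worth confirming, since anything that expects `/home/plural/tmux` will now miss it.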
From: Hans Rauer
Date: Mon, 14 Aug 2023 16:38:57 +0200
Subject: [PATCH 13/57] fix

---
 dockerfiles/Dockerfile.cloud | 2 +-
 dockerfiles/log-prepare/dependencies.d/base | 0
 dockerfiles/log-prepare/type | 1 +
 dockerfiles/log-prepare/up | 3 +
 dockerfiles/s6-rc.d/dockerd/run | 6 +-
 dockerfiles/s6-rc.d/plural/run | 4 +
 dockerfiles/s6-rc.d/plural/type | 1 +
 dockerfiles/s6-rc.d/ssh/run | 4 +
 dockerfiles/s6-rc.d/ssh/type | 1 +
 get-docker.sh | 743 ++++++++++++++++++++
 10 files changed, 762 insertions(+), 3 deletions(-)
 create mode 100644 dockerfiles/log-prepare/dependencies.d/base
 create mode 100644 dockerfiles/log-prepare/type
 create mode 100644 dockerfiles/log-prepare/up
 create mode 100644 dockerfiles/s6-rc.d/plural/run
 create mode 100644 dockerfiles/s6-rc.d/plural/type
 create mode 100644 dockerfiles/s6-rc.d/ssh/run
 create mode 100644 dockerfiles/s6-rc.d/ssh/type
 create mode 100644 get-docker.sh

diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud
index ee06aeca..d702b2df 100644
--- a/dockerfiles/Dockerfile.cloud
+++ b/dockerfiles/Dockerfile.cloud
@@ -168,7 +168,7 @@ USER plural
 ENV SKIP_IPTABLES=1
 RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh && DOCKER
 ENV PATH "$PATH:/sbin"
-ENV PATH "$PATH:/home/plural/bin:$PATH"
+ENV PATH "$PATH:/home/plural/bin"
 ENV DOCKER_HOST "unix:///${XDG_RUNTIME_DIR}/docker.sock"
 #&& usermod -a -G docker plural
 ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh
diff --git a/dockerfiles/log-prepare/dependencies.d/base b/dockerfiles/log-prepare/dependencies.d/base
new file mode 100644
index 00000000..e69de29b
diff --git a/dockerfiles/log-prepare/type b/dockerfiles/log-prepare/type
new file mode 100644
index 00000000..3d92b15f
--- /dev/null
+++ b/dockerfiles/log-prepare/type
@@ -0,0 +1 @@
+oneshot
\ No newline at end of file
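Review bot: The `RUN curl -fsSL https://get.docker.com/rootless ... && sh get-docker.sh && DOCKER` context line still fetches the installer over the network at build time, yet this same commit's diffstat adds a 743-line `get-docker.sh` at the repository root — by its own header a copy of the upstream Docker Engine installer (the non-rootless get.docker.com script, commit `c2de0811...`), which neither this RUN line nor anything else in the Dockerfile uses. A vendored third-party installer that is never executed is dead weight that will drift from what actually runs; either drop it from the commit (and list it in `.dockerignore` so it cannot enter the build context), or make a reviewed copy the source of truth with `COPY get-docker.sh /tmp/get-docker.sh` and `RUN sh /tmp/get-docker.sh`, which would also close the unpinned fetch raised on patch 01. If it stays, a one-line comment at the top of the file stating where it came from and why it is vendored is the minimum.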
diff --git a/dockerfiles/log-prepare/up b/dockerfiles/log-prepare/up
new file mode 100644
index 00000000..6a0484e2
--- /dev/null
+++ b/dockerfiles/log-prepare/up
@@ -0,0 +1,3 @@
+if { mkdir -p /var/log/dind }
+if { chown nobody:nogroup /var/log/dind }
+chmod 02755 /var/log/dind
\ No newline at end of file
diff --git a/dockerfiles/s6-rc.d/dockerd/run b/dockerfiles/s6-rc.d/dockerd/run
index 0a596d3c..adbe85ff 100644
--- a/dockerfiles/s6-rc.d/dockerd/run
+++ b/dockerfiles/s6-rc.d/dockerd/run
@@ -1,2 +1,4 @@
-#!/command/with-contenv sh
-exec dockerd --log-level error
\ No newline at end of file
+#!/command/execlineb -P
+with-contenv
+s6-setuidgid plural
+dockerd-rootless.sh --experimental
diff --git a/dockerfiles/s6-rc.d/plural/run b/dockerfiles/s6-rc.d/plural/run
new file mode 100644
index 00000000..cf08450e
--- /dev/null
+++ b/dockerfiles/s6-rc.d/plural/run
@@ -0,0 +1,4 @@
+#!/command/execlineb -P
+with-contenv
+s6-setuidgid plural
+eval $(ssh-agent -s)
\ No newline at end of file
diff --git a/dockerfiles/s6-rc.d/plural/type b/dockerfiles/s6-rc.d/plural/type
new file mode 100644
index 00000000..1780f9f4
--- /dev/null
+++ b/dockerfiles/s6-rc.d/plural/type
@@ -0,0 +1 @@
+longrun
\ No newline at end of file
diff --git a/dockerfiles/s6-rc.d/ssh/run b/dockerfiles/s6-rc.d/ssh/run
new file mode 100644
index 00000000..e21a573c
--- /dev/null
+++ b/dockerfiles/s6-rc.d/ssh/run
@@ -0,0 +1,4 @@
+#!/command/execlineb -P
+with-contenv
+s6-setuidgid plural
+plural serve
\ No newline at end of file
diff --git a/dockerfiles/s6-rc.d/ssh/type b/dockerfiles/s6-rc.d/ssh/type
new file mode 100644
index 00000000..1780f9f4
--- /dev/null
+++ b/dockerfiles/s6-rc.d/ssh/type
@@ -0,0 +1 @@
+longrun
\ No newline at end of file
diff --git a/get-docker.sh b/get-docker.sh
new file mode 100644
index 00000000..8284dd88
--- /dev/null
+++ b/get-docker.sh
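Review bot: `dockerfiles/log-prepare/` sits beside `s6-rc.d/` rather than inside it, so the `COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d` from patch 05 will not put this oneshot into the image, and nothing in the series lists `log-prepare` in another service's `dependencies.d` or in `user/contents.d` — presumably it belongs at `dockerfiles/s6-rc.d/log-prepare/`. `chmod 02755 /var/log/dind` sets the setgid bit on a directory owned by `nobody:nogroup`; if the only requirement is that `dockerd` (which now runs as `plural`) can write there, `chown plural` with a plain `0755` states that more directly, and since no service in this series writes to `/var/log/dind`, a comment in `up` saying who the directory is for would help the next reader.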
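Review bot: `eval $(ssh-agent -s)` is shell syntax, but `plural/run` executes under `#!/command/execlineb -P`, which has no `eval` builtin and no `$(...)` substitution, so the last line tries to exec a program literally named `eval` and the service fails on every start — and as a `longrun` it is then restarted in a loop. An agent does not fit a supervised service in this form anyway: `ssh-agent -s` forks into the background and prints variables for a parent shell, so the socket path never reaches `plural serve`; if the agent is needed, run `ssh-agent -D -a <fixed socket path>` in the foreground under s6 and hand `SSH_AUTH_SOCK` to the `ssh` service through the container environment, or keep the original shell `CMD`. The names also look swapped — `ssh/run` launches `plural serve` while `plural/run` launches the agent — and neither service has a `user/contents.d` entry in this commit, so as shown s6-overlay will not start them at all.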
@@ -0,0 +1,743 @@ +#!/bin/sh +set -e +# Docker Engine for Linux installation script. +# +# This script is intended as a convenient way to configure docker's package +# repositories and to install Docker Engine, This script is not recommended +# for production environments. Before running this script, make yourself familiar +# with potential risks and limitations, and refer to the installation manual +# at https://docs.docker.com/engine/install/ for alternative installation methods. +# +# The script: +# +# - Requires `root` or `sudo` privileges to run. +# - Attempts to detect your Linux distribution and version and configure your +# package management system for you. +# - Doesn't allow you to customize most installation parameters. +# - Installs dependencies and recommendations without asking for confirmation. +# - Installs the latest stable release (by default) of Docker CLI, Docker Engine, +# Docker Buildx, Docker Compose, containerd, and runc. When using this script +# to provision a machine, this may result in unexpected major version upgrades +# of these packages. Always test upgrades in a test environment before +# deploying to your production systems. +# - Isn't designed to upgrade an existing Docker installation. When using the +# script to update an existing installation, dependencies may not be updated +# to the expected version, resulting in outdated versions. +# +# Source code is available at https://github.com/docker/docker-install/ +# +# Usage +# ============================================================================== +# +# To install the latest stable versions of Docker CLI, Docker Engine, and their +# dependencies: +# +# 1. download the script +# +# $ curl -fsSL https://get.docker.com -o install-docker.sh +# +# 2. verify the script's content +# +# $ cat install-docker.sh +# +# 3. run the script with --dry-run to verify the steps it executes +# +# $ sh install-docker.sh --dry-run +# +# 4. 
run the script either as root, or using sudo to perform the installation. +# +# $ sudo sh install-docker.sh +# +# Command-line options +# ============================================================================== +# +# --version +# Use the --version option to install a specific version, for example: +# +# $ sudo sh install-docker.sh --version 23.0 +# +# --channel +# +# Use the --channel option to install from an alternative installation channel. +# The following example installs the latest versions from the "test" channel, +# which includes pre-releases (alpha, beta, rc): +# +# $ sudo sh install-docker.sh --channel test +# +# Alternatively, use the script at https://test.docker.com, which uses the test +# channel as default. +# +# --mirror +# +# Use the --mirror option to install from a mirror supported by this script. +# Available mirrors are "Aliyun" (https://mirrors.aliyun.com/docker-ce), and +# "AzureChinaCloud" (https://mirror.azure.cn/docker-ce), for example: +# +# $ sudo sh install-docker.sh --mirror AzureChinaCloud +# +# ============================================================================== + + +# Git commit from https://github.com/docker/docker-install when +# the script was uploaded (Should only be modified by upload job): +SCRIPT_COMMIT_SHA="c2de0811708b6d9015ed1a2c80f02c9b70c8ce7b" + +# strip "v" prefix if present +VERSION="${VERSION#v}" + +# The channel to install from: +# * stable +# * test +# * edge (deprecated) +# * nightly (unmaintained) +DEFAULT_CHANNEL_VALUE="stable" +if [ -z "$CHANNEL" ]; then + CHANNEL=$DEFAULT_CHANNEL_VALUE +fi + +DEFAULT_DOWNLOAD_URL="https://download.docker.com" +if [ -z "$DOWNLOAD_URL" ]; then + DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL +fi + +DEFAULT_REPO_FILE="docker-ce.repo" +if [ -z "$REPO_FILE" ]; then + REPO_FILE="$DEFAULT_REPO_FILE" +fi + +mirror='' +DRY_RUN=${DRY_RUN:-} +while [ $# -gt 0 ]; do + case "$1" in + --channel) + CHANNEL="$2" + shift + ;; + --dry-run) + DRY_RUN=1 + ;; + --mirror) + mirror="$2" + shift 
+ ;; + --version) + VERSION="${2#v}" + shift + ;; + --*) + echo "Illegal option $1" + ;; + esac + shift $(( $# > 0 ? 1 : 0 )) +done + +case "$mirror" in + Aliyun) + DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce" + ;; + AzureChinaCloud) + DOWNLOAD_URL="https://mirror.azure.cn/docker-ce" + ;; + "") + ;; + *) + >&2 echo "unknown mirror '$mirror': use either 'Aliyun', or 'AzureChinaCloud'." + exit 1 + ;; +esac + +case "$CHANNEL" in + stable|test) + ;; + edge|nightly) + >&2 echo "DEPRECATED: the $CHANNEL channel has been deprecated and no longer supported by this script." + exit 1 + ;; + *) + >&2 echo "unknown CHANNEL '$CHANNEL': use either stable or test." + exit 1 + ;; +esac + +command_exists() { + command -v "$@" > /dev/null 2>&1 +} + +# version_gte checks if the version specified in $VERSION is at least the given +# SemVer (Maj.Minor[.Patch]), or CalVer (YY.MM) version.It returns 0 (success) +# if $VERSION is either unset (=latest) or newer or equal than the specified +# version, or returns 1 (fail) otherwise. +# +# examples: +# +# VERSION=23.0 +# version_gte 23.0 // 0 (success) +# version_gte 20.10 // 0 (success) +# version_gte 19.03 // 0 (success) +# version_gte 21.10 // 1 (fail) +version_gte() { + if [ -z "$VERSION" ]; then + return 0 + fi + eval version_compare "$VERSION" "$1" +} + +# version_compare compares two version strings (either SemVer (Major.Minor.Path), +# or CalVer (YY.MM) version strings. It returns 0 (success) if version A is newer +# or equal than version B, or 1 (fail) otherwise. Patch releases and pre-release +# (-alpha/-beta) are not taken into account +# +# examples: +# +# version_compare 23.0.0 20.10 // 0 (success) +# version_compare 23.0 20.10 // 0 (success) +# version_compare 20.10 19.03 // 0 (success) +# version_compare 20.10 20.10 // 0 (success) +# version_compare 19.03 20.10 // 1 (fail) +version_compare() ( + set +x + + yy_a="$(echo "$1" | cut -d'.' -f1)" + yy_b="$(echo "$2" | cut -d'.' 
-f1)" + if [ "$yy_a" -lt "$yy_b" ]; then + return 1 + fi + if [ "$yy_a" -gt "$yy_b" ]; then + return 0 + fi + mm_a="$(echo "$1" | cut -d'.' -f2)" + mm_b="$(echo "$2" | cut -d'.' -f2)" + + # trim leading zeros to accommodate CalVer + mm_a="${mm_a#0}" + mm_b="${mm_b#0}" + + if [ "${mm_a:-0}" -lt "${mm_b:-0}" ]; then + return 1 + fi + + return 0 +) + +is_dry_run() { + if [ -z "$DRY_RUN" ]; then + return 1 + else + return 0 + fi +} + +is_wsl() { + case "$(uname -r)" in + *microsoft* ) true ;; # WSL 2 + *Microsoft* ) true ;; # WSL 1 + * ) false;; + esac +} + +is_darwin() { + case "$(uname -s)" in + *darwin* ) true ;; + *Darwin* ) true ;; + * ) false;; + esac +} + +deprecation_notice() { + distro=$1 + distro_version=$2 + echo + printf "\033[91;1mDEPRECATION WARNING\033[0m\n" + printf " This Linux distribution (\033[1m%s %s\033[0m) reached end-of-life and is no longer supported by this script.\n" "$distro" "$distro_version" + echo " No updates or security fixes will be released for this distribution, and users are recommended" + echo " to upgrade to a currently maintained version of $distro." + echo + printf "Press \033[1mCtrl+C\033[0m now to abort this script, or wait for the installation to continue." + echo + sleep 10 +} + +get_distribution() { + lsb_dist="" + # Every system that we officially support has /etc/os-release + if [ -r /etc/os-release ]; then + lsb_dist="$(. 
/etc/os-release && echo "$ID")" + fi + # Returning an empty string here should be alright since the + # case statements don't act unless you provide an actual value + echo "$lsb_dist" +} + +echo_docker_as_nonroot() { + if is_dry_run; then + return + fi + if command_exists docker && [ -e /var/run/docker.sock ]; then + ( + set -x + $sh_c 'docker version' + ) || true + fi + + # intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output + echo + echo "================================================================================" + echo + if version_gte "20.10"; then + echo "To run Docker as a non-privileged user, consider setting up the" + echo "Docker daemon in rootless mode for your user:" + echo + echo " dockerd-rootless-setuptool.sh install" + echo + echo "Visit https://docs.docker.com/go/rootless/ to learn about rootless mode." + echo + fi + echo + echo "To run the Docker daemon as a fully privileged service, but granting non-root" + echo "users access, refer to https://docs.docker.com/go/daemon-access/" + echo + echo "WARNING: Access to the remote API on a privileged Docker daemon is equivalent" + echo " to root access on the host. Refer to the 'Docker daemon attack surface'" + echo " documentation for details: https://docs.docker.com/go/attack-surface/" + echo + echo "================================================================================" + echo +} + +# Check if this is a forked Linux distro +check_forked() { + + # Check for lsb_release command existence, it usually exists in forked distros + if command_exists lsb_release; then + # Check if the `-u` option is supported + set +e + lsb_release -a -u > /dev/null 2>&1 + lsb_release_exit_code=$? + set -e + + # Check if the command has exited successfully, it means we're in a forked distro + if [ "$lsb_release_exit_code" = "0" ]; then + # Print info about current distro + cat <<-EOF + You're using '$lsb_dist' version '$dist_version'. 
+ EOF + + # Get the upstream release info + lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]') + dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]') + + # Print info about upstream distro + cat <<-EOF + Upstream release is '$lsb_dist' version '$dist_version'. + EOF + else + if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then + if [ "$lsb_dist" = "osmc" ]; then + # OSMC runs Raspbian + lsb_dist=raspbian + else + # We're Debian and don't even know it! + lsb_dist=debian + fi + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 12) + dist_version="bookworm" + ;; + 11) + dist_version="bullseye" + ;; + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8) + dist_version="jessie" + ;; + esac + fi + fi + fi +} + +do_install() { + echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA" + + if command_exists docker; then + cat >&2 <<-'EOF' + Warning: the "docker" command appears to already exist on this system. + + If you already have Docker installed, this script can cause trouble, which is + why we're displaying this warning and provide the opportunity to cancel the + installation. + + If you installed the current Docker package using this script and are using it + again to update Docker, you can safely ignore this message. + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + user="$(id -un 2>/dev/null || true)" + + sh_c='sh -c' + if [ "$user" != 'root' ]; then + if command_exists sudo; then + sh_c='sudo -E sh -c' + elif command_exists su; then + sh_c='su -c' + else + cat >&2 <<-'EOF' + Error: this installer needs the ability to run commands as root. + We are unable to find either "sudo" or "su" available to make this happen. 
+ EOF + exit 1 + fi + fi + + if is_dry_run; then + sh_c="echo" + fi + + # perform some very rudimentary platform detection + lsb_dist=$( get_distribution ) + lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" + + if is_wsl; then + echo + echo "WSL DETECTED: We recommend using Docker Desktop for Windows." + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop/" + echo + cat >&2 <<-'EOF' + + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 20 ) + fi + + case "$lsb_dist" in + + ubuntu) + if command_exists lsb_release; then + dist_version="$(lsb_release --codename | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then + dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")" + fi + ;; + + debian|raspbian) + dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" + case "$dist_version" in + 12) + dist_version="bookworm" + ;; + 11) + dist_version="bullseye" + ;; + 10) + dist_version="buster" + ;; + 9) + dist_version="stretch" + ;; + 8) + dist_version="jessie" + ;; + esac + ;; + + centos|rhel|sles) + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. /etc/os-release && echo "$VERSION_ID")" + fi + ;; + + *) + if command_exists lsb_release; then + dist_version="$(lsb_release --release | cut -f2)" + fi + if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then + dist_version="$(. /etc/os-release && echo "$VERSION_ID")" + fi + ;; + + esac + + # Check if this is a forked Linux distro + check_forked + + # Print deprecation warnings for distro versions that recently reached EOL, + # but may still be commonly used (especially LTS versions). 
+ case "$lsb_dist.$dist_version" in + debian.stretch|debian.jessie) + deprecation_notice "$lsb_dist" "$dist_version" + ;; + raspbian.stretch|raspbian.jessie) + deprecation_notice "$lsb_dist" "$dist_version" + ;; + ubuntu.xenial|ubuntu.trusty) + deprecation_notice "$lsb_dist" "$dist_version" + ;; + ubuntu.impish|ubuntu.hirsute|ubuntu.groovy|ubuntu.eoan|ubuntu.disco|ubuntu.cosmic) + deprecation_notice "$lsb_dist" "$dist_version" + ;; + fedora.*) + if [ "$dist_version" -lt 36 ]; then + deprecation_notice "$lsb_dist" "$dist_version" + fi + ;; + esac + + # Run setup for each distro accordingly + case "$lsb_dist" in + ubuntu|debian|raspbian) + pre_reqs="apt-transport-https ca-certificates curl" + if ! command -v gpg > /dev/null; then + pre_reqs="$pre_reqs gnupg" + fi + apt_repo="deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL" + ( + if ! is_dry_run; then + set -x + fi + $sh_c 'apt-get update -qq >/dev/null' + $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null" + $sh_c 'install -m 0755 -d /etc/apt/keyrings' + $sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg" + $sh_c "chmod a+r /etc/apt/keyrings/docker.gpg" + $sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list" + $sh_c 'apt-get update -qq >/dev/null' + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + # Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel + pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/~ce~.*/g' | sed 's/-/.*/g')" + search_command="apt-cache madison docker-ce | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z 
"$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst apt-cache madison results" + echo + exit 1 + fi + if version_gte "18.09"; then + search_command="apt-cache madison docker-ce-cli | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" + echo "INFO: $search_command" + cli_pkg_version="=$($sh_c "$search_command")" + fi + pkg_version="=$pkg_version" + fi + fi + ( + pkgs="docker-ce${pkg_version%=}" + if version_gte "18.09"; then + # older versions didn't ship the cli and containerd as separate packages + pkgs="$pkgs docker-ce-cli${cli_pkg_version%=} containerd.io" + fi + if version_gte "20.10"; then + pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version" + fi + if version_gte "23.0"; then + pkgs="$pkgs docker-buildx-plugin" + fi + if ! is_dry_run; then + set -x + fi + $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pkgs >/dev/null" + ) + echo_docker_as_nonroot + exit 0 + ;; + centos|fedora|rhel) + if [ "$(uname -m)" != "s390x" ] && [ "$lsb_dist" = "rhel" ]; then + echo "Packages for RHEL are currently only available for s390x." + exit 1 + fi + if [ "$lsb_dist" = "fedora" ]; then + pkg_manager="dnf" + config_manager="dnf config-manager" + enable_channel_flag="--set-enabled" + disable_channel_flag="--set-disabled" + pre_reqs="dnf-plugins-core" + pkg_suffix="fc$dist_version" + else + pkg_manager="yum" + config_manager="yum-config-manager" + enable_channel_flag="--enable" + disable_channel_flag="--disable" + pre_reqs="yum-utils" + pkg_suffix="el" + fi + repo_file_url="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" + ( + if ! 
is_dry_run; then + set -x + fi + $sh_c "$pkg_manager install -y -q $pre_reqs" + $sh_c "$config_manager --add-repo $repo_file_url" + + if [ "$CHANNEL" != "stable" ]; then + $sh_c "$config_manager $disable_channel_flag 'docker-ce-*'" + $sh_c "$config_manager $enable_channel_flag 'docker-ce-$CHANNEL'" + fi + $sh_c "$pkg_manager makecache" + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/\\\\.ce.*/g' | sed 's/-/.*/g').*$pkg_suffix" + search_command="$pkg_manager list --showduplicates docker-ce | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst $pkg_manager list results" + echo + exit 1 + fi + if version_gte "18.09"; then + # older versions don't support a cli package + search_command="$pkg_manager list --showduplicates docker-ce-cli | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" + cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)" + fi + # Cut out the epoch and prefix with a '-' + pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)" + fi + fi + ( + pkgs="docker-ce$pkg_version" + if version_gte "18.09"; then + # older versions didn't ship the cli and containerd as separate packages + if [ -n "$cli_pkg_version" ]; then + pkgs="$pkgs docker-ce-cli-$cli_pkg_version containerd.io" + else + pkgs="$pkgs docker-ce-cli containerd.io" + fi + fi + if version_gte "20.10"; then + pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version" + fi + if version_gte "23.0"; then + pkgs="$pkgs docker-buildx-plugin" + fi + if ! 
is_dry_run; then + set -x + fi + $sh_c "$pkg_manager install -y -q $pkgs" + ) + echo_docker_as_nonroot + exit 0 + ;; + sles) + if [ "$(uname -m)" != "s390x" ]; then + echo "Packages for SLES are currently only available for s390x" + exit 1 + fi + if [ "$dist_version" = "15.3" ]; then + sles_version="SLE_15_SP3" + else + sles_minor_version="${dist_version##*.}" + sles_version="15.$sles_minor_version" + fi + repo_file_url="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" + pre_reqs="ca-certificates curl libseccomp2 awk" + ( + if ! is_dry_run; then + set -x + fi + $sh_c "zypper install -y $pre_reqs" + $sh_c "zypper addrepo $repo_file_url" + if ! is_dry_run; then + cat >&2 <<-'EOF' + WARNING!! + openSUSE repository (https://download.opensuse.org/repositories/security:SELinux) will be enabled now. + Do you wish to continue? + You may press Ctrl+C now to abort this script. + EOF + ( set -x; sleep 30 ) + fi + opensuse_repo="https://download.opensuse.org/repositories/security:SELinux/$sles_version/security:SELinux.repo" + $sh_c "zypper addrepo $opensuse_repo" + $sh_c "zypper --gpg-auto-import-keys refresh" + $sh_c "zypper lr -d" + ) + pkg_version="" + if [ -n "$VERSION" ]; then + if is_dry_run; then + echo "# WARNING: VERSION pinning is not supported in DRY_RUN" + else + pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/\\\\.ce.*/g' | sed 's/-/.*/g')" + search_command="zypper search -s --match-exact 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$6}'" + pkg_version="$($sh_c "$search_command")" + echo "INFO: Searching repository for VERSION '$VERSION'" + echo "INFO: $search_command" + if [ -z "$pkg_version" ]; then + echo + echo "ERROR: '$VERSION' not found amongst zypper list results" + echo + exit 1 + fi + search_command="zypper search -s --match-exact 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$6}'" + # It's okay for cli_pkg_version to be blank, since older versions don't support a cli package + cli_pkg_version="$($sh_c "$search_command")" + 
pkg_version="-$pkg_version" + fi + fi + ( + pkgs="docker-ce$pkg_version" + if version_gte "18.09"; then + if [ -n "$cli_pkg_version" ]; then + # older versions didn't ship the cli and containerd as separate packages + pkgs="$pkgs docker-ce-cli-$cli_pkg_version containerd.io" + else + pkgs="$pkgs docker-ce-cli containerd.io" + fi + fi + if version_gte "20.10"; then + pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version" + fi + if version_gte "23.0"; then + pkgs="$pkgs docker-buildx-plugin" + fi + if ! is_dry_run; then + set -x + fi + $sh_c "zypper -q install -y $pkgs" + ) + echo_docker_as_nonroot + exit 0 + ;; + *) + if [ -z "$lsb_dist" ]; then + if is_darwin; then + echo + echo "ERROR: Unsupported operating system 'macOS'" + echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop" + echo + exit 1 + fi + fi + echo + echo "ERROR: Unsupported distribution '$lsb_dist'" + echo + exit 1 + ;; + esac + exit 1 +} + +# wrapped up in a function so that we have some protection against only getting +# half the file during "curl | sh" +do_install From 1b116f85ddc0e98c6d44dcbb61a4d75f3dfa97b3 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 14 Aug 2023 16:39:35 +0200 Subject: [PATCH 14/57] fix --- dockerfiles/Dockerfile.cloud | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index d702b2df..6293baff 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
@@ -166,7 +166,7 @@ USER plural #RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \ #RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural ENV SKIP_IPTABLES=1 -RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh && DOCKER +RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh ENV PATH "$PATH:/sbin" ENV PATH "$PATH:/home/plural/bin" ENV DOCKER_HOST "unix:///${XDG_RUNTIME_DIR}/docker.sock" From 2ecb415180fc82e13a975e835e2cd42ac0803de6 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 14 Aug 2023 16:56:14 +0200 Subject: [PATCH 15/57] fix --- dockerfiles/Dockerfile.cloud | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 6293baff..e3b5ebbf 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -167,16 +167,13 @@ USER plural #RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural ENV SKIP_IPTABLES=1 RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh -ENV PATH "$PATH:/sbin" -ENV PATH "$PATH:/home/plural/bin" -ENV DOCKER_HOST "unix:///${XDG_RUNTIME_DIR}/docker.sock" #&& usermod -a -G docker plural ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh # setup rootless docker #RUN dockerd-rootless-setuptool.sh install --skip-iptables -COPY tmux /home/plural/tmuxd +COPY tmux /home/plural/tmux COPY welcome.txt /home/plural/welcome.txt COPY .screenrc /home/plural/.screenrc 
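Review bot: The corrected line still runs an installer fetched at build time with no integrity check, `curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh`, so whatever that URL serves on the day of the build ends up in the image, and the downloaded `get-docker.sh` stays behind in the `plural` user's working directory. At minimum remove it after use, `sh get-docker.sh && rm -f get-docker.sh`, and state in a comment which Docker release the build is expected to produce (the commented line just above passed `--version ${DOCKER_VERSION}`) so a build can be checked against it. A copy of the installer kept in the repository with a recorded checksum would make the build reproducible.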
@@ -184,6 +181,8 @@ RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/inst cat tmux/.zshrc.local >> /home/plural/.zshrc && \ helm plugin install https://github.com/databus23/helm-diff +RUN echo "export PATH=\$PATH:/sbin" >> /home/plural/.zhsrc && echo "export PATH=\$PATH:/home/plural/bin" >> /home/plural/.zhsrc && echo "export DOCKER_HOST=unix:///${XDG_RUNTIME_DIR}/docker.sock" >> /home/plural/.zshrc + ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json From e8bc23d2379b24476dd32812d4f196799098d356 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 14 Aug 2023 19:24:38 +0200 Subject: [PATCH 16/57] rm debug code --- dockerfiles/Dockerfile.cloud | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index e3b5ebbf..8c00dd3a 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -159,7 +159,8 @@ WORKDIR /home/plural ENV XDG_RUNTIME_DIR=/home/plural/.docker RUN mkdir -p $XDG_RUNTIME_DIR && \ chown 1000:0 $XDG_RUNTIME_DIR && \ - echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf + echo 1 > /proc/sys/kernel/unprivileged_userns_clone + #echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf USER plural #ENV DOCKER_VERSION=24.0.0 
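Review bot: Two of the three redirects in the added `RUN` write to `/home/plural/.zhsrc` rather than `/home/plural/.zshrc`, so the `PATH` exports for `/sbin` and `/home/plural/bin` land in a stray file and never take effect; only the `DOCKER_HOST` export reaches `.zshrc`. Change both to `>> /home/plural/.zshrc`. The `\$PATH` escaping itself is right for a build-time shell: the line written is `export PATH=$PATH:/sbin`, evaluated when the login shell starts.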
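Review bot: `echo 1 > /proc/sys/kernel/unprivileged_userns_clone` runs inside `docker build`, where `/proc/sys` is read-only for an unprivileged builder, so this step will most likely fail the build, and even where it succeeds it changes the builder's kernel, not the kernel of the node that later runs the image. The same applies to the `/etc/sysctl.conf` plus `sysctl --system` form that PATCH 17 restores in its second hunk (`@@ -159,8 +160,8 @@`): `kernel.unprivileged_userns_clone` is a host setting that has to be configured on the node, and because it widens the kernel surface reachable by unprivileged users it deserves a deliberate decision there rather than a side effect of an image build. Drop the line from the Dockerfile and record the prerequisite instead, e.g. `# rootless dockerd needs kernel.unprivileged_userns_clone=1 on the node; it cannot be set from the image`.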
@@ -181,7 +182,9 @@ RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/inst cat tmux/.zshrc.local >> /home/plural/.zshrc && \ helm plugin install https://github.com/databus23/helm-diff -RUN echo "export PATH=\$PATH:/sbin" >> /home/plural/.zhsrc && echo "export PATH=\$PATH:/home/plural/bin" >> /home/plural/.zhsrc && echo "export DOCKER_HOST=unix:///${XDG_RUNTIME_DIR}/docker.sock" >> /home/plural/.zshrc +RUN printf "\nexport PATH=$PATH:/sbin" >> /home/plural/.zshrc && \ + printf "\nexport PATH=$PATH:/home/plural/bin" >> /home/plural/.zshrc && \ + printf "\nexport DOCKER_HOST=unix:///${XDG_RUNTIME_DIR}/docker.sock" >> /home/plural/.zshrc ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json From e770374585421f07767ffecfaf2af7a7ad8f989d Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 14 Aug 2023 20:43:18 +0200 Subject: [PATCH 17/57] try with fuse-overlayfs --- dockerfiles/Dockerfile.cloud | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 8c00dd3a..92d8f2ee 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -80,6 +80,7 @@ RUN apt-get -yq update \ dbus-user-session \ iptables \ kmod \ + fuse-overlayfs \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* @@ -159,8 +160,8 @@ WORKDIR /home/plural ENV XDG_RUNTIME_DIR=/home/plural/.docker RUN mkdir -p $XDG_RUNTIME_DIR && \ chown 1000:0 $XDG_RUNTIME_DIR && \ - echo 1 > /proc/sys/kernel/unprivileged_userns_clone - #echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf + echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ + sysctl --system USER plural #ENV DOCKER_VERSION=24.0.0 From 26aaa512c3952fabe81fee8f934d1da1f16bbed4 Mon Sep 17 00:00:00 2001 
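Review bot: The rewritten `printf` calls use double quotes, so `$PATH` and `${XDG_RUNTIME_DIR}` are expanded by the build shell; the first two lines written to `.zshrc` therefore contain the build-time `PATH` verbatim, and at login they replace whatever `PATH` the shell already has, including entries set earlier in the same file (the `cat tmux/.zshrc.local >> /home/plural/.zshrc` above it, if that file touches `PATH`). The version this replaces escaped it as `\$PATH`, which is what the first two lines want; only `${XDG_RUNTIME_DIR}` should be expanded at build time. Suggest `printf '\nexport PATH=$PATH:/sbin' >> /home/plural/.zshrc && \` and `printf '\nexport PATH=$PATH:/home/plural/bin' >> /home/plural/.zshrc && \`, keeping the double-quoted form for the `DOCKER_HOST` line.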
From: Hans Rauer Date: Tue, 15 Aug 2023 12:07:41 +0200 Subject: [PATCH 18/57] test --- Makefile | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Makefile b/Makefile index ced6101d..9cab8df0 100644 --- a/Makefile +++ b/Makefile @@ -101,6 +101,16 @@ build-cloud: ## build the cloud docker image -t gcr.io/$(GCP_PROJECT)/$(APP_NAME)-cloud:$(APP_VSN) \ -t $(DKR_HOST)/plural/$(APP_NAME)-cloud:$(APP_VSN) -f dockerfiles/Dockerfile.cloud . +.PHONY: build-test +build-test: ## build the cloud docker image + docker build --build-arg APP_NAME=$(APP_NAME) \ + --build-arg APP_VSN=$(APP_VSN) \ + --build-arg APP_DATE=$(APP_DATE) \ + --build-arg APP_COMMIT=$(BUILD) \ + -t $(APP_NAME)-test:$(APP_VSN) \ + -t $(APP_NAME)-test:latest \ + -t $(DKR_HOST)/plural/$(APP_NAME)-test:$(APP_VSN) -f dockerfiles/Dockerfile.test . + .PHONY: push push: ## push to gcr docker push gcr.io/$(GCP_PROJECT)/$(APP_NAME):$(APP_VSN) From 99bcb4757a2c286933d93f9ea6e0c0239462bf04 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Tue, 15 Aug 2023 12:08:25 +0200 Subject: [PATCH 19/57] test dockerfile systemd --- .gitignore | 1 + dockerfiles/Dockerfile.test | 69 +++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) create mode 100644 dockerfiles/Dockerfile.test diff --git a/.gitignore b/.gitignore index 5140c33f..d9e3db70 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,7 @@ # Test binary, built with `go test -c` *.test +!Dockerfile.test # Output of the go coverage tool, specifically when used with LiteIDE *.out diff --git a/dockerfiles/Dockerfile.test b/dockerfiles/Dockerfile.test new file mode 100644 index 00000000..2605a70a --- /dev/null +++ b/dockerfiles/Dockerfile.test 
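Review bot: The help text on the new target, `build-test: ## build the cloud docker image`, is copied from `build-cloud` and now describes the wrong image; any help listing driven by the `##` convention will show two targets with the same description. Suggest `build-test: ## build the test docker image (dockerfiles/Dockerfile.test)`. Naming the Dockerfile in the comment also tells readers where the `-test` image differs from `-cloud`, which the target body itself does not.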
@@ -0,0 +1,69 @@ +FROM ghcr.io/nestybox/ubuntu-jammy-systemd:latest + +RUN apt-get -yq update \ + && apt-get -yq install --no-install-recommends \ + apt-transport-https \ + ca-certificates \ + gnupg \ + unzip \ + git \ + openssl \ + curl \ + zsh \ + emacs \ + vim \ + python3 \ + locales-all\ + screen \ + tree \ + less \ + lsb-release \ + openssh-client \ + xz-utils \ + uidmap \ + dbus-user-session \ + iptables \ + kmod \ + fuse-overlayfs \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +RUN useradd -ms /bin/bash plural + +WORKDIR /home/plural +ENV XDG_RUNTIME_DIR=/home/plural/.docker +RUN mkdir -p $XDG_RUNTIME_DIR && \ + chown 1000:1000 $XDG_RUNTIME_DIR && \ + echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ + sysctl --system + +USER plural +#ENV DOCKER_VERSION=24.0.0 +#RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \ +#RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural +ENV SKIP_IPTABLES=1 +RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh +#&& usermod -a -G docker plural +ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh + + +## Install Docker +#RUN apt-get update && apt-get install -y curl \ +# && rm -rf /var/lib/apt/lists/* \ +# && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \ +# # Add user "admin" to the Docker group +# && usermod -a -G docker admin +#ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh +# +## Install Sshd +#RUN apt-get update && apt-get install --no-install-recommends -y openssh-server \ +# && rm -rf /var/lib/apt/lists/* \ +# && mkdir /home/admin/.ssh \ +# && chown admin:admin 
/home/admin/.ssh + +EXPOSE 22 + +USER root + +# Set systemd as entrypoint. +ENTRYPOINT [ "/sbin/init", "--log-level=err" ] \ No newline at end of file From f46f1fccffb07bccf362ee9a3b9c8a82eca1f22e Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Tue, 15 Aug 2023 12:20:46 +0200 Subject: [PATCH 20/57] fix build --- Makefile | 2 +- dockerfiles/Dockerfile.test | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 9cab8df0..6c2cf370 100644 --- a/Makefile +++ b/Makefile @@ -103,7 +103,7 @@ build-cloud: ## build the cloud docker image .PHONY: build-test build-test: ## build the cloud docker image - docker build --build-arg APP_NAME=$(APP_NAME) \ + docker build --progress=plain --build-arg APP_NAME=$(APP_NAME) \ --build-arg APP_VSN=$(APP_VSN) \ --build-arg APP_DATE=$(APP_DATE) \ --build-arg APP_COMMIT=$(BUILD) \ diff --git a/dockerfiles/Dockerfile.test b/dockerfiles/Dockerfile.test index 2605a70a..4e8e114a 100644 --- a/dockerfiles/Dockerfile.test +++ b/dockerfiles/Dockerfile.test @@ -28,12 +28,13 @@ RUN apt-get -yq update \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -RUN useradd -ms /bin/bash plural +RUN cat /etc/passwd +RUN useradd -u 1001 -ms /bin/bash plural WORKDIR /home/plural ENV XDG_RUNTIME_DIR=/home/plural/.docker RUN mkdir -p $XDG_RUNTIME_DIR && \ - chown 1000:1000 $XDG_RUNTIME_DIR && \ + chown 1001:0 $XDG_RUNTIME_DIR && \ echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ sysctl --system From 9034f80af92cfc8f3c6263070975521b092f15c2 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Tue, 15 Aug 2023 14:03:52 +0200 Subject: [PATCH 21/57] add missing iproute2 --- dockerfiles/Dockerfile.cloud | 1 + 1 file changed, 1 insertion(+) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 92d8f2ee..13b0a399 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
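Review bot: The base image `FROM ghcr.io/nestybox/ubuntu-jammy-systemd:latest` is unpinned, and so are the completion file pulled with `ADD https://raw.githubusercontent.com/docker/docker-ce/master/...` and the installer run by `curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh`; nothing in the build verifies what it received, so the resulting image is neither reproducible nor attributable to a known input. Pin the base image by digest, `FROM ghcr.io/nestybox/ubuntu-jammy-systemd@sha256:<digest>`, point the `ADD` at a tag or commit rather than `master`, and keep a checksum for the installer. The file also ends with `USER root` before `ENTRYPOINT [ "/sbin/init", "--log-level=err" ]` and declares `EXPOSE 22` while the sshd block is commented out; a header comment stating that this is a throwaway systemd/rootless-docker experiment (which the `test` name suggests) would keep the next reader from treating it as a deployable image.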
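Review bot: `RUN cat /etc/passwd` is a debugging step that prints the base image's account list into the build log and adds a layer for nothing; the commit title "fix build" and the switch to `useradd -u 1001` suggest it was used to find a free UID. Remove it and record the reason for the fixed UID in a comment instead, e.g. `# uid 1001: 1000 is already taken in the base image`, if that is indeed what the listing showed. `chown 1001:0 $XDG_RUNTIME_DIR` now matches the new UID, which is fine, but it too would benefit from a note saying the group is deliberately `0`.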
@@ -81,6 +81,7 @@ RUN apt-get -yq update \ iptables \ kmod \ fuse-overlayfs \ + iproute2 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/*
From 518f7bd459c40b4729e96ce7290442b353283b4a Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Tue, 15 Aug 2023 14:08:59 +0200
Subject: [PATCH 22/57] pod yamls
---
 dockerfiles/pod_priv.yaml | 25 +++++++++++++++++++++++++
 dockerfiles/pod_unpriv.yaml | 25 +++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 dockerfiles/pod_priv.yaml
 create mode 100644 dockerfiles/pod_unpriv.yaml
diff --git a/dockerfiles/pod_priv.yaml b/dockerfiles/pod_priv.yaml
new file mode 100644
index 00000000..515c1d3a
--- /dev/null
+++ b/dockerfiles/pod_priv.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: plural-cloud-priv
+ namespace: sysbox
+ #annotations:
+ # io.kubernetes.cri-o.userns-mode: "auto:size=65536"
+spec:
+ #runtimeClassName: sysbox-runc
+ containers:
+ - name: plural-cloud-priv
+ image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725
+ #command: ["/sbin/init", "--log-level=err"]
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "1m"
+ securityContext:
+ privileged: true
+ tolerations:
+ - key: plural.sh/sysbox
+ operator: Exists
+ - key: plural.sh/capacityType
+ operator: Exists
+ restartPolicy: Never
\ No newline at end of file
diff --git a/dockerfiles/pod_unpriv.yaml b/dockerfiles/pod_unpriv.yaml
new file mode 100644
index 00000000..590b725b
--- /dev/null
+++ b/dockerfiles/pod_unpriv.yaml
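Review bot: `privileged: true` hands this pod every capability, all host devices and an unconfined seccomp/AppArmor profile, which is equivalent to root on the node; with the `sysbox` namespace and the commented `#runtimeClassName: sysbox-runc` it reads as a baseline for comparing against a sysbox-isolated variant rather than something to run routinely, but the file does not say so. Add a comment above `securityContext`, e.g. `# privileged baseline for comparison with the sysbox-runc variant; not for regular use`, or delete the file once the runtime-class pod works. The image is referenced by a mutable tag (`sha-fcf2725`); an `@sha256:<digest>` reference would make the test reproducible, and the near-zero `cpu: "1m"` request deserves a note that it is intentional.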
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: plural-cloud-unpriv
+ namespace: sysbox
+ #annotations:
+ # io.kubernetes.cri-o.userns-mode: "auto:size=65536"
+spec:
+ #runtimeClassName: sysbox-runc
+ containers:
+ - name: plural-cloud-unpriv
+ image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725
+ #command: ["/sbin/init", "--log-level=err"]
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "1m"
+ securityContext:
+ privileged: false
+ tolerations:
+ - key: plural.sh/sysbox
+ operator: Exists
+ - key: plural.sh/capacityType
+ operator: Exists
+ restartPolicy: Never
\ No newline at end of file
From 934d37a88bf274ac3237446a015acece1f627460 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Tue, 15 Aug 2023 14:09:17 +0200
Subject: [PATCH 23/57] jammy test with plural login
---
 dockerfiles/Dockerfile.test | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/dockerfiles/Dockerfile.test b/dockerfiles/Dockerfile.test
index 4e8e114a..488fd993 100644
--- a/dockerfiles/Dockerfile.test
+++ b/dockerfiles/Dockerfile.test
@@ -25,11 +25,12 @@ RUN apt-get -yq update \ iptables \ kmod \ fuse-overlayfs \ + iproute2 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* RUN cat /etc/passwd -RUN useradd -u 1001 -ms /bin/bash plural +RUN useradd -u 1001 -ms /bin/bash plural && echo "plural:plural" | chpasswd && adduser admin sudo WORKDIR /home/plural ENV XDG_RUNTIME_DIR=/home/plural/.docker
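Review bot: `privileged: false` is already the default, so the `securityContext` block as written changes nothing, while the fields that make a non-privileged pod meaningfully restricted are absent: `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `seccompProfile.type: RuntimeDefault` and `runAsNonRoot: true`. If the purpose of this manifest is to check that the image works without privilege, those are what turn the result into a statement about the image; without them the container still starts with the runtime's default capability set as whatever user the image defaults to (`Dockerfile.cloud` in this series switches to `USER plural`, so `runAsNonRoot` should hold if that is the image behind the tag — worth confirming). Since name, image and tolerations otherwise mirror `pod_priv.yaml`, a one-line comment stating what this file is meant to differ in would help.
```yaml
    # … unchanged: name, image, resources …
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
```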
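Review bot: `echo "plural:plural" | chpasswd` bakes a fixed, trivially guessable password for the `plural` account into every image built from this file, and the same file declares `EXPOSE 22` and sets up sudo, so anything that later adds an ssh daemon to it ships a known credential. `adduser admin sudo` also refers to a user `admin` that nothing visible in this Dockerfile creates (both this hunk and the original file only run `useradd` for `plural`); unless the base image provides it, `adduser` fails and the build stops. If an interactive login is needed for the experiment, set the password at container start from a secret or an environment-supplied value rather than at build time, and keep the account consistent: `RUN useradd -u 1001 -ms /bin/bash plural && adduser plural sudo`.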
@@ -56,15 +57,10 @@ ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/con # && usermod -a -G docker admin #ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh # -## Install Sshd -#RUN apt-get update && apt-get install --no-install-recommends -y openssh-server \ -# && rm -rf /var/lib/apt/lists/* \ -# && mkdir /home/admin/.ssh \ -# && chown admin:admin /home/admin/.ssh -EXPOSE 22 USER root +EXPOSE 22 # Set systemd as entrypoint. ENTRYPOINT [ "/sbin/init", "--log-level=err" ] \ No newline at end of file From 67b0cd3d262980f003c5a2243f90d8780cf3528f Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Tue, 15 Aug 2023 14:41:12 +0200 Subject: [PATCH 24/57] update image --- dockerfiles/pod_priv.yaml | 3 ++- dockerfiles/pod_unpriv.yaml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/dockerfiles/pod_priv.yaml b/dockerfiles/pod_priv.yaml index 515c1d3a..c5d7ba7d 100644 --- a/dockerfiles/pod_priv.yaml +++ b/dockerfiles/pod_priv.yaml @@ -9,7 +9,8 @@ spec: #runtimeClassName: sysbox-runc containers: - name: plural-cloud-priv - image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725 + #image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725 + image: ghcr.io/pluralsh/plural-cli-cloud:sha-791720e #command: ["/sbin/init", "--log-level=err"] resources: requests: diff --git a/dockerfiles/pod_unpriv.yaml b/dockerfiles/pod_unpriv.yaml index 590b725b..0b02cfb1 100644 --- a/dockerfiles/pod_unpriv.yaml +++ b/dockerfiles/pod_unpriv.yaml @@ -9,7 +9,8 @@ spec: #runtimeClassName: sysbox-runc containers: - name: plural-cloud-unpriv - image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725 + #image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725 + image: ghcr.io/pluralsh/plural-cli-cloud:sha-791720e #command: ["/sbin/init", "--log-level=err"] resources: requests: From 980c7b46c066872d9385fd28d9327cc0b95234fc Mon Sep 17 00:00:00 2001 
From: Hans Rauer
Date: Tue, 15 Aug 2023 14:56:14 +0200
Subject: [PATCH 25/57] sysbox priv
---
 dockerfiles/pod_priv_sysbox.yaml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 dockerfiles/pod_priv_sysbox.yaml
diff --git a/dockerfiles/pod_priv_sysbox.yaml b/dockerfiles/pod_priv_sysbox.yaml
new file mode 100644
index 00000000..f0d45f81
--- /dev/null
+++ b/dockerfiles/pod_priv_sysbox.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: plural-cloud-unpriv
+ namespace: sysbox
+ #annotations:
+ # io.kubernetes.cri-o.userns-mode: "auto:size=65536"
+spec:
+ runtimeClassName: sysbox-runc
+ containers:
+ - name: plural-cloud-unpriv
+ #image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725
+ image: ghcr.io/pluralsh/plural-cli-cloud:sha-791720e
+ #command: ["/sbin/init", "--log-level=err"]
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "1m"
+ securityContext:
+ privileged: false
+ tolerations:
+ - key: plural.sh/sysbox
+ operator: Exists
+ - key: plural.sh/capacityType
+ operator: Exists
+ restartPolicy: Never
\ No newline at end of file
From 4bfdf90515c43b626cbf4b1ac80f03c42abba39f Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Tue, 15 Aug 2023 16:04:35 +0200
Subject: [PATCH 26/57] add user/contents.d
---
 .dockerignore | 3 +++
 dockerfiles/s6-rc.d/user/contents.d/dockerd | 0
 dockerfiles/s6-rc.d/user/contents.d/plural | 0
 dockerfiles/s6-rc.d/user/contents.d/ssh | 0
 4 files changed, 3 insertions(+)
 create mode 100644 dockerfiles/s6-rc.d/user/contents.d/dockerd
 create mode 100644 dockerfiles/s6-rc.d/user/contents.d/plural
 create mode 100644 dockerfiles/s6-rc.d/user/contents.d/ssh
diff --git a/.dockerignore b/.dockerignore
index 807fb439..b4ae8b22 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -16,4 +16,7 @@ hack/
 Makefile
 Dockerfile
 dockerfiles
+dockerfiles/s6-rc.d/user/contents.d/dockerd
+dockerfiles/s6-rc.d/user/contents.d/plural
+dockerfiles/s6-rc.d/user/contents.d/ssh
 !dockerfiles/s6-rc.d
\ No newline at end of file
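Review bot: `metadata.name: plural-cloud-unpriv` and the container name are copied from `pod_unpriv.yaml`, and both manifests target `namespace: sysbox`, so applying the two together makes the second `kubectl apply` try to update the first pod in place (and fail on the immutable `runtimeClassName`) instead of creating a second pod; the file name says sysbox/priv while the object says unpriv. Rename both to match the file, `name: plural-cloud-priv-sysbox`. With `runtimeClassName: sysbox-runc` and `privileged: false` this is the variant that actually exercises the runtime-class isolation, and a comment saying so — and that the `plural.sh/sysbox` toleration is presumably what lets it land on tainted sysbox nodes — would make the three pod files easy to tell apart.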
diff --git a/dockerfiles/s6-rc.d/user/contents.d/dockerd b/dockerfiles/s6-rc.d/user/contents.d/dockerd new file mode 100644 index 00000000..e69de29b diff --git a/dockerfiles/s6-rc.d/user/contents.d/plural b/dockerfiles/s6-rc.d/user/contents.d/plural new file mode 100644 index 00000000..e69de29b diff --git a/dockerfiles/s6-rc.d/user/contents.d/ssh b/dockerfiles/s6-rc.d/user/contents.d/ssh new file mode 100644 index 00000000..e69de29b From b3c5de0dd140e29fafa6d7d83560bffeeba78629 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Thu, 17 Aug 2023 14:31:59 +0200 Subject: [PATCH 27/57] test podman build --- .dockerignore | 3 +- dockerfiles/Dockerfile.cloud | 58 +++++- dockerfiles/podman-conf/containers.conf | 16 ++ dockerfiles/podman-conf/storage.conf | 236 ++++++++++++++++++++++++ 4 files changed, 303 insertions(+), 10 deletions(-) create mode 100644 dockerfiles/podman-conf/containers.conf create mode 100644 dockerfiles/podman-conf/storage.conf diff --git a/.dockerignore b/.dockerignore index b4ae8b22..3a70eb61 100644 --- a/.dockerignore +++ b/.dockerignore @@ -19,4 +19,5 @@ dockerfiles dockerfiles/s6-rc.d/user/contents.d/dockerd dockerfiles/s6-rc.d/user/contents.d/plural dockerfiles/s6-rc.d/user/contents.d/ssh -!dockerfiles/s6-rc.d \ No newline at end of file +!dockerfiles/s6-rc.d +!dockerfiles/podman-conf \ No newline at end of file diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 13b0a399..410171b3 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -80,7 +80,7 @@ RUN apt-get -yq update \ dbus-user-session \ iptables \ kmod \ - fuse-overlayfs \ + #fuse-overlayfs \ iproute2 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* 
@@ -130,6 +130,46 @@ RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d +# install podman +RUN apt-get -yq update \ + && apt-get -yq install --no-install-recommends \ + podman \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +RUN setcap cap_setuid+ep /usr/bin/newuidmap +RUN setcap cap_setgid+ep /usr/bin/newgidmap +RUN chmod 0755 /usr/bin/newuidmap +RUN chmod 0755 /usr/bin/newgidmap + +RUN echo "plural:100000:65536" > /etc/subuid +RUN echo "plural:100000:65536" > /etc/subgid +#RUN echo "plural ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers + +COPY dockerfiles/podman-conf/containers.conf /etc/containers/containers.conf +COPY dockerfiles/podman-conf/storage.conf /etc/containers/storage.conf +RUN chmod 644 /etc/containers/containers.conf && \ + chmod 644 /etc/containers/storage.conf + +RUN mkdir -p /home/plural/.local/share/containers && \ + chown plural:plural -R /home/plural + +#RUN mkdir -p /var/lib/shared/overlay-images \ +# /var/lib/shared/overlay-layers \ +# /var/lib/shared/vfs-images \ +# /var/lib/shared/vfs-layers && \ +# touch /var/lib/shared/overlay-images/images.lock && \ +# touch /var/lib/shared/overlay-layers/layers.lock && \ +# touch /var/lib/shared/vfs-images/images.lock && \ +# touch /var/lib/shared/vfs-layers/layers.lock + +#ENV _CONTAINERS_USERNS_CONFIGURED="" + +# Alias "docker" to "podman" +RUN ln -s /usr/bin/podman /usr/bin/docker + +#RUN chsh -s /bin/bash podman + # install kind # K8s.io KinD ENV KIND_VERSION=v0.20.0 
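Review bot: The `setcap cap_setuid+ep /usr/bin/newuidmap` / `setcap cap_setgid+ep /usr/bin/newgidmap` pair followed by `chmod 0755` on both binaries replaces the setuid-root bit the `uidmap` package installs with file capabilities, which is a sensible least-privilege choice but is explained nowhere; a comment such as `# newuidmap/newgidmap: drop setuid-root in favour of file capabilities so rootless podman can map the subuid range` would stop a later cleanup from reverting it. `echo "plural:100000:65536" > /etc/subuid` (and the subgid line) overwrites the file rather than appending, which discards any entry the earlier `useradd` may have created; use `>>`, or keep `>` and say in a comment that `plural` is meant to be the only entry. The ten separate `RUN` steps could be collapsed into two or three to keep the layer count down, and `chown plural:plural -R /home/plural` must stay after every `COPY` into that directory, which this hunk does not fully show.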
@@ -158,20 +198,20 @@ RUN chmod +x /usr/local/bin/start-session.sh && \ #ENV XDG_RUNTIME_DIR=/run/user/1000 WORKDIR /home/plural -ENV XDG_RUNTIME_DIR=/home/plural/.docker -RUN mkdir -p $XDG_RUNTIME_DIR && \ - chown 1000:0 $XDG_RUNTIME_DIR && \ - echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ - sysctl --system +#ENV XDG_RUNTIME_DIR=/home/plural/.docker +#RUN mkdir -p $XDG_RUNTIME_DIR && \ +# chown 1000:0 $XDG_RUNTIME_DIR && \ +# echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ +# sysctl --system USER plural #ENV DOCKER_VERSION=24.0.0 #RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \ #RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural -ENV SKIP_IPTABLES=1 -RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh +#ENV SKIP_IPTABLES=1 +#RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh #&& usermod -a -G docker plural -ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh +#ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh # setup rootless docker #RUN dockerd-rootless-setuptool.sh install --skip-iptables diff --git a/dockerfiles/podman-conf/containers.conf b/dockerfiles/podman-conf/containers.conf new file mode 100644 index 00000000..e4aee2bd --- /dev/null +++ b/dockerfiles/podman-conf/containers.conf @@ -0,0 +1,16 @@ +[containers] +netns="host" +userns="host" +ipcns="host" +utsns="host" +cgroupns="host" +cgroups="disabled" +log_driver = "k8s-file" +volumes = [ + "/proc:/proc", +] +default_sysctls = [] +[engine] +cgroup_manager = "cgroupfs" +events_logger="file" +runtime="crun" 
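Review bot: The rootless-docker block below `WORKDIR /home/plural` (XDG_RUNTIME_DIR, the sysctl, SKIP_IPTABLES, the get.docker.com install and the completion ADD) is kept as commented-out instructions next to `USER plural` instead of being removed; git history preserves the old approach, so delete the lines and leave one comment like `# docker was replaced by podman (see the podman section above); the docker command name is a symlink to podman`. If switching back is still being evaluated, say so in that comment rather than leaving the old commands in place.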
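Review bot: `netns`, `userns`, `ipcns`, `utsns` and `cgroupns` are all set to `"host"` and `cgroups="disabled"`, so every container started by this podman shares the outer container's namespaces and gets no cgroup limits; that is a deliberate nested-podman profile, but the file says nothing about it, and the consequence (isolation between workloads launched here comes from the enclosing pod, not from podman) belongs in a header comment, e.g. `# Nested-podman profile: containers share the outer container's namespaces; isolation is provided by the enclosing pod, not by podman.` `volumes = ["/proc:/proc"]` bind-mounts the outer /proc into every container by default and deserves the same explanation (it is removed again later in this series). Key style is mixed (`netns="host"` next to `log_driver = "k8s-file"`); pick one spacing.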
diff --git a/dockerfiles/podman-conf/storage.conf b/dockerfiles/podman-conf/storage.conf new file mode 100644 index 00000000..916c3c90 --- /dev/null +++ b/dockerfiles/podman-conf/storage.conf 
@@ -0,0 +1,236 @@ +# This file is the configuration file for all tools +# that use the containers/storage library. The storage.conf file +# overrides all other storage.conf files. Container engines using the +# container/storage library do not inherit fields from other storage.conf +# files. +# +# Note: The storage.conf file overrides other storage.conf files based on this precedence: +# /usr/containers/storage.conf +# /etc/containers/storage.conf +# $HOME/.config/containers/storage.conf +# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set) +# See man 5 containers-storage.conf for more information +# The "container storage" table contains all of the server options. +[storage] + +# Default Storage Driver, Must be set for proper operation. +driver = "overlay" + +# runroot and graphroot should be ignored as per https://github.com/containers/podman/blob/53b2b0222d318c9111797a961ce995b1227d16e3/docs/tutorials/rootless_tutorial.md +# Temporary storage location +#runroot = "/run/containers/storage" +runroot = "" + +# Primary Read/Write location of container storage +# When changing the graphroot location on an SELINUX system, you must +# ensure the labeling matches the default locations labels with the +# following commands: +# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH +# restorecon -R -v /NEWSTORAGEPATH +#graphroot = "/var/lib/containers/storage" +graphroot = "" + + +# Storage path for rootless users +# +# rootless_storage_path = "$HOME/.local/share/containers/storage" + +[storage.options] +# Storage options to be passed to underlying storage drivers + +# AdditionalImageStores is used to pass paths to additional Read/Only image stores +# Must be comma separated list. +additionalimagestores = [ + "/var/lib/shared", +] + +# Allows specification of how storage is populated when pulling images. This +# option can speed the pulling process of images compressed with format +# zstd:chunked. 
Containers/storage looks for files within images that are being +# pulled from a container registry that were previously pulled to the host. It +# can copy or create a hard link to the existing file when it finds them, +# eliminating the need to pull them from the container registry. These options +# can deduplicate pulling of content, disk storage of content and can allow the +# kernel to use less memory when running containers. + +# containers/storage supports four keys +# * enable_partial_images="true" | "false" +# Tells containers/storage to look for files previously pulled in storage +# rather then always pulling them from the container registry. +# * use_hard_links = "false" | "true" +# Tells containers/storage to use hard links rather then create new files in +# the image, if an identical file already existed in storage. +# * ostree_repos = "" +# Tells containers/storage where an ostree repository exists that might have +# previously pulled content which can be used when attempting to avoid +# pulling content from the container registry +pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + +# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of +# a container, to the UIDs/GIDs as they should appear outside of the container, +# and the length of the range of UIDs/GIDs. Additional mapped sets can be +# listed and will be needed by libraries, but there are limits to the number of +# mappings which the kernel will allow when you later attempt to run a +# container. +# +# remap-uids = 0:1668442479:65536 +# remap-gids = 0:1668442479:65536 + +# Remap-User/Group is a user name which can be used to look up one or more UID/GID +# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting +# with an in-container ID of 0 and then a host-level ID taken from the lowest +# range that matches the specified name, and using the length of that range. 
+# Additional ranges are then assigned, using the ranges which specify the +# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, +# until all of the entries have been used for maps. +# +# remap-user = "containers" +# remap-group = "containers" + +# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID +# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned +# to containers configured to create automatically a user namespace. Containers +# configured to automatically create a user namespace can still overlap with containers +# having an explicit mapping set. +# This setting is ignored when running as rootless. +# root-auto-userns-user = "storage" +# +# Auto-userns-min-size is the minimum size for a user namespace created automatically. +# auto-userns-min-size=1024 +# +# Auto-userns-max-size is the minimum size for a user namespace created automatically. +# auto-userns-max-size=65536 + +[storage.options.overlay] +# ignore_chown_errors can be set to allow a non privileged user running with +# a single UID within a user namespace to run containers. The user can pull +# and use any image even those with multiple uids. Note multiple UIDs will be +# squashed down to the default uid in the container. These images will have no +# separation between the users in the container. Only supported for the overlay +# and vfs drivers. +#ignore_chown_errors = "false" + +# Inodes is used to set a maximum inodes of the container image. +# inodes = "" + +# Path to an helper program to use for mounting the file system instead of mounting it +# directly. +mount_program = "/usr/bin/fuse-overlayfs" + +# mountopt specifies comma separated list of extra mount options +mountopt = "nodev,fsync=0" + +# Set to skip a PRIVATE bind mount on the storage home directory. +# skip_mount_home = "false" + +# Size is used to set a maximum size of the container image. 
+# size = "" + +# ForceMask specifies the permissions mask that is used for new files and +# directories. +# +# The values "shared" and "private" are accepted. +# Octal permission masks are also accepted. +# +# "": No value specified. +# All files/directories, get set with the permissions identified within the +# image. +# "private": it is equivalent to 0700. +# All files/directories get set with 0700 permissions. The owner has rwx +# access to the files. No other users on the system can access the files. +# This setting could be used with networked based homedirs. +# "shared": it is equivalent to 0755. +# The owner has rwx access to the files and everyone else can read, access +# and execute them. This setting is useful for sharing containers storage +# with other users. For instance have a storage owned by root but shared +# to rootless users as an additional store. +# NOTE: All files within the image are made readable and executable by any +# user on the system. Even /etc/shadow within your image is now readable by +# any user. +# +# OCTAL: Users can experiment with other OCTAL Permissions. +# +# Note: The force_mask Flag is an experimental feature, it could change in the +# future. When "force_mask" is set the original permission mask is stored in +# the "user.containers.override_stat" xattr and the "mount_program" option must +# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the +# extended attribute permissions to processes within containers rather than the +# "force_mask" permissions. +# +# force_mask = "" + +[storage.options.thinpool] +# Storage Options for thinpool + +# autoextend_percent determines the amount by which pool needs to be +# grown. This is specified in terms of % of pool size. So a value of 20 means +# that when threshold is hit, pool will be grown by 20% of existing +# pool size. +# autoextend_percent = "20" + +# autoextend_threshold determines the pool extension threshold in terms +# of percentage of pool size. 
For example, if threshold is 60, that means when +# pool is 60% full, threshold has been hit. +# autoextend_threshold = "80" + +# basesize specifies the size to use when creating the base device, which +# limits the size of images and containers. +# basesize = "10G" + +# blocksize specifies a custom blocksize to use for the thin pool. +# blocksize="64k" + +# directlvm_device specifies a custom block storage device to use for the +# thin pool. Required if you setup devicemapper. +# directlvm_device = "" + +# directlvm_device_force wipes device even if device already has a filesystem. +# directlvm_device_force = "True" + +# fs specifies the filesystem type to use for the base device. +# fs="xfs" + +# log_level sets the log level of devicemapper. +# 0: LogLevelSuppress 0 (Default) +# 2: LogLevelFatal +# 3: LogLevelErr +# 4: LogLevelWarn +# 5: LogLevelNotice +# 6: LogLevelInfo +# 7: LogLevelDebug +# log_level = "7" + +# min_free_space specifies the min free space percent in a thin pool require for +# new device creation to succeed. Valid values are from 0% - 99%. +# Value 0% disables +# min_free_space = "10%" + +# mkfsarg specifies extra mkfs arguments to be used when creating the base +# device. +# mkfsarg = "" + +# metadata_size is used to set the `pvcreate --metadatasize` options when +# creating thin devices. Default is 128k +# metadata_size = "" + +# Size is used to set a maximum size of the container image. +# size = "" + +# use_deferred_removal marks devicemapper block device for deferred removal. +# If the thinpool is in use when the driver attempts to remove it, the driver +# tells the kernel to remove it as soon as possible. Note this does not free +# up the disk space, use deferred deletion to fully remove the thinpool. +# use_deferred_removal = "True" + +# use_deferred_deletion marks thinpool device for deferred deletion. 
+# If the device is busy when the driver attempts to delete it, the driver +# will attempt to delete device every 30 seconds until successful. +# If the program using the driver exits, the driver will continue attempting +# to cleanup the next time the driver is used. Deferred deletion permanently +# deletes the device and all data stored in device will be lost. +# use_deferred_deletion = "True" + +# xfs_nospace_max_retries specifies the maximum number of retries XFS should +# attempt to complete IO when ENOSPC (no space) error is returned by +# underlying storage device. +# xfs_nospace_max_retries = "0" \ No newline at end of file From db55c6978b50a9deaef3de8bf4a1887e1aba1d5a Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Thu, 17 Aug 2023 15:50:40 +0200 Subject: [PATCH 28/57] this at least works with --privileged --- dockerfiles/Dockerfile.cloud | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 410171b3..94306ae4 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -142,10 +142,15 @@ RUN setcap cap_setgid+ep /usr/bin/newgidmap RUN chmod 0755 /usr/bin/newuidmap RUN chmod 0755 /usr/bin/newgidmap -RUN echo "plural:100000:65536" > /etc/subuid -RUN echo "plural:100000:65536" > /etc/subgid +#RUN echo "plural:100000:65536" > /etc/subuid +#RUN echo "plural:100000:65536" > /etc/subgid +RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid +RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid #RUN echo "plural ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers +VOLUME /var/lib/containers +VOLUME /home/plural/.local/share/containers + COPY dockerfiles/podman-conf/containers.conf /etc/containers/containers.conf COPY dockerfiles/podman-conf/storage.conf /etc/containers/storage.conf RUN chmod 644 /etc/containers/containers.conf && \ 
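Review bot: `additionalimagestores = ["/var/lib/shared"]` points at a directory whose creation (`mkdir -p /var/lib/shared/overlay-images …` with the `images.lock`/`layers.lock` files) is commented out in the Dockerfile hunk of this same commit, so the store is configured but absent in the image; create it here or drop the entry until it is used. `runroot = ""` and `graphroot = ""` are justified by a comment saying they "should be ignored" for rootless use, but this file is installed as `/etc/containers/storage.conf`, which rootfull podman reads as well; confirm that empty values are acceptable there or state the rootless-only intent in the comment. Most of the 236 lines are the upstream template's commented defaults (thinpool, force_mask, …) that do not apply to the overlay driver chosen here; trimming the file to the keys actually set would make the real configuration reviewable. The file also ends without a trailing newline.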
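Review bot: `printf "plural:1:999\nplural:1001:64535"` maps subordinate uid/gid ranges that overlap the image's own system accounts (1–999) instead of the conventional high range (`100000:65536`) the hunk comments out, and the only rationale is the commit subject ("this at least works with --privileged"); the same lines are flipped back and forth again in patches 34 and 35 below, so the reason belongs in the Dockerfile, e.g. `# subuid/subgid: map 1-999 and 1001-64535 (1000 is plural itself); the default 100000:65536 range failed under --privileged because <reason>`. `printf` without a final `\n` also leaves /etc/subuid and /etc/subgid without a trailing newline; `printf "plural:1:999\nplural:1001:64535\n"` avoids any parser that ignores an unterminated last line.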
@@ -154,16 +159,17 @@ RUN chmod 644 /etc/containers/containers.conf && \ RUN mkdir -p /home/plural/.local/share/containers && \ chown plural:plural -R /home/plural -#RUN mkdir -p /var/lib/shared/overlay-images \ -# /var/lib/shared/overlay-layers \ -# /var/lib/shared/vfs-images \ -# /var/lib/shared/vfs-layers && \ -# touch /var/lib/shared/overlay-images/images.lock && \ -# touch /var/lib/shared/overlay-layers/layers.lock && \ -# touch /var/lib/shared/vfs-images/images.lock && \ -# touch /var/lib/shared/vfs-layers/layers.lock +ENV _CONTAINERS_USERNS_CONFIGURED="" + +RUN mkdir -p /var/lib/shared/overlay-images \ + /var/lib/shared/overlay-layers \ + /var/lib/shared/vfs-images \ + /var/lib/shared/vfs-layers && \ + touch /var/lib/shared/overlay-images/images.lock && \ + touch /var/lib/shared/overlay-layers/layers.lock && \ + touch /var/lib/shared/vfs-images/images.lock && \ + touch /var/lib/shared/vfs-layers/layers.lock -#ENV _CONTAINERS_USERNS_CONFIGURED="" # Alias "docker" to "podman" RUN ln -s /usr/bin/podman /usr/bin/docker @@ -201,8 +207,8 @@ WORKDIR /home/plural #ENV XDG_RUNTIME_DIR=/home/plural/.docker #RUN mkdir -p $XDG_RUNTIME_DIR && \ # chown 1000:0 $XDG_RUNTIME_DIR && \ -# echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ -# sysctl --system +RUN echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ + sysctl --system USER plural #ENV DOCKER_VERSION=24.0.0 From 028913c33bd4a19349c8d42e9a5195fe510db027 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Thu, 17 Aug 2023 17:39:43 +0200 Subject: [PATCH 29/57] rm dockerd s6 service, clogs logs --- dockerfiles/s6-rc.d/dockerd/run | 4 ---- dockerfiles/s6-rc.d/dockerd/type | 1 - dockerfiles/s6-rc.d/user/contents.d/dockerd | 0 3 files changed, 5 deletions(-) delete mode 100644 dockerfiles/s6-rc.d/dockerd/run delete mode 100644 dockerfiles/s6-rc.d/dockerd/type delete mode 100644 dockerfiles/s6-rc.d/user/contents.d/dockerd 
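Review bot: `ENV _CONTAINERS_USERNS_CONFIGURED=""` is an undocumented, underscore-prefixed variable that podman treats as an internal signal (presumably that a user namespace is already set up and it must not re-exec into one); setting it image-wide affects every podman invocation, so add a comment naming the effect and the podman version it was checked against, e.g. `# tells podman not to create/re-exec into its own user namespace (internal podman variable, verified with podman <version>)`. The `/var/lib/shared/*` directories and `.lock` files are now created, which makes the `additionalimagestores` entry in storage.conf usable; a comment linking the two (`# backing store for additionalimagestores in storage.conf`) would keep them from drifting apart.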
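Review bot: `RUN echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && sysctl --system` runs at build time, and a kernel parameter cannot be baked into an image: `sysctl --system` either fails on the builder's read-only `/proc/sys` (breaking the build) or changes the build host's kernel, and in neither case does a container later started from this image see it. The parameter is a Debian/Ubuntu kernel sysctl that has to be set on the node, so replace the line with `# rootless podman needs kernel.unprivileged_userns_clone=1 on the node; set it there, not at build time`. Patch 36's hunk around `ENV XDG_RUNTIME_DIR=/run/user/1000` re-applies the same line joined onto one line and has the same problem.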
diff --git a/dockerfiles/s6-rc.d/dockerd/run b/dockerfiles/s6-rc.d/dockerd/run deleted file mode 100644 index adbe85ff..00000000 --- a/dockerfiles/s6-rc.d/dockerd/run +++ /dev/null @@ -1,4 +0,0 @@ -#!/command/execlineb -P -with-contenv -s6-setuidgid plural -dockerd-rootless.sh --experimental diff --git a/dockerfiles/s6-rc.d/dockerd/type b/dockerfiles/s6-rc.d/dockerd/type deleted file mode 100644 index 1780f9f4..00000000 --- a/dockerfiles/s6-rc.d/dockerd/type +++ /dev/null @@ -1 +0,0 @@ -longrun \ No newline at end of file diff --git a/dockerfiles/s6-rc.d/user/contents.d/dockerd b/dockerfiles/s6-rc.d/user/contents.d/dockerd deleted file mode 100644 index e69de29b..00000000 From eb27230e822f7e50a324a05ead23cf00f0ca23bd Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Thu, 17 Aug 2023 17:40:07 +0200 Subject: [PATCH 30/57] try on sysbox runc --- dockerfiles/pod_priv2.yaml | 38 +++++++++++++++++++ .../{pod_priv_sysbox.yaml => pod_sysbox.yaml} | 17 ++++++--- 2 files changed, 49 insertions(+), 6 deletions(-) create mode 100644 dockerfiles/pod_priv2.yaml rename dockerfiles/{pod_priv_sysbox.yaml => pod_sysbox.yaml} (57%) diff --git a/dockerfiles/pod_priv2.yaml b/dockerfiles/pod_priv2.yaml new file mode 100644 index 00000000..048de695 --- /dev/null +++ b/dockerfiles/pod_priv2.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: plural-cloud-priv2 + namespace: sysbox + #annotations: + # io.kubernetes.cri-o.userns-mode: "auto:size=65536" +spec: + #runtimeClassName: sysbox-runc + containers: + - name: plural-cloud-priv2 + image: ghcr.io/pluralsh/plural-cli-cloud:sha-0ea2f1a + resources: + requests: + memory: "256Mi" + cpu: "1m" + securityContext: + runAsUser: 1000 + capabilities: + add: + - "SYS_ADMIN" + - "MKNOD" + - "SYS_CHROOT" + - "SETFCAP" + #allowPrivilegeEscalation: false + volumeMounts: + - name: containers-volume + mountPath: /var/lib/containers + volumes: + - name: containers-volume + hostPath: + path: /var/lib/containers + tolerations: + - key: plural.sh/sysbox + operator: Exists + - key: plural.sh/capacityType + operator: Exists + restartPolicy: Never \ No newline at end of file diff --git a/dockerfiles/pod_priv_sysbox.yaml b/dockerfiles/pod_sysbox.yaml similarity index 57% rename from dockerfiles/pod_priv_sysbox.yaml rename to dockerfiles/pod_sysbox.yaml index f0d45f81..fbc188ab 100644 --- a/dockerfiles/pod_priv_sysbox.yaml +++ b/dockerfiles/pod_sysbox.yaml @@ -1,23 +1,28 @@ apiVersion: v1 kind: Pod metadata: - name: plural-cloud-unpriv + name: plural-cloud-sysbox namespace: sysbox #annotations: # io.kubernetes.cri-o.userns-mode: "auto:size=65536" spec: runtimeClassName: sysbox-runc containers: - - name: plural-cloud-unpriv - #image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725 - image: ghcr.io/pluralsh/plural-cli-cloud:sha-791720e - #command: ["/sbin/init", "--log-level=err"] + - name: plural-cloud-sysbox + image: ghcr.io/pluralsh/plural-cli-cloud:sha-0ea2f1a resources: requests: memory: "256Mi" cpu: "1m" securityContext: - privileged: false + #runAsUser: 1000 + capabilities: + add: + - "SYS_ADMIN" + #- "MKNOD" + - "SYS_CHROOT" + - "SETFCAP" + #allowPrivilegeEscalation: false tolerations: - key: plural.sh/sysbox operator: Exists From 14a057716d96d2afc9f1bf67481ac9e35b63a17b Mon Sep 17 00:00:00 2001 
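Review bot: The pod grants `SYS_ADMIN`, `MKNOD`, `SYS_CHROOT` and `SETFCAP` under the default runtime (`runtimeClassName` is commented out) and mounts the node's `/var/lib/containers` read-write via `hostPath`, which on a CRI-O or podman node is presumably the node's own image and container store; `runAsUser: 1000` does little against that, and `allowPrivilegeEscalation: false` is left commented out. If this is an experiment, say so in a comment at the top of the file and keep it out of anything applied by default; otherwise point the mount at a dedicated directory, enable `allowPrivilegeEscalation: false`, and document which seccomp/AppArmor profile nested podman is expected to run under. The image is pinned by tag (`sha-0ea2f1a`) rather than digest (`image: ghcr.io/pluralsh/plural-cli-cloud@sha256:<digest>`), so the manifest is not reproducible; the same applies to the renamed `pod_sysbox.yaml` in this commit.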
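Review bot: With `#runAsUser: 1000` commented out the sysbox pod now runs the image's default user, and the Dockerfile context in later hunks of this series shows `USER root` immediately before `ENTRYPOINT`, so the main process presumably runs as root inside the sysbox user namespace; if that is intended for the sysbox variant only (sysbox runs the container in its own user namespace), a comment on that line saying so would stop a reader from treating it as an oversight. Dropping the explicit `privileged: false` is fine, but the capability list now differs from `pod_priv2.yaml` only by `MKNOD` being commented out; a one-line comment on why sysbox does not need it would document the difference.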
From: Hans Rauer Date: Thu, 17 Aug 2023 18:50:47 +0200 Subject: [PATCH 31/57] shouldn't matter, but let's see --- dockerfiles/Dockerfile.cloud | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 94306ae4..28e49e26 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -148,8 +148,6 @@ RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid #RUN echo "plural ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers -VOLUME /var/lib/containers -VOLUME /home/plural/.local/share/containers COPY dockerfiles/podman-conf/containers.conf /etc/containers/containers.conf COPY dockerfiles/podman-conf/storage.conf /etc/containers/storage.conf @@ -159,6 +157,9 @@ RUN chmod 644 /etc/containers/containers.conf && \ RUN mkdir -p /home/plural/.local/share/containers && \ chown plural:plural -R /home/plural +VOLUME /var/lib/containers +VOLUME /home/plural/.local/share/containers + ENV _CONTAINERS_USERNS_CONFIGURED="" RUN mkdir -p /var/lib/shared/overlay-images \ From 7accdf44649688a5ce55ff9ef96f7ff786b45dd5 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 00:28:23 +0200 Subject: [PATCH 32/57] unset mount program, be specific about defaults --- dockerfiles/podman-conf/storage.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dockerfiles/podman-conf/storage.conf b/dockerfiles/podman-conf/storage.conf index 916c3c90..42fe0740 100644 --- a/dockerfiles/podman-conf/storage.conf +++ b/dockerfiles/podman-conf/storage.conf @@ -33,7 +33,7 @@ graphroot = "" # Storage path for rootless users # -# rootless_storage_path = "$HOME/.local/share/containers/storage" +rootless_storage_path = "/home/plural/.local/share/containers/storage" [storage.options] # Storage options to be passed to underlying storage drivers 
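Review bot: Moving `VOLUME /var/lib/containers` and `VOLUME /home/plural/.local/share/containers` after the `mkdir`/`chown` is the right fix, and the reason should be recorded because the commit subject ("shouldn't matter, but let's see") suggests it was found by trial: changes made to a volume path in build steps after the `VOLUME` instruction are discarded, so the directories must be created and owned before it. Add above the two lines `# VOLUME must come after the directories are created and chowned: later build steps cannot modify a declared volume path`.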
@@ -115,7 +115,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre # Path to an helper program to use for mounting the file system instead of mounting it # directly. -mount_program = "/usr/bin/fuse-overlayfs" +#mount_program = "/usr/bin/fuse-overlayfs" # mountopt specifies comma separated list of extra mount options mountopt = "nodev,fsync=0" From 3020aba173329c83ec969724b6787699598a08ea Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 00:29:11 +0200 Subject: [PATCH 33/57] test with new storage.conf --- dockerfiles/Dockerfile.cloud | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 28e49e26..a0a2dc32 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -118,7 +118,8 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages. google-cloud-sdk-gke-gcloud-auth-plugin && \ gcloud --help -RUN useradd -ms /bin/bash plural +# create plural user +RUN useradd -u 1000 -ms /bin/bash plural # install s6 # notes: https://github.com/just-containers/s6-overlay/blob/master/MOVING-TO-V3.md @@ -137,6 +138,7 @@ RUN apt-get -yq update \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* + RUN setcap cap_setuid+ep /usr/bin/newuidmap RUN setcap cap_setgid+ep /usr/bin/newgidmap RUN chmod 0755 /usr/bin/newuidmap 
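Review bot: Commenting out `mount_program = "/usr/bin/fuse-overlayfs"` switches the overlay driver to a native kernel overlay mount, but `mountopt = "nodev,fsync=0"` two lines below is left in place, and `fsync=0` is a fuse-overlayfs option rather than a kernel overlayfs one; confirm that containers/storage drops it for native mounts, otherwise change the line to `mountopt = "nodev"`. Native rootless overlay also needs a kernel that allows unprivileged overlay mounts (roughly 5.11+ or a distribution backport), which is a node requirement worth a comment next to `driver = "overlay"`.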
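Review bot: `useradd -u 1000 -ms /bin/bash plural` pins the uid, and later patches in this series depend on that exact number (`COPY --chown=1000:1000 …` and `ENV XDG_RUNTIME_DIR=/run/user/1000`), but the comment `# create plural user` does not say so; extend it to `# create plural user with fixed uid/gid 1000 — the --chown flags and XDG_RUNTIME_DIR below depend on it`. The group id is not pinned at all, so `1000:1000` in those `--chown` flags is only right if the next free gid happens to be 1000; `groupadd -g 1000 plural && useradd -u 1000 -g 1000 -ms /bin/bash plural` makes it certain (and `useradd -u` fails outright if the base image already has a uid 1000 account, which is worth checking once rather than discovering at build time).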
@@ -148,14 +150,22 @@ RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid #RUN echo "plural ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers +# setup dirs +RUN mkdir -p /home/plural/.local/share/containers && \ + mkdir -p /home/plural/.config/containers +# for rootfull podman COPY dockerfiles/podman-conf/containers.conf /etc/containers/containers.conf COPY dockerfiles/podman-conf/storage.conf /etc/containers/storage.conf +# for rootless podman +COPY dockerfiles/podman-conf/containers.conf /home/plural/.config/containers/containers.conf +COPY dockerfiles/podman-conf/storage.conf /home/plural/.config/containers/storage.conf +# rootless podman still needs to read these RUN chmod 644 /etc/containers/containers.conf && \ chmod 644 /etc/containers/storage.conf -RUN mkdir -p /home/plural/.local/share/containers && \ - chown plural:plural -R /home/plural +# own it +RUN chown plural:plural -R /home/plural VOLUME /var/lib/containers VOLUME /home/plural/.local/share/containers From 5bb8d732d122ed3e7ed7ce59536b36fd29fe2d3a Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 00:31:37 +0200 Subject: [PATCH 34/57] simplify --- dockerfiles/Dockerfile.cloud | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index a0a2dc32..5fe1fa23 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -144,10 +144,8 @@ RUN setcap cap_setgid+ep /usr/bin/newgidmap RUN chmod 0755 /usr/bin/newuidmap RUN chmod 0755 /usr/bin/newgidmap -#RUN echo "plural:100000:65536" > /etc/subuid -#RUN echo "plural:100000:65536" > /etc/subgid -RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid -RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid +RUN echo "plural:100000:65536" > /etc/subuid +RUN echo "plural:100000:65536" > /etc/subgid #RUN echo "plural ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers # setup dirs 
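Review bot: The comment `# rootless podman still needs to read these` above the `chmod 644` is misleading for storage.conf: that file's own header (earlier in this series) says a more specific storage.conf replaces the system one entirely, so once `/home/plural/.config/containers/storage.conf` exists the `/etc` copy is not read by the rootless user at all, while containers.conf is layered. Reword it to say which copy applies to which mode, e.g. `# /etc copies serve rootfull podman; rootless reads ~/.config/containers (storage.conf there replaces the /etc one, containers.conf is merged on top of it)`. The identical storage.conf with `runroot = ""` and `graphroot = ""` is also installed for rootfull podman here; confirm that empty roots are acceptable in that mode or keep separate files for the two locations.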
From 383e8a256a0876a61448dba8fe7cabed8628cbfb Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 12:37:50 +0200 Subject: [PATCH 35/57] for some reason this does make a difference --- dockerfiles/Dockerfile.cloud | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 5fe1fa23..a0a2dc32 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -144,8 +144,10 @@ RUN setcap cap_setgid+ep /usr/bin/newgidmap RUN chmod 0755 /usr/bin/newuidmap RUN chmod 0755 /usr/bin/newgidmap -RUN echo "plural:100000:65536" > /etc/subuid -RUN echo "plural:100000:65536" > /etc/subgid +#RUN echo "plural:100000:65536" > /etc/subuid +#RUN echo "plural:100000:65536" > /etc/subgid +RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid +RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid #RUN echo "plural ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers # setup dirs From 475da92cd333f9500b8e8bfd17528bf086e69fdd Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 16:02:28 +0200 Subject: [PATCH 36/57] try with vfs --- dockerfiles/Dockerfile.cloud | 28 +-- .../{ => rootfull}/containers.conf | 4 - dockerfiles/podman-conf/rootfull/storage.conf | 234 ++++++++++++++++++ .../podman-conf/rootless/containers.conf | 5 + .../podman-conf/{ => rootless}/storage.conf | 14 +- 5 files changed, 259 insertions(+), 26 deletions(-) rename dockerfiles/podman-conf/{ => rootfull}/containers.conf (79%) create mode 100644 dockerfiles/podman-conf/rootfull/storage.conf create mode 100644 dockerfiles/podman-conf/rootless/containers.conf rename dockerfiles/podman-conf/{ => rootless}/storage.conf (97%) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index a0a2dc32..0eed0042 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
@@ -141,8 +141,8 @@ RUN apt-get -yq update \ RUN setcap cap_setuid+ep /usr/bin/newuidmap RUN setcap cap_setgid+ep /usr/bin/newgidmap -RUN chmod 0755 /usr/bin/newuidmap -RUN chmod 0755 /usr/bin/newgidmap +RUN chmod 0777 /usr/bin/newuidmap +RUN chmod 0777 /usr/bin/newgidmap #RUN echo "plural:100000:65536" > /etc/subuid #RUN echo "plural:100000:65536" > /etc/subgid @@ -155,11 +155,11 @@ RUN mkdir -p /home/plural/.local/share/containers && \ mkdir -p /home/plural/.config/containers # for rootfull podman -COPY dockerfiles/podman-conf/containers.conf /etc/containers/containers.conf -COPY dockerfiles/podman-conf/storage.conf /etc/containers/storage.conf +COPY dockerfiles/podman-conf/rootfull/containers.conf /etc/containers/containers.conf +COPY dockerfiles/podman-conf/rootfull/storage.conf /etc/containers/storage.conf # for rootless podman -COPY dockerfiles/podman-conf/containers.conf /home/plural/.config/containers/containers.conf -COPY dockerfiles/podman-conf/storage.conf /home/plural/.config/containers/storage.conf +COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/containers.conf /home/plural/.config/containers/containers.conf +COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/storage.conf /home/plural/.config/containers/storage.conf # rootless podman still needs to read these RUN chmod 644 /etc/containers/containers.conf && \ chmod 644 /etc/containers/storage.conf @@ -167,6 +167,7 @@ RUN chmod 644 /etc/containers/containers.conf && \ # own it RUN chown plural:plural -R /home/plural +# circumvent overlayfs req? VOLUME /var/lib/containers VOLUME /home/plural/.local/share/containers 
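Review bot: `chmod 0777 /usr/bin/newuidmap` and `chmod 0777 /usr/bin/newgidmap` make two capability-bearing binaries world-writable; 0755 already gives every user execute permission, so the extra write bits solve nothing the earlier `setcap` did not, and a writable file carrying `cap_setuid`/`cap_setgid` is exactly what a hardening scan flags (the kernel clears the capability xattr on write, which only means the next rootless podman call breaks instead). Keep `chmod 0755 /usr/bin/newuidmap` and `chmod 0755 /usr/bin/newgidmap`, and if the problem being chased was the capability or setuid bit going missing, verify `getcap /usr/bin/newuidmap` in the built image rather than widening the mode.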
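Review bot: `# circumvent overlayfs req?` is a question left in the Dockerfile above the two `VOLUME` lines; a comment should state what is known and what is still to be checked, e.g. `# declared as volumes so podman's store does not live on the image's overlay filesystem — <confirm whether still required with driver = "vfs">`.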
@@ -205,21 +206,18 @@ RUN git clone https://github.com/powerline/fonts.git --depth=1 && \ WORKDIR $GOPATH/src/plural/ - COPY start-session.sh /usr/local/bin/start-session.sh COPY boot.sh /home/plural/boot.sh RUN chmod +x /usr/local/bin/start-session.sh && \ chmod +x /home/plural/boot.sh -# prepare rootless docker -#ENV XDG_RUNTIME_DIR=/run/user/1000 +ENV XDG_RUNTIME_DIR=/run/user/1000 WORKDIR /home/plural #ENV XDG_RUNTIME_DIR=/home/plural/.docker #RUN mkdir -p $XDG_RUNTIME_DIR && \ # chown 1000:0 $XDG_RUNTIME_DIR && \ -RUN echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ - sysctl --system +RUN echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && sysctl --system USER plural #ENV DOCKER_VERSION=24.0.0 @@ -242,11 +240,13 @@ RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/inst helm plugin install https://github.com/databus23/helm-diff RUN printf "\nexport PATH=$PATH:/sbin" >> /home/plural/.zshrc && \ - printf "\nexport PATH=$PATH:/home/plural/bin" >> /home/plural/.zshrc && \ - printf "\nexport DOCKER_HOST=unix:///${XDG_RUNTIME_DIR}/docker.sock" >> /home/plural/.zshrc + printf "\nexport PATH=$PATH:/home/plural/bin" >> /home/plural/.zshrc + #&& \ +# printf "\nexport DOCKER_HOST=unix:///${XDG_RUNTIME_DIR}/docker.sock" >> /home/plural/.zshrc ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json USER root -ENTRYPOINT [ "/init" ] +#ENTRYPOINT [ "/init" ] +ENTRYPOINT [ "/bin/bash" ] diff --git a/dockerfiles/podman-conf/containers.conf b/dockerfiles/podman-conf/rootfull/containers.conf similarity index 79% rename from dockerfiles/podman-conf/containers.conf rename to dockerfiles/podman-conf/rootfull/containers.conf index e4aee2bd..220c1f85 100644 --- a/dockerfiles/podman-conf/containers.conf +++ b/dockerfiles/podman-conf/rootfull/containers.conf 
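Review bot: `ENV XDG_RUNTIME_DIR=/run/user/1000` points rootless podman at a directory the Dockerfile never creates (the `mkdir -p $XDG_RUNTIME_DIR` and `chown` lines directly below stay commented out), and `/run` is typically a fresh tmpfs at container start anyway; podman presumably refuses a missing or foreign-owned runtime directory, so create it at startup (an s6 oneshot or `boot.sh`) and note it next to the ENV: `# /run/user/1000 must be created and owned by uid 1000 at container start — see <startup script>`. The build-time `sysctl --system` on the line below has the problem already noted on patch 28's hunk: it cannot take effect in the image.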
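Review bot: `ENTRYPOINT [ "/bin/bash" ]` replaces `/init`, so the s6-overlay supervisor and the services registered under `/etc/s6-overlay/s6-rc.d` are no longer started, and because `USER root` precedes it the container's main process is now a root shell; if this is only for the vfs experiment, keep `ENTRYPOINT [ "/init" ]` and override the command at run time (`docker run --entrypoint` or the pod's `command:`) instead of changing the image default. The `#&& \` and `# printf "\nexport DOCKER_HOST=…"` lines after the `.zshrc` RUN are dead continuation fragments; drop them rather than leave comments that look like part of the command. Not changed here, but the context line `ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"` disables host-key verification for every git-over-ssh operation in the image and deserves a follow-up (pin known_hosts for the forges used).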
@@ -6,10 +6,6 @@ utsns="host" cgroupns="host" cgroups="disabled" log_driver = "k8s-file" -volumes = [ - "/proc:/proc", -] -default_sysctls = [] [engine] cgroup_manager = "cgroupfs" events_logger="file" diff --git a/dockerfiles/podman-conf/rootfull/storage.conf b/dockerfiles/podman-conf/rootfull/storage.conf new file mode 100644 index 00000000..5a9530b8 --- /dev/null +++ b/dockerfiles/podman-conf/rootfull/storage.conf 
@@ -0,0 +1,234 @@ +# This file is the configuration file for all tools +# that use the containers/storage library. The storage.conf file +# overrides all other storage.conf files. Container engines using the +# container/storage library do not inherit fields from other storage.conf +# files. +# +# Note: The storage.conf file overrides other storage.conf files based on this precedence: +# /usr/containers/storage.conf +# /etc/containers/storage.conf +# $HOME/.config/containers/storage.conf +# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set) +# See man 5 containers-storage.conf for more information +# The "container storage" table contains all of the server options. +[storage] + +# Default Storage Driver, Must be set for proper operation. +driver = "vfs" + +# for rootless runroot and graphroot should be ignored as per https://github.com/containers/podman/blob/53b2b0222d318c9111797a961ce995b1227d16e3/docs/tutorials/rootless_tutorial.md +# Temporary storage location +runroot = "/run/containers/storage" + +# Primary Read/Write location of container storage +# When changing the graphroot location on an SELINUX system, you must +# ensure the labeling matches the default locations labels with the +# following commands: +# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH +# restorecon -R -v /NEWSTORAGEPATH +graphroot = "/var/lib/containers/storage" + + +# Storage path for rootless users +# +#rootless_storage_path = "/home/plural/.local/share/containers/storage" + +[storage.options] +# Storage options to be passed to underlying storage drivers + +# AdditionalImageStores is used to pass paths to additional Read/Only image stores +# Must be comma separated list. +additionalimagestores = [ + "/var/lib/shared", +] + +# Allows specification of how storage is populated when pulling images. This +# option can speed the pulling process of images compressed with format +# zstd:chunked. 
Containers/storage looks for files within images that are being +# pulled from a container registry that were previously pulled to the host. It +# can copy or create a hard link to the existing file when it finds them, +# eliminating the need to pull them from the container registry. These options +# can deduplicate pulling of content, disk storage of content and can allow the +# kernel to use less memory when running containers. + +# containers/storage supports four keys +# * enable_partial_images="true" | "false" +# Tells containers/storage to look for files previously pulled in storage +# rather then always pulling them from the container registry. +# * use_hard_links = "false" | "true" +# Tells containers/storage to use hard links rather then create new files in +# the image, if an identical file already existed in storage. +# * ostree_repos = "" +# Tells containers/storage where an ostree repository exists that might have +# previously pulled content which can be used when attempting to avoid +# pulling content from the container registry +pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + +# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of +# a container, to the UIDs/GIDs as they should appear outside of the container, +# and the length of the range of UIDs/GIDs. Additional mapped sets can be +# listed and will be needed by libraries, but there are limits to the number of +# mappings which the kernel will allow when you later attempt to run a +# container. +# +# remap-uids = 0:1668442479:65536 +# remap-gids = 0:1668442479:65536 + +# Remap-User/Group is a user name which can be used to look up one or more UID/GID +# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting +# with an in-container ID of 0 and then a host-level ID taken from the lowest +# range that matches the specified name, and using the length of that range. 
+# Additional ranges are then assigned, using the ranges which specify the +# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, +# until all of the entries have been used for maps. +# +# remap-user = "containers" +# remap-group = "containers" + +# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID +# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned +# to containers configured to create automatically a user namespace. Containers +# configured to automatically create a user namespace can still overlap with containers +# having an explicit mapping set. +# This setting is ignored when running as rootless. +# root-auto-userns-user = "storage" +# +# Auto-userns-min-size is the minimum size for a user namespace created automatically. +# auto-userns-min-size=1024 +# +# Auto-userns-max-size is the minimum size for a user namespace created automatically. +# auto-userns-max-size=65536 + +[storage.options.overlay] +# ignore_chown_errors can be set to allow a non privileged user running with +# a single UID within a user namespace to run containers. The user can pull +# and use any image even those with multiple uids. Note multiple UIDs will be +# squashed down to the default uid in the container. These images will have no +# separation between the users in the container. Only supported for the overlay +# and vfs drivers. +#ignore_chown_errors = "false" + +# Inodes is used to set a maximum inodes of the container image. +# inodes = "" + +# Path to an helper program to use for mounting the file system instead of mounting it +# directly. +#mount_program = "/usr/bin/fuse-overlayfs" + +# mountopt specifies comma separated list of extra mount options +mountopt = "nodev" + +# Set to skip a PRIVATE bind mount on the storage home directory. +# skip_mount_home = "false" + +# Size is used to set a maximum size of the container image. 
+# size = "" + +# ForceMask specifies the permissions mask that is used for new files and +# directories. +# +# The values "shared" and "private" are accepted. +# Octal permission masks are also accepted. +# +# "": No value specified. +# All files/directories, get set with the permissions identified within the +# image. +# "private": it is equivalent to 0700. +# All files/directories get set with 0700 permissions. The owner has rwx +# access to the files. No other users on the system can access the files. +# This setting could be used with networked based homedirs. +# "shared": it is equivalent to 0755. +# The owner has rwx access to the files and everyone else can read, access +# and execute them. This setting is useful for sharing containers storage +# with other users. For instance have a storage owned by root but shared +# to rootless users as an additional store. +# NOTE: All files within the image are made readable and executable by any +# user on the system. Even /etc/shadow within your image is now readable by +# any user. +# +# OCTAL: Users can experiment with other OCTAL Permissions. +# +# Note: The force_mask Flag is an experimental feature, it could change in the +# future. When "force_mask" is set the original permission mask is stored in +# the "user.containers.override_stat" xattr and the "mount_program" option must +# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the +# extended attribute permissions to processes within containers rather than the +# "force_mask" permissions. +# +# force_mask = "" + +[storage.options.thinpool] +# Storage Options for thinpool + +# autoextend_percent determines the amount by which pool needs to be +# grown. This is specified in terms of % of pool size. So a value of 20 means +# that when threshold is hit, pool will be grown by 20% of existing +# pool size. +# autoextend_percent = "20" + +# autoextend_threshold determines the pool extension threshold in terms +# of percentage of pool size. 
For example, if threshold is 60, that means when +# pool is 60% full, threshold has been hit. +# autoextend_threshold = "80" + +# basesize specifies the size to use when creating the base device, which +# limits the size of images and containers. +# basesize = "10G" + +# blocksize specifies a custom blocksize to use for the thin pool. +# blocksize="64k" + +# directlvm_device specifies a custom block storage device to use for the +# thin pool. Required if you setup devicemapper. +# directlvm_device = "" + +# directlvm_device_force wipes device even if device already has a filesystem. +# directlvm_device_force = "True" + +# fs specifies the filesystem type to use for the base device. +# fs="xfs" + +# log_level sets the log level of devicemapper. +# 0: LogLevelSuppress 0 (Default) +# 2: LogLevelFatal +# 3: LogLevelErr +# 4: LogLevelWarn +# 5: LogLevelNotice +# 6: LogLevelInfo +# 7: LogLevelDebug +# log_level = "7" + +# min_free_space specifies the min free space percent in a thin pool require for +# new device creation to succeed. Valid values are from 0% - 99%. +# Value 0% disables +# min_free_space = "10%" + +# mkfsarg specifies extra mkfs arguments to be used when creating the base +# device. +# mkfsarg = "" + +# metadata_size is used to set the `pvcreate --metadatasize` options when +# creating thin devices. Default is 128k +# metadata_size = "" + +# Size is used to set a maximum size of the container image. +# size = "" + +# use_deferred_removal marks devicemapper block device for deferred removal. +# If the thinpool is in use when the driver attempts to remove it, the driver +# tells the kernel to remove it as soon as possible. Note this does not free +# up the disk space, use deferred deletion to fully remove the thinpool. +# use_deferred_removal = "True" + +# use_deferred_deletion marks thinpool device for deferred deletion. 
+# If the device is busy when the driver attempts to delete it, the driver +# will attempt to delete device every 30 seconds until successful. +# If the program using the driver exits, the driver will continue attempting +# to cleanup the next time the driver is used. Deferred deletion permanently +# deletes the device and all data stored in device will be lost. +# use_deferred_deletion = "True" + +# xfs_nospace_max_retries specifies the maximum number of retries XFS should +# attempt to complete IO when ENOSPC (no space) error is returned by +# underlying storage device. +# xfs_nospace_max_retries = "0" \ No newline at end of file diff --git a/dockerfiles/podman-conf/rootless/containers.conf b/dockerfiles/podman-conf/rootless/containers.conf new file mode 100644 index 00000000..46349640 --- /dev/null +++ b/dockerfiles/podman-conf/rootless/containers.conf @@ -0,0 +1,5 @@ +[containers] +volumes = [ + "/proc:/proc", +] +default_sysctls = [] \ No newline at end of file diff --git a/dockerfiles/podman-conf/storage.conf b/dockerfiles/podman-conf/rootless/storage.conf similarity index 97% rename from dockerfiles/podman-conf/storage.conf rename to dockerfiles/podman-conf/rootless/storage.conf index 42fe0740..94b87a13 100644 --- a/dockerfiles/podman-conf/storage.conf +++ b/dockerfiles/podman-conf/rootless/storage.conf @@ -14,12 +14,12 @@ [storage] # Default Storage Driver, Must be set for proper operation. -driver = "overlay" +driver = "vfs" # runroot and graphroot should be ignored as per https://github.com/containers/podman/blob/53b2b0222d318c9111797a961ce995b1227d16e3/docs/tutorials/rootless_tutorial.md # Temporary storage location #runroot = "/run/containers/storage" -runroot = "" +runroot = "/run/user/1000/containers/storage" # Primary Read/Write location of container storage # When changing the graphroot location on an SELINUX system, you must 
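Review bot: The comment `# for rootless runroot and graphroot should be ignored as per ...` was carried into this rootfull config, where `runroot` and `graphroot` are precisely the values that apply, so it misleads the next reader; replace it with `# rootfull: runroot/graphroot below are authoritative`. With `driver = "vfs"`, the whole `[storage.options.overlay]` block, including `mountopt = "nodev"`, is inert; remove it or annotate it as `# only takes effect if driver is switched back to overlay`. The file also ends without a trailing newline.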
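Review bot: `volumes = ["/proc:/proc"]` makes the outer /proc a default bind mount in every container the plural user creates, replacing the per-container procfs view that pid-namespace isolation normally gives, and nothing in the file says why. Record the reason, which presumably is that procfs cannot be mounted inside the nested user namespace here (confirm), e.g. `# workaround: procfs mount is refused in the nested userns; bind the outer /proc instead (weakens pid isolation between containers)`. `default_sysctls = []` likewise deserves a one-line note on why the defaults are cleared, and the file lacks a trailing newline.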
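Review bot: The context comment `# runroot and graphroot should be ignored as per ... rootless_tutorial.md` now sits directly above `runroot = "/run/user/1000/containers/storage"` and, in the next hunk, `graphroot = "/home/plural/.local/share/containers/storage"`, so the file contradicts itself; either update the comment to say the values are set deliberately for the plural user, or keep `rootless_storage_path` instead of commenting it out. Both paths hard-code uid 1000 and the plural home directory, which couples this file to the Dockerfile's `useradd` and runtime-dir setup; a comment naming that dependency would help the next maintainer. In the third hunk `mountopt = ""` is left under `[storage.options.overlay]`, which no longer applies once `driver = "vfs"`.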
@@ -28,21 +28,19 @@ runroot = "" # semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH # restorecon -R -v /NEWSTORAGEPATH #graphroot = "/var/lib/containers/storage" -graphroot = "" +graphroot = "/home/plural/.local/share/containers/storage" # Storage path for rootless users # -rootless_storage_path = "/home/plural/.local/share/containers/storage" +#rootless_storage_path = "/home/plural/.local/share/containers/storage" [storage.options] # Storage options to be passed to underlying storage drivers # AdditionalImageStores is used to pass paths to additional Read/Only image stores # Must be comma separated list. -additionalimagestores = [ - "/var/lib/shared", -] +#additionalimagestores = ["/var/lib/shared"] # Allows specification of how storage is populated when pulling images. This # option can speed the pulling process of images compressed with format @@ -118,7 +116,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre #mount_program = "/usr/bin/fuse-overlayfs" # mountopt specifies comma separated list of extra mount options -mountopt = "nodev,fsync=0" +mountopt = "" # Set to skip a PRIVATE bind mount on the storage home directory. # skip_mount_home = "false" From 69f07ba6b4af6d2153e396052ad509affa35abb2 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 16:28:38 +0200 Subject: [PATCH 37/57] makes it worse --- dockerfiles/Dockerfile.cloud | 2 -- 1 file changed, 2 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 0eed0042..050f5e73 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -211,8 +211,6 @@ COPY boot.sh /home/plural/boot.sh RUN chmod +x /usr/local/bin/start-session.sh && \ chmod +x /home/plural/boot.sh -ENV XDG_RUNTIME_DIR=/run/user/1000 - WORKDIR /home/plural #ENV XDG_RUNTIME_DIR=/home/plural/.docker #RUN mkdir -p $XDG_RUNTIME_DIR && \ From 92dbc94d852a1948493086d28c81e3a34cb2e184 Mon Sep 17 00:00:00 2001 
From: Hans Rauer Date: Fri, 18 Aug 2023 17:59:54 +0200 Subject: [PATCH 38/57] fix perm on volume --- dockerfiles/Dockerfile.cloud | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 050f5e73..1f02f1cb 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -152,7 +152,8 @@ RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid # setup dirs RUN mkdir -p /home/plural/.local/share/containers && \ - mkdir -p /home/plural/.config/containers + mkdir -p /home/plural/.config/containers && \ + mkdir -p /var/lib/containers # for rootfull podman COPY dockerfiles/podman-conf/rootfull/containers.conf /etc/containers/containers.conf @@ -164,10 +165,9 @@ COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/storage.conf /home/plura RUN chmod 644 /etc/containers/containers.conf && \ chmod 644 /etc/containers/storage.conf -# own it -RUN chown plural:plural -R /home/plural - # circumvent overlayfs req? +RUN chown plural:plural -R /home/plural && chown root:root /var/lib/containers && chmod g+s /var/lib/containers + VOLUME /var/lib/containers VOLUME /home/plural/.local/share/containers From 82f858475bec06b09529135b054eb23e3fa75841 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 18:00:04 +0200 Subject: [PATCH 39/57] add back mknod --- dockerfiles/pod_sysbox.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/dockerfiles/pod_sysbox.yaml b/dockerfiles/pod_sysbox.yaml index fbc188ab..065280cc 100644 --- a/dockerfiles/pod_sysbox.yaml +++ b/dockerfiles/pod_sysbox.yaml 
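Review bot: `chown root:root /var/lib/containers && chmod g+s /var/lib/containers` sets the setgid bit on a directory owned by root:root without granting any group permission, so the only effect is that new entries inherit group root; it does not give the plural user access, and the subject "fix perm on volume" does not say which permission problem it addresses. If rootless podman is meant to write there this is not the mechanism, and if rootfull podman is the only user the chmod is unnecessary. Because `VOLUME /var/lib/containers` follows this RUN, the ownership set here is what a fresh volume is seeded with and any later Dockerfile change to that path is discarded; a comment on the RUN line stating the intended owner and why `g+s` is needed would make the step reviewable.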
@@ -3,13 +3,14 @@ kind: Pod metadata: name: plural-cloud-sysbox namespace: sysbox - #annotations: - # io.kubernetes.cri-o.userns-mode: "auto:size=65536" + annotations: + io.kubernetes.cri-o.userns-mode: "auto:size=65536" spec: runtimeClassName: sysbox-runc containers: - name: plural-cloud-sysbox - image: ghcr.io/pluralsh/plural-cli-cloud:sha-0ea2f1a + image: ghcr.io/pluralsh/plural-cli-cloud:sha-9414233 + command: ["sh", "-c", "while true; do sleep 3600; done"] resources: requests: memory: "256Mi" @@ -19,7 +20,7 @@ spec: capabilities: add: - "SYS_ADMIN" - #- "MKNOD" + - "MKNOD" - "SYS_CHROOT" - "SETFCAP" #allowPrivilegeEscalation: false From 288b32daeaca4b1c938ee9bfd7f31808caff640e Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Fri, 18 Aug 2023 21:00:01 +0200 Subject: [PATCH 40/57] force newer version of podman, crun dep is ancient --- dockerfiles/Dockerfile.cloud | 21 ++++++++++++++++----- dockerfiles/pod_sysbox.yaml | 2 +- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 1f02f1cb..6b058b06 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
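Review bot: The capability list now grants `SYS_ADMIN`, `MKNOD`, `SYS_CHROOT` and `SETFCAP` while `#allowPrivilegeEscalation: false` stays commented out, and the manifest records no reason for any of them; a comment per capability, e.g. `# MKNOD: required for <reason>, see <ticket>`, keeps the privilege set auditable and lets later cleanup drop the ones that turn out unnecessary. The re-enabled `io.kubernetes.cri-o.userns-mode: "auto:size=65536"` annotation overlaps with the user-namespace handling sysbox-runc performs itself; confirm the two do not conflict and note the outcome beside the annotation. `image: ghcr.io/pluralsh/plural-cli-cloud:sha-9414233` is a mutable tag, so pinning by digest (`image: ghcr.io/pluralsh/plural-cli-cloud@sha256:<digest>`) would make the pod reproducible.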
@@ -132,11 +132,22 @@ COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d # install podman -RUN apt-get -yq update \ - && apt-get -yq install --no-install-recommends \ - podman \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* +#RUN apt-get -yq update \ +# && apt-get -yq install --no-install-recommends \ +# podman \ +# && apt-get clean \ +# && rm -rf /var/lib/apt/lists/* + +RUN mkdir -p /etc/apt/keyrings +RUN curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key" \ + | gpg --dearmor \ + | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null +RUN echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\ + https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \ + | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null +RUN apt-get update -qq +RUN apt-get -qq -y install podman RUN setcap cap_setuid+ep /usr/bin/newuidmap diff --git a/dockerfiles/pod_sysbox.yaml b/dockerfiles/pod_sysbox.yaml index 065280cc..27dfc11a 100644 --- a/dockerfiles/pod_sysbox.yaml +++ b/dockerfiles/pod_sysbox.yaml @@ -9,7 +9,7 @@ spec: runtimeClassName: sysbox-runc containers: - name: plural-cloud-sysbox - image: ghcr.io/pluralsh/plural-cli-cloud:sha-9414233 + image: ghcr.io/pluralsh/plural-cli-cloud:sha-04eebbd command: ["sh", "-c", "while true; do sleep 3600; done"] resources: requests: From d1a57a87407b4670b8588442db0578711cd37c5f Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Sun, 20 Aug 2023 16:23:05 +0200 Subject: [PATCH 41/57] trigger build --- dockerfiles/Dockerfile.cloud | 1 + 1 file changed, 1 insertion(+) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 6b058b06..8d83f02a 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
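Review bot: `RUN curl -fsSL ".../Release.key" | gpg --dearmor | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null` reports the exit status of `tee`, so a failed download or dearmor can leave an empty or partial keyring in place while the build continues; set `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this step or write the key with `gpg --dearmor -o` outside a pipeline. `apt-get update -qq` and `apt-get -qq -y install podman` are separate layers, so a cached index can be paired with a later install, and the `rm -rf /var/lib/apt/lists/*` from the replaced version is gone; combine them as `RUN apt-get update -qq && apt-get -qq -y install podman && rm -rf /var/lib/apt/lists/*`. The source is the `devel:kubic:libcontainers:unstable` channel with no version pin on `podman`, so rebuilds will silently pick up whatever is current; if a newer crun/podman pair is the goal, pin `podman=<version>` and state the reason in a comment.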
@@ -138,6 +138,7 @@ COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d # && apt-get clean \ # && rm -rf /var/lib/apt/lists/* + RUN mkdir -p /etc/apt/keyrings RUN curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key" \ | gpg --dearmor \ From 952839c93980438e2bdf88fa5b70cb1358e3f8fc Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 14:25:16 +0200 Subject: [PATCH 42/57] build with docker-ce-cli only --- dockerfiles/Dockerfile.cloud | 143 ++++++++++++++++++----------------- 1 file changed, 73 insertions(+), 70 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 8d83f02a..07df0aca 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
@@ -130,75 +130,67 @@ ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLA RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d - -# install podman -#RUN apt-get -yq update \ -# && apt-get -yq install --no-install-recommends \ -# podman \ -# && apt-get clean \ -# && rm -rf /var/lib/apt/lists/* - - -RUN mkdir -p /etc/apt/keyrings -RUN curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key" \ - | gpg --dearmor \ - | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null -RUN echo \ - "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\ - https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \ - | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null -RUN apt-get update -qq -RUN apt-get -qq -y install podman - - -RUN setcap cap_setuid+ep /usr/bin/newuidmap -RUN setcap cap_setgid+ep /usr/bin/newgidmap -RUN chmod 0777 /usr/bin/newuidmap -RUN chmod 0777 /usr/bin/newgidmap - -#RUN echo "plural:100000:65536" > /etc/subuid -#RUN echo "plural:100000:65536" > /etc/subgid -RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid -RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid -#RUN echo "plural ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers - -# setup dirs -RUN mkdir -p /home/plural/.local/share/containers && \ - mkdir -p /home/plural/.config/containers && \ - mkdir -p /var/lib/containers - -# for rootfull podman -COPY dockerfiles/podman-conf/rootfull/containers.conf /etc/containers/containers.conf -COPY dockerfiles/podman-conf/rootfull/storage.conf /etc/containers/storage.conf -# for rootless podman -COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/containers.conf /home/plural/.config/containers/containers.conf -COPY --chown=1000:1000 
dockerfiles/podman-conf/rootless/storage.conf /home/plural/.config/containers/storage.conf -# rootless podman still needs to read these -RUN chmod 644 /etc/containers/containers.conf && \ - chmod 644 /etc/containers/storage.conf - -# circumvent overlayfs req? -RUN chown plural:plural -R /home/plural && chown root:root /var/lib/containers && chmod g+s /var/lib/containers - -VOLUME /var/lib/containers -VOLUME /home/plural/.local/share/containers - -ENV _CONTAINERS_USERNS_CONFIGURED="" - -RUN mkdir -p /var/lib/shared/overlay-images \ - /var/lib/shared/overlay-layers \ - /var/lib/shared/vfs-images \ - /var/lib/shared/vfs-layers && \ - touch /var/lib/shared/overlay-images/images.lock && \ - touch /var/lib/shared/overlay-layers/layers.lock && \ - touch /var/lib/shared/vfs-images/images.lock && \ - touch /var/lib/shared/vfs-layers/layers.lock - - -# Alias "docker" to "podman" -RUN ln -s /usr/bin/podman /usr/bin/docker - -#RUN chsh -s /bin/bash podman +################################# +######## install podman ######### +################################# + +#RUN mkdir -p /etc/apt/keyrings +#RUN curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key" \ +# | gpg --dearmor \ +# | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null +#RUN echo \ +# "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\ +# https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \ +# | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null +#RUN apt-get update -qq +#RUN apt-get -qq -y install podman +# +# +#RUN setcap cap_setuid+ep /usr/bin/newuidmap +#RUN setcap cap_setgid+ep /usr/bin/newgidmap +#RUN chmod 0777 /usr/bin/newuidmap +#RUN chmod 0777 /usr/bin/newgidmap +# +#RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid +#RUN printf 
"plural:1:999\nplural:1001:64535" > /etc/subgid +# +## setup dirs +#RUN mkdir -p /home/plural/.local/share/containers && \ +# mkdir -p /home/plural/.config/containers && \ +# mkdir -p /var/lib/containers +# +## for rootfull podman +#COPY dockerfiles/podman-conf/rootfull/containers.conf /etc/containers/containers.conf +#COPY dockerfiles/podman-conf/rootfull/storage.conf /etc/containers/storage.conf +## for rootless podman +#COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/containers.conf /home/plural/.config/containers/containers.conf +#COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/storage.conf /home/plural/.config/containers/storage.conf +## rootless podman still needs to read these +#RUN chmod 644 /etc/containers/containers.conf && \ +# chmod 644 /etc/containers/storage.conf +# +## circumvent overlayfs req? +#RUN chown plural:plural -R /home/plural && chown root:root /var/lib/containers && chmod g+s /var/lib/containers +# +#VOLUME /var/lib/containers +#VOLUME /home/plural/.local/share/containers +# +#ENV _CONTAINERS_USERNS_CONFIGURED="" +# +#RUN mkdir -p /var/lib/shared/overlay-images \ +# /var/lib/shared/overlay-layers \ +# /var/lib/shared/vfs-images \ +# /var/lib/shared/vfs-layers && \ +# touch /var/lib/shared/overlay-images/images.lock && \ +# touch /var/lib/shared/overlay-layers/layers.lock && \ +# touch /var/lib/shared/vfs-images/images.lock && \ +# touch /var/lib/shared/vfs-layers/layers.lock +# +# +## Alias "docker" to "podman" +#RUN ln -s /usr/bin/podman /usr/bin/docker +# +##RUN chsh -s /bin/bash podman # install kind # K8s.io KinD 
@@ -227,7 +219,17 @@ WORKDIR /home/plural #ENV XDG_RUNTIME_DIR=/home/plural/.docker #RUN mkdir -p $XDG_RUNTIME_DIR && \ # chown 1000:0 $XDG_RUNTIME_DIR && \ -RUN echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && sysctl --system +#RUN echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && sysctl --system + + +# install docker cli +RUN install -m 0755 -d /etc/apt/keyrings && \ + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \ + chmod a+r /etc/apt/keyrings/docker.gpg && \ + echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null + +RUN apt-get -yq update && apt-get -yq install docker-ce-cli + USER plural #ENV DOCKER_VERSION=24.0.0 @@ -257,6 +259,7 @@ RUN printf "\nexport PATH=$PATH:/sbin" >> /home/plural/.zshrc && \ ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json +#USER plural USER root #ENTRYPOINT [ "/init" ] ENTRYPOINT [ "/bin/bash" ] From 3f77ba2bdbfa59d9e77b6233c392e28236651460 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 16:11:41 +0200 Subject: [PATCH 43/57] dind sidecar approach --- dockerfiles/dind_sidecar.yaml | 43 +++++++++++++++++++++++++++++++++++ dockerfiles/pod_sysbox.yaml | 2 +- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 dockerfiles/dind_sidecar.yaml diff --git a/dockerfiles/dind_sidecar.yaml b/dockerfiles/dind_sidecar.yaml new file mode 100644 index 00000000..ac95a681 --- /dev/null +++ b/dockerfiles/dind_sidecar.yaml 
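Review bot: `RUN apt-get -yq update && apt-get -yq install docker-ce-cli` installs an unpinned package from the `stable` channel and leaves /var/lib/apt/lists in the layer; `RUN apt-get -yq update && apt-get -yq install --no-install-recommends docker-ce-cli=<version> && rm -rf /var/lib/apt/lists/*` pins it and keeps the image smaller. The keyring step `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg` has the same pipeline-status weakness as the now-commented podman keyring step: a failed curl is masked by gpg's exit code unless the shell runs with `pipefail`. The commented `#RUN echo "kernel.unprivileged_userns_clone=1" ...` line can be deleted rather than kept, since a build-time sysctl cannot configure the runtime host either way.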
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Pod +metadata: + name: plural-cli-dind-sidecar + namespace: sysbox + annotations: + io.kubernetes.cri-o.userns-mode: "auto:size=65536" +spec: + runtimeClassName: sysbox-runc + tolerations: + - key: plural.sh/sysbox + operator: Exists + - key: plural.sh/capacityType + operator: Exists + restartPolicy: Never + containers: + - name: plural-cli + image: ghcr.io/pluralsh/plural-cli-cloud:sha-0ea22d0 + command: ["sh", "-c", "while true; do sleep 3600; done"] + resources: + requests: + cpu: 10m + memory: 256Mi + env: + - name: DOCKER_HOST + value: tcp://localhost:2375 + volumeMounts: + - name: docker + mountPath: /var/lib/docker + - name: sysbox-dind + image: ghcr.io/nestybox/ubuntu-jammy-systemd-docker:rodny-new + resources: + requests: + cpu: 20m + memory: 512Mi + securityContext: + privileged: false + volumeMounts: + - name: docker + mountPath: /var/lib/docker + volumes: + - name: docker + emptyDir: {} \ No newline at end of file diff --git a/dockerfiles/pod_sysbox.yaml b/dockerfiles/pod_sysbox.yaml index 27dfc11a..be4ad452 100644 --- a/dockerfiles/pod_sysbox.yaml +++ b/dockerfiles/pod_sysbox.yaml @@ -9,7 +9,7 @@ spec: runtimeClassName: sysbox-runc containers: - name: plural-cloud-sysbox - image: ghcr.io/pluralsh/plural-cli-cloud:sha-04eebbd + image: ghcr.io/pluralsh/plural-cli-cloud:sha-f09a09f command: ["sh", "-c", "while true; do sleep 3600; done"] resources: requests: From bf87efed926bbbd7e49eb32b8cc98c861df15b32 Mon Sep 17 00:00:00 2001 
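Review bot: `DOCKER_HOST` is set to `tcp://localhost:2375`, a plaintext daemon endpoint that is presumably unauthenticated; this is only acceptable because both containers share the pod's network namespace, and that assumption should be written next to the env entry, e.g. `# plain TCP is reachable only inside this pod's netns; never expose 2375 through a Service`. The `plural-cli` container also mounts the `docker` emptyDir at /var/lib/docker, yet it talks to the daemon over TCP, so it has no need for direct write access to the daemon's image and container storage; drop that volumeMount from the CLI container. `ghcr.io/nestybox/ubuntu-jammy-systemd-docker:rodny-new` is a mutable, non-release tag and neither container sets `limits:`; pin the sidecar by digest and add limits alongside the requests. The file lacks a trailing newline.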
From: Hans Rauer Date: Mon, 21 Aug 2023 16:35:59 +0200 Subject: [PATCH 44/57] clean up --- dockerfiles/log-prepare/dependencies.d/base | 0 dockerfiles/log-prepare/type | 1 - dockerfiles/log-prepare/up | 3 - .../podman-conf/rootfull/containers.conf | 12 - dockerfiles/podman-conf/rootfull/storage.conf | 234 ------------------ .../podman-conf/rootless/containers.conf | 5 - dockerfiles/podman-conf/rootless/storage.conf | 234 ------------------ dockerfiles/s6-rc.d/plural/run | 4 - dockerfiles/s6-rc.d/plural/type | 1 - dockerfiles/s6-rc.d/ssh/run | 4 - dockerfiles/s6-rc.d/ssh/type | 1 - dockerfiles/s6-rc.d/user/contents.d/plural | 0 dockerfiles/s6-rc.d/user/contents.d/ssh | 0 13 files changed, 499 deletions(-) delete mode 100644 dockerfiles/log-prepare/dependencies.d/base delete mode 100644 dockerfiles/log-prepare/type delete mode 100644 dockerfiles/log-prepare/up delete mode 100644 dockerfiles/podman-conf/rootfull/containers.conf delete mode 100644 dockerfiles/podman-conf/rootfull/storage.conf delete mode 100644 dockerfiles/podman-conf/rootless/containers.conf delete mode 100644 dockerfiles/podman-conf/rootless/storage.conf delete mode 100644 dockerfiles/s6-rc.d/plural/run delete mode 100644 dockerfiles/s6-rc.d/plural/type delete mode 100644 dockerfiles/s6-rc.d/ssh/run delete mode 100644 dockerfiles/s6-rc.d/ssh/type delete mode 100644 dockerfiles/s6-rc.d/user/contents.d/plural delete mode 100644 dockerfiles/s6-rc.d/user/contents.d/ssh diff --git a/dockerfiles/log-prepare/dependencies.d/base b/dockerfiles/log-prepare/dependencies.d/base deleted file mode 100644 index e69de29b..00000000 diff --git a/dockerfiles/log-prepare/type b/dockerfiles/log-prepare/type deleted file mode 100644 index 3d92b15f..00000000 --- a/dockerfiles/log-prepare/type +++ /dev/null @@ -1 +0,0 @@ -oneshot \ No newline at end of file diff --git a/dockerfiles/log-prepare/up b/dockerfiles/log-prepare/up deleted file mode 100644 index 6a0484e2..00000000 --- a/dockerfiles/log-prepare/up +++ /dev/null 
@@ -1,3 +0,0 @@ -if { mkdir -p /var/log/dind } -if { chown nobody:nogroup /var/log/dind } -chmod 02755 /var/log/dind \ No newline at end of file diff --git a/dockerfiles/podman-conf/rootfull/containers.conf b/dockerfiles/podman-conf/rootfull/containers.conf deleted file mode 100644 index 220c1f85..00000000 --- a/dockerfiles/podman-conf/rootfull/containers.conf +++ /dev/null @@ -1,12 +0,0 @@ -[containers] -netns="host" -userns="host" -ipcns="host" -utsns="host" -cgroupns="host" -cgroups="disabled" -log_driver = "k8s-file" -[engine] -cgroup_manager = "cgroupfs" -events_logger="file" -runtime="crun" diff --git a/dockerfiles/podman-conf/rootfull/storage.conf b/dockerfiles/podman-conf/rootfull/storage.conf deleted file mode 100644 index 5a9530b8..00000000 --- a/dockerfiles/podman-conf/rootfull/storage.conf +++ /dev/null 
@@ -1,234 +0,0 @@ -# This file is the configuration file for all tools -# that use the containers/storage library. The storage.conf file -# overrides all other storage.conf files. Container engines using the -# container/storage library do not inherit fields from other storage.conf -# files. -# -# Note: The storage.conf file overrides other storage.conf files based on this precedence: -# /usr/containers/storage.conf -# /etc/containers/storage.conf -# $HOME/.config/containers/storage.conf -# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set) -# See man 5 containers-storage.conf for more information -# The "container storage" table contains all of the server options. -[storage] - -# Default Storage Driver, Must be set for proper operation. -driver = "vfs" - -# for rootless runroot and graphroot should be ignored as per https://github.com/containers/podman/blob/53b2b0222d318c9111797a961ce995b1227d16e3/docs/tutorials/rootless_tutorial.md -# Temporary storage location -runroot = "/run/containers/storage" - -# Primary Read/Write location of container storage -# When changing the graphroot location on an SELINUX system, you must -# ensure the labeling matches the default locations labels with the -# following commands: -# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH -# restorecon -R -v /NEWSTORAGEPATH -graphroot = "/var/lib/containers/storage" - - -# Storage path for rootless users -# -#rootless_storage_path = "/home/plural/.local/share/containers/storage" - -[storage.options] -# Storage options to be passed to underlying storage drivers - -# AdditionalImageStores is used to pass paths to additional Read/Only image stores -# Must be comma separated list. -additionalimagestores = [ - "/var/lib/shared", -] - -# Allows specification of how storage is populated when pulling images. This -# option can speed the pulling process of images compressed with format -# zstd:chunked. 
Containers/storage looks for files within images that are being -# pulled from a container registry that were previously pulled to the host. It -# can copy or create a hard link to the existing file when it finds them, -# eliminating the need to pull them from the container registry. These options -# can deduplicate pulling of content, disk storage of content and can allow the -# kernel to use less memory when running containers. - -# containers/storage supports four keys -# * enable_partial_images="true" | "false" -# Tells containers/storage to look for files previously pulled in storage -# rather then always pulling them from the container registry. -# * use_hard_links = "false" | "true" -# Tells containers/storage to use hard links rather then create new files in -# the image, if an identical file already existed in storage. -# * ostree_repos = "" -# Tells containers/storage where an ostree repository exists that might have -# previously pulled content which can be used when attempting to avoid -# pulling content from the container registry -pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} - -# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of -# a container, to the UIDs/GIDs as they should appear outside of the container, -# and the length of the range of UIDs/GIDs. Additional mapped sets can be -# listed and will be needed by libraries, but there are limits to the number of -# mappings which the kernel will allow when you later attempt to run a -# container. -# -# remap-uids = 0:1668442479:65536 -# remap-gids = 0:1668442479:65536 - -# Remap-User/Group is a user name which can be used to look up one or more UID/GID -# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting -# with an in-container ID of 0 and then a host-level ID taken from the lowest -# range that matches the specified name, and using the length of that range. 
-# Additional ranges are then assigned, using the ranges which specify the -# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, -# until all of the entries have been used for maps. -# -# remap-user = "containers" -# remap-group = "containers" - -# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID -# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned -# to containers configured to create automatically a user namespace. Containers -# configured to automatically create a user namespace can still overlap with containers -# having an explicit mapping set. -# This setting is ignored when running as rootless. -# root-auto-userns-user = "storage" -# -# Auto-userns-min-size is the minimum size for a user namespace created automatically. -# auto-userns-min-size=1024 -# -# Auto-userns-max-size is the minimum size for a user namespace created automatically. -# auto-userns-max-size=65536 - -[storage.options.overlay] -# ignore_chown_errors can be set to allow a non privileged user running with -# a single UID within a user namespace to run containers. The user can pull -# and use any image even those with multiple uids. Note multiple UIDs will be -# squashed down to the default uid in the container. These images will have no -# separation between the users in the container. Only supported for the overlay -# and vfs drivers. -#ignore_chown_errors = "false" - -# Inodes is used to set a maximum inodes of the container image. -# inodes = "" - -# Path to an helper program to use for mounting the file system instead of mounting it -# directly. -#mount_program = "/usr/bin/fuse-overlayfs" - -# mountopt specifies comma separated list of extra mount options -mountopt = "nodev" - -# Set to skip a PRIVATE bind mount on the storage home directory. -# skip_mount_home = "false" - -# Size is used to set a maximum size of the container image. 
-# size = "" - -# ForceMask specifies the permissions mask that is used for new files and -# directories. -# -# The values "shared" and "private" are accepted. -# Octal permission masks are also accepted. -# -# "": No value specified. -# All files/directories, get set with the permissions identified within the -# image. -# "private": it is equivalent to 0700. -# All files/directories get set with 0700 permissions. The owner has rwx -# access to the files. No other users on the system can access the files. -# This setting could be used with networked based homedirs. -# "shared": it is equivalent to 0755. -# The owner has rwx access to the files and everyone else can read, access -# and execute them. This setting is useful for sharing containers storage -# with other users. For instance have a storage owned by root but shared -# to rootless users as an additional store. -# NOTE: All files within the image are made readable and executable by any -# user on the system. Even /etc/shadow within your image is now readable by -# any user. -# -# OCTAL: Users can experiment with other OCTAL Permissions. -# -# Note: The force_mask Flag is an experimental feature, it could change in the -# future. When "force_mask" is set the original permission mask is stored in -# the "user.containers.override_stat" xattr and the "mount_program" option must -# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the -# extended attribute permissions to processes within containers rather than the -# "force_mask" permissions. -# -# force_mask = "" - -[storage.options.thinpool] -# Storage Options for thinpool - -# autoextend_percent determines the amount by which pool needs to be -# grown. This is specified in terms of % of pool size. So a value of 20 means -# that when threshold is hit, pool will be grown by 20% of existing -# pool size. -# autoextend_percent = "20" - -# autoextend_threshold determines the pool extension threshold in terms -# of percentage of pool size. 
For example, if threshold is 60, that means when -# pool is 60% full, threshold has been hit. -# autoextend_threshold = "80" - -# basesize specifies the size to use when creating the base device, which -# limits the size of images and containers. -# basesize = "10G" - -# blocksize specifies a custom blocksize to use for the thin pool. -# blocksize="64k" - -# directlvm_device specifies a custom block storage device to use for the -# thin pool. Required if you setup devicemapper. -# directlvm_device = "" - -# directlvm_device_force wipes device even if device already has a filesystem. -# directlvm_device_force = "True" - -# fs specifies the filesystem type to use for the base device. -# fs="xfs" - -# log_level sets the log level of devicemapper. -# 0: LogLevelSuppress 0 (Default) -# 2: LogLevelFatal -# 3: LogLevelErr -# 4: LogLevelWarn -# 5: LogLevelNotice -# 6: LogLevelInfo -# 7: LogLevelDebug -# log_level = "7" - -# min_free_space specifies the min free space percent in a thin pool require for -# new device creation to succeed. Valid values are from 0% - 99%. -# Value 0% disables -# min_free_space = "10%" - -# mkfsarg specifies extra mkfs arguments to be used when creating the base -# device. -# mkfsarg = "" - -# metadata_size is used to set the `pvcreate --metadatasize` options when -# creating thin devices. Default is 128k -# metadata_size = "" - -# Size is used to set a maximum size of the container image. -# size = "" - -# use_deferred_removal marks devicemapper block device for deferred removal. -# If the thinpool is in use when the driver attempts to remove it, the driver -# tells the kernel to remove it as soon as possible. Note this does not free -# up the disk space, use deferred deletion to fully remove the thinpool. -# use_deferred_removal = "True" - -# use_deferred_deletion marks thinpool device for deferred deletion. 
-# If the device is busy when the driver attempts to delete it, the driver -# will attempt to delete device every 30 seconds until successful. -# If the program using the driver exits, the driver will continue attempting -# to cleanup the next time the driver is used. Deferred deletion permanently -# deletes the device and all data stored in device will be lost. -# use_deferred_deletion = "True" - -# xfs_nospace_max_retries specifies the maximum number of retries XFS should -# attempt to complete IO when ENOSPC (no space) error is returned by -# underlying storage device. -# xfs_nospace_max_retries = "0" \ No newline at end of file diff --git a/dockerfiles/podman-conf/rootless/containers.conf b/dockerfiles/podman-conf/rootless/containers.conf deleted file mode 100644 index 46349640..00000000 --- a/dockerfiles/podman-conf/rootless/containers.conf +++ /dev/null @@ -1,5 +0,0 @@ -[containers] -volumes = [ - "/proc:/proc", -] -default_sysctls = [] \ No newline at end of file diff --git a/dockerfiles/podman-conf/rootless/storage.conf b/dockerfiles/podman-conf/rootless/storage.conf deleted file mode 100644 index 94b87a13..00000000 --- a/dockerfiles/podman-conf/rootless/storage.conf +++ /dev/null 
@@ -1,234 +0,0 @@ -# This file is the configuration file for all tools -# that use the containers/storage library. The storage.conf file -# overrides all other storage.conf files. Container engines using the -# container/storage library do not inherit fields from other storage.conf -# files. -# -# Note: The storage.conf file overrides other storage.conf files based on this precedence: -# /usr/containers/storage.conf -# /etc/containers/storage.conf -# $HOME/.config/containers/storage.conf -# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set) -# See man 5 containers-storage.conf for more information -# The "container storage" table contains all of the server options. -[storage] - -# Default Storage Driver, Must be set for proper operation. -driver = "vfs" - -# runroot and graphroot should be ignored as per https://github.com/containers/podman/blob/53b2b0222d318c9111797a961ce995b1227d16e3/docs/tutorials/rootless_tutorial.md -# Temporary storage location -#runroot = "/run/containers/storage" -runroot = "/run/user/1000/containers/storage" - -# Primary Read/Write location of container storage -# When changing the graphroot location on an SELINUX system, you must -# ensure the labeling matches the default locations labels with the -# following commands: -# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH -# restorecon -R -v /NEWSTORAGEPATH -#graphroot = "/var/lib/containers/storage" -graphroot = "/home/plural/.local/share/containers/storage" - - -# Storage path for rootless users -# -#rootless_storage_path = "/home/plural/.local/share/containers/storage" - -[storage.options] -# Storage options to be passed to underlying storage drivers - -# AdditionalImageStores is used to pass paths to additional Read/Only image stores -# Must be comma separated list. -#additionalimagestores = ["/var/lib/shared"] - -# Allows specification of how storage is populated when pulling images. 
This -# option can speed the pulling process of images compressed with format -# zstd:chunked. Containers/storage looks for files within images that are being -# pulled from a container registry that were previously pulled to the host. It -# can copy or create a hard link to the existing file when it finds them, -# eliminating the need to pull them from the container registry. These options -# can deduplicate pulling of content, disk storage of content and can allow the -# kernel to use less memory when running containers. - -# containers/storage supports four keys -# * enable_partial_images="true" | "false" -# Tells containers/storage to look for files previously pulled in storage -# rather then always pulling them from the container registry. -# * use_hard_links = "false" | "true" -# Tells containers/storage to use hard links rather then create new files in -# the image, if an identical file already existed in storage. -# * ostree_repos = "" -# Tells containers/storage where an ostree repository exists that might have -# previously pulled content which can be used when attempting to avoid -# pulling content from the container registry -pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} - -# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of -# a container, to the UIDs/GIDs as they should appear outside of the container, -# and the length of the range of UIDs/GIDs. Additional mapped sets can be -# listed and will be needed by libraries, but there are limits to the number of -# mappings which the kernel will allow when you later attempt to run a -# container. -# -# remap-uids = 0:1668442479:65536 -# remap-gids = 0:1668442479:65536 - -# Remap-User/Group is a user name which can be used to look up one or more UID/GID -# ranges in the /etc/subuid or /etc/subgid file. 
Mappings are set up starting -# with an in-container ID of 0 and then a host-level ID taken from the lowest -# range that matches the specified name, and using the length of that range. -# Additional ranges are then assigned, using the ranges which specify the -# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, -# until all of the entries have been used for maps. -# -# remap-user = "containers" -# remap-group = "containers" - -# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID -# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned -# to containers configured to create automatically a user namespace. Containers -# configured to automatically create a user namespace can still overlap with containers -# having an explicit mapping set. -# This setting is ignored when running as rootless. -# root-auto-userns-user = "storage" -# -# Auto-userns-min-size is the minimum size for a user namespace created automatically. -# auto-userns-min-size=1024 -# -# Auto-userns-max-size is the minimum size for a user namespace created automatically. -# auto-userns-max-size=65536 - -[storage.options.overlay] -# ignore_chown_errors can be set to allow a non privileged user running with -# a single UID within a user namespace to run containers. The user can pull -# and use any image even those with multiple uids. Note multiple UIDs will be -# squashed down to the default uid in the container. These images will have no -# separation between the users in the container. Only supported for the overlay -# and vfs drivers. -#ignore_chown_errors = "false" - -# Inodes is used to set a maximum inodes of the container image. -# inodes = "" - -# Path to an helper program to use for mounting the file system instead of mounting it -# directly. 
-#mount_program = "/usr/bin/fuse-overlayfs" - -# mountopt specifies comma separated list of extra mount options -mountopt = "" - -# Set to skip a PRIVATE bind mount on the storage home directory. -# skip_mount_home = "false" - -# Size is used to set a maximum size of the container image. -# size = "" - -# ForceMask specifies the permissions mask that is used for new files and -# directories. -# -# The values "shared" and "private" are accepted. -# Octal permission masks are also accepted. -# -# "": No value specified. -# All files/directories, get set with the permissions identified within the -# image. -# "private": it is equivalent to 0700. -# All files/directories get set with 0700 permissions. The owner has rwx -# access to the files. No other users on the system can access the files. -# This setting could be used with networked based homedirs. -# "shared": it is equivalent to 0755. -# The owner has rwx access to the files and everyone else can read, access -# and execute them. This setting is useful for sharing containers storage -# with other users. For instance have a storage owned by root but shared -# to rootless users as an additional store. -# NOTE: All files within the image are made readable and executable by any -# user on the system. Even /etc/shadow within your image is now readable by -# any user. -# -# OCTAL: Users can experiment with other OCTAL Permissions. -# -# Note: The force_mask Flag is an experimental feature, it could change in the -# future. When "force_mask" is set the original permission mask is stored in -# the "user.containers.override_stat" xattr and the "mount_program" option must -# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the -# extended attribute permissions to processes within containers rather than the -# "force_mask" permissions. -# -# force_mask = "" - -[storage.options.thinpool] -# Storage Options for thinpool - -# autoextend_percent determines the amount by which pool needs to be -# grown. 
This is specified in terms of % of pool size. So a value of 20 means -# that when threshold is hit, pool will be grown by 20% of existing -# pool size. -# autoextend_percent = "20" - -# autoextend_threshold determines the pool extension threshold in terms -# of percentage of pool size. For example, if threshold is 60, that means when -# pool is 60% full, threshold has been hit. -# autoextend_threshold = "80" - -# basesize specifies the size to use when creating the base device, which -# limits the size of images and containers. -# basesize = "10G" - -# blocksize specifies a custom blocksize to use for the thin pool. -# blocksize="64k" - -# directlvm_device specifies a custom block storage device to use for the -# thin pool. Required if you setup devicemapper. -# directlvm_device = "" - -# directlvm_device_force wipes device even if device already has a filesystem. -# directlvm_device_force = "True" - -# fs specifies the filesystem type to use for the base device. -# fs="xfs" - -# log_level sets the log level of devicemapper. -# 0: LogLevelSuppress 0 (Default) -# 2: LogLevelFatal -# 3: LogLevelErr -# 4: LogLevelWarn -# 5: LogLevelNotice -# 6: LogLevelInfo -# 7: LogLevelDebug -# log_level = "7" - -# min_free_space specifies the min free space percent in a thin pool require for -# new device creation to succeed. Valid values are from 0% - 99%. -# Value 0% disables -# min_free_space = "10%" - -# mkfsarg specifies extra mkfs arguments to be used when creating the base -# device. -# mkfsarg = "" - -# metadata_size is used to set the `pvcreate --metadatasize` options when -# creating thin devices. Default is 128k -# metadata_size = "" - -# Size is used to set a maximum size of the container image. -# size = "" - -# use_deferred_removal marks devicemapper block device for deferred removal. -# If the thinpool is in use when the driver attempts to remove it, the driver -# tells the kernel to remove it as soon as possible. 
Note this does not free -# up the disk space, use deferred deletion to fully remove the thinpool. -# use_deferred_removal = "True" - -# use_deferred_deletion marks thinpool device for deferred deletion. -# If the device is busy when the driver attempts to delete it, the driver -# will attempt to delete device every 30 seconds until successful. -# If the program using the driver exits, the driver will continue attempting -# to cleanup the next time the driver is used. Deferred deletion permanently -# deletes the device and all data stored in device will be lost. -# use_deferred_deletion = "True" - -# xfs_nospace_max_retries specifies the maximum number of retries XFS should -# attempt to complete IO when ENOSPC (no space) error is returned by -# underlying storage device. -# xfs_nospace_max_retries = "0" \ No newline at end of file diff --git a/dockerfiles/s6-rc.d/plural/run b/dockerfiles/s6-rc.d/plural/run deleted file mode 100644 index cf08450e..00000000 --- a/dockerfiles/s6-rc.d/plural/run +++ /dev/null @@ -1,4 +0,0 @@ -#!/command/execlineb -P -with-contenv -s6-setuidgid plural -eval $(ssh-agent -s) \ No newline at end of file diff --git a/dockerfiles/s6-rc.d/plural/type b/dockerfiles/s6-rc.d/plural/type deleted file mode 100644 index 1780f9f4..00000000 --- a/dockerfiles/s6-rc.d/plural/type +++ /dev/null @@ -1 +0,0 @@ -longrun \ No newline at end of file diff --git a/dockerfiles/s6-rc.d/ssh/run b/dockerfiles/s6-rc.d/ssh/run deleted file mode 100644 index e21a573c..00000000 --- a/dockerfiles/s6-rc.d/ssh/run +++ /dev/null @@ -1,4 +0,0 @@ -#!/command/execlineb -P -with-contenv -s6-setuidgid plural -plural serve \ No newline at end of file diff --git a/dockerfiles/s6-rc.d/ssh/type b/dockerfiles/s6-rc.d/ssh/type deleted file mode 100644 index 1780f9f4..00000000 --- a/dockerfiles/s6-rc.d/ssh/type +++ /dev/null @@ -1 +0,0 @@ -longrun \ No newline at end of file 
diff --git a/dockerfiles/s6-rc.d/user/contents.d/plural b/dockerfiles/s6-rc.d/user/contents.d/plural deleted file mode 100644 index e69de29b..00000000 diff --git a/dockerfiles/s6-rc.d/user/contents.d/ssh b/dockerfiles/s6-rc.d/user/contents.d/ssh deleted file mode 100644 index e69de29b..00000000 From b5986ad1f2c1e2877b322046d65ccb0fcc3ef23d Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 16:36:15 +0200 Subject: [PATCH 45/57] create dind dockerfile with systemd conf --- dockerfiles/Dockerfile.dind | 58 ++++++++++++++++++++++++++ dockerfiles/dind-config/daemon.json | 3 ++ dockerfiles/dind-config/docker.service | 50 ++++++++++++++++++++++ dockerfiles/dind-config/override.conf | 3 ++ 4 files changed, 114 insertions(+) create mode 100644 dockerfiles/Dockerfile.dind create mode 100644 dockerfiles/dind-config/daemon.json create mode 100644 dockerfiles/dind-config/docker.service create mode 100644 dockerfiles/dind-config/override.conf diff --git a/dockerfiles/Dockerfile.dind b/dockerfiles/Dockerfile.dind new file mode 100644 index 00000000..b51cd3b9 --- /dev/null +++ b/dockerfiles/Dockerfile.dind 
@@ -0,0 +1,58 @@
+FROM ubuntu:jammy
+
+#
+# Systemd installation
+#
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ systemd \
+ systemd-sysv \
+ libsystemd0 \
+ ca-certificates \
+ dbus \
+ iptables \
+ iproute2 \
+ kmod \
+ locales \
+ sudo \
+ udev && \
+ \
+ # Prevents journald from reading kernel messages from /dev/kmsg
+ echo "ReadKMsg=no" >> /etc/systemd/journald.conf && \
+ \
+ # Housekeeping
+ apt-get clean -y && \
+ rm -rf \
+ /var/cache/debconf/* \
+ /var/lib/apt/lists/* \
+ /var/log/* \
+ /tmp/* \
+ /var/tmp/* \
+ /usr/share/doc/* \
+ /usr/share/man/* \
+ /usr/share/local/*
+
+# Disable systemd services/units that are unnecessary within a container.
+RUN systemctl mask systemd-udevd.service \
+ systemd-udevd-kernel.socket \
+ systemd-udevd-control.socket \
+ systemd-modules-load.service \
+ sys-kernel-debug.mount \
+ sys-kernel-tracing.mount
+
+# Make use of stopsignal (instead of sigterm) to stop systemd containers.
+STOPSIGNAL SIGRTMIN+3
+
+
+# Install Docker
+RUN apt-get update && apt-get install -y curl \
+ && rm -rf /var/lib/apt/lists/* \
+ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \
+ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh
+
+COPY dockerfiles/dind-config/docker.service /lib/systemd/system/docker.service
+COPY dockerfiles/dind-config/daemon.json /etc/docker/daemon.json
+
+
+# Set systemd as entrypoint.
+ENTRYPOINT [ "/sbin/init", "--log-level=err" ]
\ No newline at end of file
diff --git a/dockerfiles/dind-config/daemon.json b/dockerfiles/dind-config/daemon.json
new file mode 100644
index 00000000..0ad835f0
--- /dev/null
+++ b/dockerfiles/dind-config/daemon.json
@@ -0,0 +1,3 @@
+{
+ "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
+}
diff --git a/dockerfiles/dind-config/docker.service b/dockerfiles/dind-config/docker.service
new file mode 100644
index 00000000..5832e2e2
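Review bot: The trailing backslash on `&& curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \` continues the RUN instruction onto the next line, so `ADD https://... /etc/bash_completion.d/docker.sh` is not parsed as a Dockerfile instruction at all: the completion file is never added and the words `ADD`, the URL and the target path are handed to get-docker.sh as positional arguments. Drop the backslash so `ADD` stands on its own. The install is also unpinned: get-docker.sh is fetched and executed as root with no version, and the completion script is pulled from the `master` branch, so any upstream change or compromise flows straight into every build; get-docker.sh accepts `--version`, so `sh get-docker.sh --version <pinned docker version> && rm get-docker.sh` pins the engine and stops leaving the installer in the image, and the completion script should come from a tagged ref.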
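Review bot: `"hosts": ["tcp://0.0.0.0:2375", ...]` publishes the Docker API in plaintext with no authentication on every interface; the Docker API is root-equivalent on the host running dockerd, so anyone who can reach port 2375 gets that. If remote access is required, add the TLS settings dockerd reads from daemon.json (`"tlsverify": true`, `"tlscacert"`, `"tlscert"`, `"tlskey"`) and use the conventional 2376; otherwise bind to `tcp://127.0.0.1:2375` or keep only the unix socket.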
--- /dev/null
+++ b/dockerfiles/dind-config/docker.service
@@ -0,0 +1,50 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=https://docs.docker.com
+After=network-online.target docker.socket firewalld.service containerd.service time-set.target
+Wants=network-online.target containerd.service
+Requires=docker.socket
+
+[Service]
+Type=notify
+# the default is not to use systemd for cgroups because the delegate issues still
+# exists and systemd currently does not support the cgroup feature set required
+# for containers run by docker
+#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
+#### BEGIN MOD ####
+ExecStart=/usr/bin/dockerd --config-file /etc/docker/daemon.json --containerd=/run/containerd/containerd.sock
+#### END MOD ######
+ExecReload=/bin/kill -s HUP $MAINPID
+TimeoutStartSec=0
+RestartSec=2
+Restart=always
+
+# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
+# Both the old, and new location are accepted by systemd 229 and up, so using the old location
+# to make them work for either version of systemd.
+StartLimitBurst=3
+
+# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
+# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
+# this option work for either version of systemd.
+StartLimitInterval=60s
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+
+# Comment TasksMax if your systemd version does not support it.
+# Only systemd 226 and above support this option.
+TasksMax=infinity
+
+# set delegate yes so that systemd does not reset the cgroups of docker containers
+Delegate=yes
+
+# kill only the docker process, not all processes in the cgroup
+KillMode=process
+OOMScoreAdjust=-500
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
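Review bot: `Requires=docker.socket` (and `docker.socket` in `After=`) is kept while the MOD `ExecStart` drops `-H fd://`, so the unit still pulls in the socket unit but dockerd no longer accepts the descriptor systemd hands it; if the packaged docker.socket is installed, systemd and dockerd would then both claim /var/run/docker.sock, which the `hosts` list in daemon.json names, and I would expect start-up to fail or race. Either remove `Requires=docker.socket` and the `After=` entry and let daemon.json own the listeners, or keep `-H fd://` and leave `hosts` out of daemon.json. Separately, this replaces the vendor unit at /lib/systemd/system/docker.service wholesale, which a docker-ce package upgrade overwrites; a drop-in under /etc/systemd/system/docker.service.d/ (the override.conf added in this same commit is one) is the durable way to change ExecStart and would retire the `BEGIN MOD` copy of the unit.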
diff --git a/dockerfiles/dind-config/override.conf b/dockerfiles/dind-config/override.conf new file mode 100644 index 00000000..16572bc1 --- /dev/null +++ b/dockerfiles/dind-config/override.conf @@ -0,0 +1,3 @@ +[Service] +ExecStart= +ExecStart=/usr/bin/dockerd --config-file /etc/docker/daemon.json \ No newline at end of file From 21d6bf320542c28684d086fa0a69208a5a36ead6 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 16:36:28 +0200 Subject: [PATCH 46/57] add make target --- Makefile | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 6c2cf370..29e32423 100644 --- a/Makefile +++ b/Makefile @@ -101,15 +101,16 @@ build-cloud: ## build the cloud docker image -t gcr.io/$(GCP_PROJECT)/$(APP_NAME)-cloud:$(APP_VSN) \ -t $(DKR_HOST)/plural/$(APP_NAME)-cloud:$(APP_VSN) -f dockerfiles/Dockerfile.cloud . -.PHONY: build-test -build-test: ## build the cloud docker image - docker build --progress=plain --build-arg APP_NAME=$(APP_NAME) \ +.PHONY: build-dind +build-dind: ## build the dind docker image + docker build --build-arg APP_NAME=$(APP_NAME) \ --build-arg APP_VSN=$(APP_VSN) \ --build-arg APP_DATE=$(APP_DATE) \ --build-arg APP_COMMIT=$(BUILD) \ - -t $(APP_NAME)-test:$(APP_VSN) \ - -t $(APP_NAME)-test:latest \ - -t $(DKR_HOST)/plural/$(APP_NAME)-test:$(APP_VSN) -f dockerfiles/Dockerfile.test . + -t $(APP_NAME)-cloud:$(APP_VSN) \ + -t $(APP_NAME)-cloud:latest \ + -t gcr.io/$(GCP_PROJECT)/$(APP_NAME)-cloud:$(APP_VSN) \ + -t $(DKR_HOST)/plural/$(APP_NAME)-dind:$(APP_VSN) -f dockerfiles/Dockerfile.dind . .PHONY: push push: ## push to gcr From 765086e8363e1b3d971b91e52f3cc234e55595f4 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 16:36:36 +0200 Subject: [PATCH 47/57] dont ignore systemd files --- .dockerignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.dockerignore b/.dockerignore index 3a70eb61..afe84816 100644 --- a/.dockerignore +++ b/.dockerignore 
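Review bot: override.conf is never installed: Dockerfile.dind in this commit copies only docker.service and daemon.json, so this file is dead in the image, and its `ExecStart=/usr/bin/dockerd --config-file /etc/docker/daemon.json` already disagrees with the docker.service MOD line by omitting `--containerd=/run/containerd/containerd.sock`. Either `COPY dockerfiles/dind-config/override.conf /etc/systemd/system/docker.service.d/override.conf` and stop shipping the edited full unit, or delete this file; if it stays, make the two ExecStart lines identical.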
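Review bot: The new build-dind target tags the DinD image as `$(APP_NAME)-cloud:$(APP_VSN)`, `$(APP_NAME)-cloud:latest` and `gcr.io/$(GCP_PROJECT)/$(APP_NAME)-cloud:$(APP_VSN)`, so running it silently overwrites the cloud image's local and GCR tags with a different image, and a subsequent push of those tags would publish the DinD image under the cloud name; only the last `-t` says `-dind`. Change the three tags to `-t $(APP_NAME)-dind:$(APP_VSN) \`, `-t $(APP_NAME)-dind:latest \` and `-t gcr.io/$(GCP_PROJECT)/$(APP_NAME)-dind:$(APP_VSN) \`. Leading whitespace is lost in this rendering, so I cannot confirm the recipe lines keep their tab indentation.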
@@ -19,5 +19,6 @@ dockerfiles dockerfiles/s6-rc.d/user/contents.d/dockerd dockerfiles/s6-rc.d/user/contents.d/plural dockerfiles/s6-rc.d/user/contents.d/ssh +!dockerfiles/dind-config !dockerfiles/s6-rc.d !dockerfiles/podman-conf \ No newline at end of file From 8caac46ba7304a8189402216a35445fc5a3f958b Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 16:42:12 +0200 Subject: [PATCH 48/57] add dind build gh wf step --- .github/workflows/ci.yaml | 101 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8e3a6268..271a10d3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -206,6 +206,107 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results.sarif' + dind: + name: Build dind image + runs-on: ubuntu-latest + permissions: + contents: 'read' + id-token: 'write' + packages: 'write' + security-events: write + actions: read + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-region: us-east-2 + role-to-assume: arn:aws:iam::312272277431:role/github-actions/buildx-deployments + role-session-name: PluralCLI + - name: setup kubectl + uses: azure/setup-kubectl@v3 + - name: Get EKS credentials + run: aws eks update-kubeconfig --name pluraldev + - name: Docker meta + id: meta + uses: docker/metadata-action@v4 + with: + # list of Docker images to use as base name for tags + images: | + ghcr.io/pluralsh/plural-dind + # generate Docker tags based on the following events/attributes + tags: | + type=sha + type=ref,event=pr + type=ref,event=branch + - name: Set up Docker Buildx + id: builder + uses: docker/setup-buildx-action@v2 + with: + driver: kubernetes + platforms: linux/amd64 + driver-opts: | + namespace=buildx + requests.cpu=1.5 + requests.memory=3.5Gi + "nodeselector=plural.sh/scalingGroup=buildx-spot-x86" + "tolerations=key=plural.sh/capacityType,value=SPOT,effect=NoSchedule;key=plural.sh/reserved,value=BUILDX,effect=NoSchedule" + - name: Append ARM buildx builder from AWS + run: | + docker buildx create \ + --append \ + --bootstrap \ + --name ${{ steps.builder.outputs.name }} \ + --driver=kubernetes \ + --platform linux/arm64 \ + --node=${{ steps.builder.outputs.name }}-arm64 \ + --buildkitd-flags "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host" \ + --driver-opt namespace=buildx \ + --driver-opt requests.cpu=1.5 \ + --driver-opt requests.memory=3.5Gi \ + '--driver-opt="nodeselector=plural.sh/scalingGroup=buildx-spot-arm64"' \ + 
'--driver-opt="tolerations=key=plural.sh/capacityType,value=SPOT,effect=NoSchedule;key=plural.sh/reserved,value=BUILDX,effect=NoSchedule"' + - name: Login to GHCR + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Get current date + id: date + run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT + - uses: docker/build-push-action@v4 + with: + context: . + file: ./dockerfiles/Dockerfile.dind + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + platforms: linux/amd64,linux/arm64 + # cache-from: type=gha + # cache-to: type=gha,mode=max + build-args: | + APP_VSN=dev + APP_COMMIT=${{ github.sha }} + APP_DATE=${{ steps.date.outputs.date }} + - name: Run Trivy vulnerability scanner on dind image + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} + hide-progress: false + format: 'sarif' + output: 'trivy-results.sarif' + scanners: 'vuln' + timeout: 10m + ignore-unfixed: true + #severity: 'CRITICAL,HIGH' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + trivy-scan: name: Trivy fs scan runs-on: ubuntu-latest From 0ea8413361eafe02165b80829a91b9c4c4dae492 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 16:42:53 +0200 Subject: [PATCH 49/57] rm trest image dockerfile --- dockerfiles/Dockerfile.test | 66 ------------------------------------- 1 file changed, 66 deletions(-) delete mode 100644 dockerfiles/Dockerfile.test diff --git a/dockerfiles/Dockerfile.test b/dockerfiles/Dockerfile.test deleted file mode 100644 index 488fd993..00000000 --- a/dockerfiles/Dockerfile.test +++ /dev/null 
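Review bot: The `Run Trivy vulnerability scanner on dind image` step uses `aquasecurity/trivy-action@master`, a mutable branch ref, inside a job that assumes an AWS role through `id-token: write`, holds `packages: write` and has already logged in to GHCR, so whatever lands on that branch runs with those credentials. Pin it to a release tag or commit SHA, e.g. `uses: aquasecurity/trivy-action@<tag-or-sha>`, consistent with the `@v2`/`@v3`/`@v4` pins on the job's other actions. The scan also runs only after `push: true`, so the image is already published to `ghcr.io/pluralsh/plural-dind` before Trivy reports, and with no `exit-code` set the findings presumably do not fail the job; scan before pushing where the kubernetes driver allows it, or at least add `exit-code: '1'`. Separately, the appended ARM builder is created with `--buildkitd-flags "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host"`, which lets any build scheduled on it run privileged `RUN --security=insecure` steps with host networking inside the `buildx` namespace; the `build-push-action` step does not request either entitlement, so these flags look unnecessary and should be dropped.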
@@ -1,66 +0,0 @@ -FROM ghcr.io/nestybox/ubuntu-jammy-systemd:latest - -RUN apt-get -yq update \ - && apt-get -yq install --no-install-recommends \ - apt-transport-https \ - ca-certificates \ - gnupg \ - unzip \ - git \ - openssl \ - curl \ - zsh \ - emacs \ - vim \ - python3 \ - locales-all\ - screen \ - tree \ - less \ - lsb-release \ - openssh-client \ - xz-utils \ - uidmap \ - dbus-user-session \ - iptables \ - kmod \ - fuse-overlayfs \ - iproute2 \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* - -RUN cat /etc/passwd -RUN useradd -u 1001 -ms /bin/bash plural && echo "plural:plural" | chpasswd && adduser admin sudo - -WORKDIR /home/plural -ENV XDG_RUNTIME_DIR=/home/plural/.docker -RUN mkdir -p $XDG_RUNTIME_DIR && \ - chown 1001:0 $XDG_RUNTIME_DIR && \ - echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && \ - sysctl --system - -USER plural -#ENV DOCKER_VERSION=24.0.0 -#RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \ -#RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural -ENV SKIP_IPTABLES=1 -RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh -#&& usermod -a -G docker plural -ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh - - -## Install Docker -#RUN apt-get update && apt-get install -y curl \ -# && rm -rf /var/lib/apt/lists/* \ -# && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \ -# # Add user "admin" to the Docker group -# && usermod -a -G docker admin -#ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh -# - - -USER root - -EXPOSE 22 -# Set systemd as entrypoint. 
-ENTRYPOINT [ "/sbin/init", "--log-level=err" ] \ No newline at end of file From bd7ddd18773113ca2eba31a32e1eecb634fae8d9 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 17:00:13 +0200 Subject: [PATCH 50/57] rm debug yamnls --- dockerfiles/pod_priv.yaml | 26 ------------------------- dockerfiles/pod_priv2.yaml | 38 ------------------------------------- dockerfiles/pod_sysbox.yaml | 32 ------------------------------- dockerfiles/pod_unpriv.yaml | 26 ------------------------- 4 files changed, 122 deletions(-) delete mode 100644 dockerfiles/pod_priv.yaml delete mode 100644 dockerfiles/pod_priv2.yaml delete mode 100644 dockerfiles/pod_sysbox.yaml delete mode 100644 dockerfiles/pod_unpriv.yaml diff --git a/dockerfiles/pod_priv.yaml b/dockerfiles/pod_priv.yaml deleted file mode 100644 index c5d7ba7d..00000000 --- a/dockerfiles/pod_priv.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: plural-cloud-priv - namespace: sysbox - #annotations: - # io.kubernetes.cri-o.userns-mode: "auto:size=65536" -spec: - #runtimeClassName: sysbox-runc - containers: - - name: plural-cloud-priv - #image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725 - image: ghcr.io/pluralsh/plural-cli-cloud:sha-791720e - #command: ["/sbin/init", "--log-level=err"] - resources: - requests: - memory: "256Mi" - cpu: "1m" - securityContext: - privileged: true - tolerations: - - key: plural.sh/sysbox - operator: Exists - - key: plural.sh/capacityType - operator: Exists - restartPolicy: Never \ No newline at end of file diff --git a/dockerfiles/pod_priv2.yaml b/dockerfiles/pod_priv2.yaml deleted file mode 100644 index 048de695..00000000 --- a/dockerfiles/pod_priv2.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: plural-cloud-priv2 - namespace: sysbox - #annotations: - # io.kubernetes.cri-o.userns-mode: "auto:size=65536" -spec: - #runtimeClassName: sysbox-runc - containers: - - name: plural-cloud-priv2 - image: ghcr.io/pluralsh/plural-cli-cloud:sha-0ea2f1a - resources: - requests: - memory: "256Mi" - cpu: "1m" - securityContext: - runAsUser: 1000 - capabilities: - add: - - "SYS_ADMIN" - - "MKNOD" - - "SYS_CHROOT" - - "SETFCAP" - #allowPrivilegeEscalation: false - volumeMounts: - - name: containers-volume - mountPath: /var/lib/containers - volumes: - - name: containers-volume - hostPath: - path: /var/lib/containers - tolerations: - - key: plural.sh/sysbox - operator: Exists - - key: plural.sh/capacityType - operator: Exists - restartPolicy: Never \ No newline at end of file diff --git a/dockerfiles/pod_sysbox.yaml b/dockerfiles/pod_sysbox.yaml deleted file mode 100644 index be4ad452..00000000 --- a/dockerfiles/pod_sysbox.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: plural-cloud-sysbox - namespace: sysbox - annotations: - io.kubernetes.cri-o.userns-mode: "auto:size=65536" -spec: - runtimeClassName: sysbox-runc - containers: - - name: plural-cloud-sysbox - image: ghcr.io/pluralsh/plural-cli-cloud:sha-f09a09f - command: ["sh", "-c", "while true; do sleep 3600; done"] - resources: - requests: - memory: "256Mi" - cpu: "1m" - securityContext: - #runAsUser: 1000 - capabilities: - add: - - "SYS_ADMIN" - - "MKNOD" - - "SYS_CHROOT" - - "SETFCAP" - #allowPrivilegeEscalation: false - tolerations: - - key: plural.sh/sysbox - operator: Exists - - key: plural.sh/capacityType - operator: Exists - restartPolicy: Never \ No newline at end of file diff --git a/dockerfiles/pod_unpriv.yaml b/dockerfiles/pod_unpriv.yaml deleted file mode 100644 index 0b02cfb1..00000000 --- a/dockerfiles/pod_unpriv.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: plural-cloud-unpriv - namespace: sysbox - #annotations: - # io.kubernetes.cri-o.userns-mode: "auto:size=65536" -spec: - #runtimeClassName: sysbox-runc - containers: - - name: plural-cloud-unpriv - #image: ghcr.io/pluralsh/plural-cli-cloud:sha-fcf2725 - image: ghcr.io/pluralsh/plural-cli-cloud:sha-791720e - #command: ["/sbin/init", "--log-level=err"] - resources: - requests: - memory: "256Mi" - cpu: "1m" - securityContext: - privileged: false - tolerations: - - key: plural.sh/sysbox - operator: Exists - - key: plural.sh/capacityType - operator: Exists - restartPolicy: Never \ No newline at end of file From b42445fb1e27dd67f4385305c3c6a3708f74388b Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 17:58:33 +0200 Subject: [PATCH 51/57] clean up --- dockerfiles/Dockerfile.cloud | 103 +---------------------------------- 1 file changed, 3 insertions(+), 100 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index 07df0aca..d04cb5d6 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud @@ -80,7 +80,6 @@ RUN apt-get -yq update \ dbus-user-session \ iptables \ kmod \ - #fuse-overlayfs \ iproute2 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* 
@@ -121,77 +120,6 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages. # create plural user RUN useradd -u 1000 -ms /bin/bash plural -# install s6 -# notes: https://github.com/just-containers/s6-overlay/blob/master/MOVING-TO-V3.md -ENV S6_OVERLAY_VERSION=3.1.5.0 -ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp -RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz -ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-x86_64.tar.xz /tmp -RUN tar -C / -Jxpf /tmp/s6-overlay-x86_64.tar.xz -COPY dockerfiles/s6-rc.d /etc/s6-overlay/s6-rc.d - -################################# -######## install podman ######### -################################# - -#RUN mkdir -p /etc/apt/keyrings -#RUN curl -fsSL "https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/Release.key" \ -# | gpg --dearmor \ -# | tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null -#RUN echo \ -# "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\ -# https://download.opensuse.org/repositories/devel:kubic:libcontainers:unstable/xUbuntu_$(lsb_release -rs)/ /" \ -# | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null -#RUN apt-get update -qq -#RUN apt-get -qq -y install podman -# -# -#RUN setcap cap_setuid+ep /usr/bin/newuidmap -#RUN setcap cap_setgid+ep /usr/bin/newgidmap -#RUN chmod 0777 /usr/bin/newuidmap -#RUN chmod 0777 /usr/bin/newgidmap -# -#RUN printf "plural:1:999\nplural:1001:64535" > /etc/subuid -#RUN printf "plural:1:999\nplural:1001:64535" > /etc/subgid -# -## setup dirs -#RUN mkdir -p /home/plural/.local/share/containers && \ -# mkdir -p /home/plural/.config/containers && \ -# mkdir -p /var/lib/containers -# -## for rootfull podman -#COPY dockerfiles/podman-conf/rootfull/containers.conf 
/etc/containers/containers.conf -#COPY dockerfiles/podman-conf/rootfull/storage.conf /etc/containers/storage.conf -## for rootless podman -#COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/containers.conf /home/plural/.config/containers/containers.conf -#COPY --chown=1000:1000 dockerfiles/podman-conf/rootless/storage.conf /home/plural/.config/containers/storage.conf -## rootless podman still needs to read these -#RUN chmod 644 /etc/containers/containers.conf && \ -# chmod 644 /etc/containers/storage.conf -# -## circumvent overlayfs req? -#RUN chown plural:plural -R /home/plural && chown root:root /var/lib/containers && chmod g+s /var/lib/containers -# -#VOLUME /var/lib/containers -#VOLUME /home/plural/.local/share/containers -# -#ENV _CONTAINERS_USERNS_CONFIGURED="" -# -#RUN mkdir -p /var/lib/shared/overlay-images \ -# /var/lib/shared/overlay-layers \ -# /var/lib/shared/vfs-images \ -# /var/lib/shared/vfs-layers && \ -# touch /var/lib/shared/overlay-images/images.lock && \ -# touch /var/lib/shared/overlay-layers/layers.lock && \ -# touch /var/lib/shared/vfs-images/images.lock && \ -# touch /var/lib/shared/vfs-layers/layers.lock -# -# -## Alias "docker" to "podman" -#RUN ln -s /usr/bin/podman /usr/bin/docker -# -##RUN chsh -s /bin/bash podman - # install kind # K8s.io KinD ENV KIND_VERSION=v0.20.0 
@@ -216,32 +144,15 @@ RUN chmod +x /usr/local/bin/start-session.sh && \ chmod +x /home/plural/boot.sh WORKDIR /home/plural -#ENV XDG_RUNTIME_DIR=/home/plural/.docker -#RUN mkdir -p $XDG_RUNTIME_DIR && \ -# chown 1000:0 $XDG_RUNTIME_DIR && \ -#RUN echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf && sysctl --system - # install docker cli RUN install -m 0755 -d /etc/apt/keyrings && \ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \ chmod a+r /etc/apt/keyrings/docker.gpg && \ - echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null - -RUN apt-get -yq update && apt-get -yq install docker-ce-cli - + echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \ + apt-get -yq update && apt-get -yq install docker-ce-cli USER plural -#ENV DOCKER_VERSION=24.0.0 -#RUN apt-get -yq update && apt-get install -y curl && rm -rf /var/lib/apt/lists/* \ && curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh \ -#RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh --version ${DOCKER_VERSION} && usermod -a -G docker plural -#ENV SKIP_IPTABLES=1 -#RUN curl -fsSL https://get.docker.com/rootless -o get-docker.sh && sh get-docker.sh -#&& usermod -a -G docker plural -#ADD https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker /etc/bash_completion.d/docker.sh - -# setup rootless docker -#RUN dockerd-rootless-setuptool.sh install --skip-iptables COPY tmux /home/plural/tmux COPY welcome.txt /home/plural/welcome.txt 
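Review bot: The merged docker-cli `RUN` at the end of the hunk leaves `/var/lib/apt/lists/*` in the image layer and installs `docker-ce-cli` with recommends and without a version pin, unlike the earlier `apt-get` block in this Dockerfile that ends with `apt-get clean && rm -rf /var/lib/apt/lists/*`. Finish the chain with `apt-get -yq install --no-install-recommends docker-ce-cli && apt-get clean && rm -rf /var/lib/apt/lists/*` so the layer is smaller and the package set is reproducible. Since `USER plural` now follows immediately, any `RUN` added later in the file executes unprivileged — the right default — but a comment such as `# everything below runs as plural; root-only steps must go above this line` would save the next edit from a confusing permission error.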
@@ -251,15 +162,7 @@ RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/inst cat tmux/.zshrc.local >> /home/plural/.zshrc && \ helm plugin install https://github.com/databus23/helm-diff -RUN printf "\nexport PATH=$PATH:/sbin" >> /home/plural/.zshrc && \ - printf "\nexport PATH=$PATH:/home/plural/bin" >> /home/plural/.zshrc - #&& \ -# printf "\nexport DOCKER_HOST=unix:///${XDG_RUNTIME_DIR}/docker.sock" >> /home/plural/.zshrc - ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json -#USER plural -USER root -#ENTRYPOINT [ "/init" ] -ENTRYPOINT [ "/bin/bash" ] +CMD eval $(ssh-agent -s); plural serve From d2fd7b4b09e18746a1efe04795ae700d1c67fee7 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 18:31:32 +0200 Subject: [PATCH 52/57] clean up, not needed with correct unit file --- dockerfiles/dind-config/override.conf | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 dockerfiles/dind-config/override.conf diff --git a/dockerfiles/dind-config/override.conf b/dockerfiles/dind-config/override.conf deleted file mode 100644 index 16572bc1..00000000 --- a/dockerfiles/dind-config/override.conf +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -ExecStart= -ExecStart=/usr/bin/dockerd --config-file /etc/docker/daemon.json \ No newline at end of file From 6ae1e7534a8c00c2300ba012e829f697ed690f33 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 18:31:49 +0200 Subject: [PATCH 53/57] rm dependencies of podman --- dockerfiles/Dockerfile.cloud | 24 +++++++++--------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index d04cb5d6..de446ac2 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
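Review bot: `CMD eval $(ssh-agent -s); plural serve` is shell form, so PID 1 is `/bin/sh -c` and `plural serve` runs as its child: SIGTERM from the orchestrator is delivered to the shell and not forwarded, so the container is only killed after the grace period, and the forked `ssh-agent` is left behind. Use `exec` for the final command, `CMD ["sh", "-c", "eval $(ssh-agent -s); exec plural serve"]`, so signals reach the server directly. The context line `ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"` predates this commit but now backs a long-running `plural serve` process; it disables SSH host-key verification for every git operation and so permits man-in-the-middle of clones and pushes — consider shipping a known_hosts file for the expected git hosts instead. Removing `USER root` and the bash `ENTRYPOINT` so the image finishes as the `plural` user set earlier is a welcome least-privilege change.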
@@ -75,12 +75,6 @@ RUN apt-get -yq update \ less \ lsb-release \ openssh-client \ - xz-utils \ - uidmap \ - dbus-user-session \ - iptables \ - kmod \ - iproute2 \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* @@ -117,8 +111,6 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages. google-cloud-sdk-gke-gcloud-auth-plugin && \ gcloud --help -# create plural user -RUN useradd -u 1000 -ms /bin/bash plural # install kind # K8s.io KinD @@ -127,6 +119,14 @@ RUN curl -Lo ./kind https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64 && chmod +x ./kind \ && mv ./kind /usr/bin/kind +# install docker cli +RUN install -m 0755 -d /etc/apt/keyrings && \ + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \ + chmod a+r /etc/apt/keyrings/docker.gpg && \ + echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \ + apt-get -yq update && apt-get -yq install docker-ce-cli + + WORKDIR /root ENV TERM=xterm-256color @@ -137,6 +137,7 @@ RUN git clone https://github.com/powerline/fonts.git --depth=1 && \ rm -rf fonts WORKDIR $GOPATH/src/plural/ +RUN useradd -ms /bin/bash plural COPY start-session.sh /usr/local/bin/start-session.sh COPY boot.sh /home/plural/boot.sh 
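Review bot: The re-added `RUN useradd -ms /bin/bash plural` in the last hunk drops the explicit `-u 1000` that the removed line in the `@@ -117,8 +111,6 @@` hunk had, so the `plural` UID is now whatever `useradd` allocates next in the base image and can change between base-image updates. That UID is what `USER plural` and the home directory created by `-m` end up with, and it is what Kubernetes `runAsUser`/`fsGroup` settings and ownership on shared volumes (such as the `/var/lib/docker` emptyDir mounted into both containers of `dockerfiles/dind_sidecar.yaml`) have to match; keep it pinned with `RUN useradd -u 1000 -ms /bin/bash plural`. The docker-cli block moved up in the `@@ -127,6 +119,14 @@` hunk installs `docker-ce-cli` unpinned; if reproducible builds matter, pin it as `docker-ce-cli=<version>` the way `KIND_VERSION` and the other tool versions in this Dockerfile are pinned.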
@@ -145,13 +146,6 @@ RUN chmod +x /usr/local/bin/start-session.sh && \ WORKDIR /home/plural -# install docker cli -RUN install -m 0755 -d /etc/apt/keyrings && \ - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \ - chmod a+r /etc/apt/keyrings/docker.gpg && \ - echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \ - apt-get -yq update && apt-get -yq install docker-ce-cli - USER plural COPY tmux /home/plural/tmux From ad2796a69814b58cf79ef910ec9b22655e316d17 Mon Sep 17 00:00:00 2001 From: Hans Rauer Date: Mon, 21 Aug 2023 18:40:57 +0200 Subject: [PATCH 54/57] clean up --- .dockerignore | 7 +------ .gitignore | 1 - dockerfiles/Dockerfile.cloud | 3 --- dockerfiles/dind_sidecar.yaml | 8 ++++---- 4 files changed, 5 insertions(+), 14 deletions(-) diff --git a/.dockerignore b/.dockerignore index afe84816..9bb53457 100644 --- a/.dockerignore +++ b/.dockerignore @@ -16,9 +16,4 @@ hack/ Makefile Dockerfile dockerfiles -dockerfiles/s6-rc.d/user/contents.d/dockerd -dockerfiles/s6-rc.d/user/contents.d/plural -dockerfiles/s6-rc.d/user/contents.d/ssh -!dockerfiles/dind-config -!dockerfiles/s6-rc.d -!dockerfiles/podman-conf \ No newline at end of file +!dockerfiles/dind-config \ No newline at end of file diff --git a/.gitignore b/.gitignore index d9e3db70..5140c33f 100644 --- a/.gitignore +++ b/.gitignore @@ -8,7 +8,6 @@ # Test binary, built with `go test -c` *.test -!Dockerfile.test # Output of the go coverage tool, specifically when used with LiteIDE *.out diff --git a/dockerfiles/Dockerfile.cloud b/dockerfiles/Dockerfile.cloud index de446ac2..15f08ad7 100644 --- a/dockerfiles/Dockerfile.cloud +++ b/dockerfiles/Dockerfile.cloud 
@@ -40,7 +40,6 @@ ENV TERRAFORM_VERSION=v1.2.9 # renovate: datasource=github-tags depName=kubernetes/kubernetes ENV KUBECTL_VERSION=v1.25.5 - RUN apk add --update --no-cache curl ca-certificates unzip wget openssl build-base && \ curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz | tar xvz && \ mv linux-${TARGETARCH}/helm /usr/local/bin/helm && \ @@ -145,7 +144,6 @@ RUN chmod +x /usr/local/bin/start-session.sh && \ chmod +x /home/plural/boot.sh WORKDIR /home/plural - USER plural COPY tmux /home/plural/tmux @@ -158,5 +156,4 @@ RUN sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/inst ENV GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" ENV GOOGLE_APPLICATION_CREDENTIALS=/home/plural/gcp.json - CMD eval $(ssh-agent -s); plural serve diff --git a/dockerfiles/dind_sidecar.yaml b/dockerfiles/dind_sidecar.yaml index ac95a681..133e1147 100644 --- a/dockerfiles/dind_sidecar.yaml +++ b/dockerfiles/dind_sidecar.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Pod metadata: - name: plural-cli-dind-sidecar + name: plural-cli-dind-sidecar-2 namespace: sysbox annotations: io.kubernetes.cri-o.userns-mode: "auto:size=65536" @@ -15,7 +15,7 @@ spec: restartPolicy: Never containers: - name: plural-cli - image: ghcr.io/pluralsh/plural-cli-cloud:sha-0ea22d0 + image: ghcr.io/pluralsh/plural-cli-cloud:sha-993c518 command: ["sh", "-c", "while true; do sleep 3600; done"] resources: requests: @@ -28,7 +28,7 @@ spec: - name: docker mountPath: /var/lib/docker - name: sysbox-dind - image: ghcr.io/nestybox/ubuntu-jammy-systemd-docker:rodny-new + image: ghcr.io/pluralsh/plural-dind:sha-993c518 resources: requests: cpu: 20m @@ -40,4 +40,4 @@ spec: mountPath: /var/lib/docker volumes: - name: docker - emptyDir: {} \ No newline at end of file + emptyDir: {} From 19228685103654d6dd62f4157569391767cf7bc2 Mon Sep 17 00:00:00 2001 
From: Hans Rauer Date: Mon, 21 Aug 2023 18:55:27 +0200 Subject: [PATCH 55/57] rm get-docker.sh was need for debugging --- get-docker.sh | 743 -------------------------------------------------- 1 file changed, 743 deletions(-) delete mode 100644 get-docker.sh diff --git a/get-docker.sh b/get-docker.sh deleted file mode 100644 index 8284dd88..00000000 --- a/get-docker.sh +++ /dev/null 
@@ -1,743 +0,0 @@ -#!/bin/sh -set -e -# Docker Engine for Linux installation script. -# -# This script is intended as a convenient way to configure docker's package -# repositories and to install Docker Engine, This script is not recommended -# for production environments. Before running this script, make yourself familiar -# with potential risks and limitations, and refer to the installation manual -# at https://docs.docker.com/engine/install/ for alternative installation methods. -# -# The script: -# -# - Requires `root` or `sudo` privileges to run. -# - Attempts to detect your Linux distribution and version and configure your -# package management system for you. -# - Doesn't allow you to customize most installation parameters. -# - Installs dependencies and recommendations without asking for confirmation. -# - Installs the latest stable release (by default) of Docker CLI, Docker Engine, -# Docker Buildx, Docker Compose, containerd, and runc. When using this script -# to provision a machine, this may result in unexpected major version upgrades -# of these packages. Always test upgrades in a test environment before -# deploying to your production systems. -# - Isn't designed to upgrade an existing Docker installation. When using the -# script to update an existing installation, dependencies may not be updated -# to the expected version, resulting in outdated versions. -# -# Source code is available at https://github.com/docker/docker-install/ -# -# Usage -# ============================================================================== -# -# To install the latest stable versions of Docker CLI, Docker Engine, and their -# dependencies: -# -# 1. download the script -# -# $ curl -fsSL https://get.docker.com -o install-docker.sh -# -# 2. verify the script's content -# -# $ cat install-docker.sh -# -# 3. run the script with --dry-run to verify the steps it executes -# -# $ sh install-docker.sh --dry-run -# -# 4. 
run the script either as root, or using sudo to perform the installation. -# -# $ sudo sh install-docker.sh -# -# Command-line options -# ============================================================================== -# -# --version -# Use the --version option to install a specific version, for example: -# -# $ sudo sh install-docker.sh --version 23.0 -# -# --channel -# -# Use the --channel option to install from an alternative installation channel. -# The following example installs the latest versions from the "test" channel, -# which includes pre-releases (alpha, beta, rc): -# -# $ sudo sh install-docker.sh --channel test -# -# Alternatively, use the script at https://test.docker.com, which uses the test -# channel as default. -# -# --mirror -# -# Use the --mirror option to install from a mirror supported by this script. -# Available mirrors are "Aliyun" (https://mirrors.aliyun.com/docker-ce), and -# "AzureChinaCloud" (https://mirror.azure.cn/docker-ce), for example: -# -# $ sudo sh install-docker.sh --mirror AzureChinaCloud -# -# ============================================================================== - - -# Git commit from https://github.com/docker/docker-install when -# the script was uploaded (Should only be modified by upload job): -SCRIPT_COMMIT_SHA="c2de0811708b6d9015ed1a2c80f02c9b70c8ce7b" - -# strip "v" prefix if present -VERSION="${VERSION#v}" - -# The channel to install from: -# * stable -# * test -# * edge (deprecated) -# * nightly (unmaintained) -DEFAULT_CHANNEL_VALUE="stable" -if [ -z "$CHANNEL" ]; then - CHANNEL=$DEFAULT_CHANNEL_VALUE -fi - -DEFAULT_DOWNLOAD_URL="https://download.docker.com" -if [ -z "$DOWNLOAD_URL" ]; then - DOWNLOAD_URL=$DEFAULT_DOWNLOAD_URL -fi - -DEFAULT_REPO_FILE="docker-ce.repo" -if [ -z "$REPO_FILE" ]; then - REPO_FILE="$DEFAULT_REPO_FILE" -fi - -mirror='' -DRY_RUN=${DRY_RUN:-} -while [ $# -gt 0 ]; do - case "$1" in - --channel) - CHANNEL="$2" - shift - ;; - --dry-run) - DRY_RUN=1 - ;; - --mirror) - mirror="$2" - shift 
- ;; - --version) - VERSION="${2#v}" - shift - ;; - --*) - echo "Illegal option $1" - ;; - esac - shift $(( $# > 0 ? 1 : 0 )) -done - -case "$mirror" in - Aliyun) - DOWNLOAD_URL="https://mirrors.aliyun.com/docker-ce" - ;; - AzureChinaCloud) - DOWNLOAD_URL="https://mirror.azure.cn/docker-ce" - ;; - "") - ;; - *) - >&2 echo "unknown mirror '$mirror': use either 'Aliyun', or 'AzureChinaCloud'." - exit 1 - ;; -esac - -case "$CHANNEL" in - stable|test) - ;; - edge|nightly) - >&2 echo "DEPRECATED: the $CHANNEL channel has been deprecated and no longer supported by this script." - exit 1 - ;; - *) - >&2 echo "unknown CHANNEL '$CHANNEL': use either stable or test." - exit 1 - ;; -esac - -command_exists() { - command -v "$@" > /dev/null 2>&1 -} - -# version_gte checks if the version specified in $VERSION is at least the given -# SemVer (Maj.Minor[.Patch]), or CalVer (YY.MM) version.It returns 0 (success) -# if $VERSION is either unset (=latest) or newer or equal than the specified -# version, or returns 1 (fail) otherwise. -# -# examples: -# -# VERSION=23.0 -# version_gte 23.0 // 0 (success) -# version_gte 20.10 // 0 (success) -# version_gte 19.03 // 0 (success) -# version_gte 21.10 // 1 (fail) -version_gte() { - if [ -z "$VERSION" ]; then - return 0 - fi - eval version_compare "$VERSION" "$1" -} - -# version_compare compares two version strings (either SemVer (Major.Minor.Path), -# or CalVer (YY.MM) version strings. It returns 0 (success) if version A is newer -# or equal than version B, or 1 (fail) otherwise. Patch releases and pre-release -# (-alpha/-beta) are not taken into account -# -# examples: -# -# version_compare 23.0.0 20.10 // 0 (success) -# version_compare 23.0 20.10 // 0 (success) -# version_compare 20.10 19.03 // 0 (success) -# version_compare 20.10 20.10 // 0 (success) -# version_compare 19.03 20.10 // 1 (fail) -version_compare() ( - set +x - - yy_a="$(echo "$1" | cut -d'.' -f1)" - yy_b="$(echo "$2" | cut -d'.' 
-f1)" - if [ "$yy_a" -lt "$yy_b" ]; then - return 1 - fi - if [ "$yy_a" -gt "$yy_b" ]; then - return 0 - fi - mm_a="$(echo "$1" | cut -d'.' -f2)" - mm_b="$(echo "$2" | cut -d'.' -f2)" - - # trim leading zeros to accommodate CalVer - mm_a="${mm_a#0}" - mm_b="${mm_b#0}" - - if [ "${mm_a:-0}" -lt "${mm_b:-0}" ]; then - return 1 - fi - - return 0 -) - -is_dry_run() { - if [ -z "$DRY_RUN" ]; then - return 1 - else - return 0 - fi -} - -is_wsl() { - case "$(uname -r)" in - *microsoft* ) true ;; # WSL 2 - *Microsoft* ) true ;; # WSL 1 - * ) false;; - esac -} - -is_darwin() { - case "$(uname -s)" in - *darwin* ) true ;; - *Darwin* ) true ;; - * ) false;; - esac -} - -deprecation_notice() { - distro=$1 - distro_version=$2 - echo - printf "\033[91;1mDEPRECATION WARNING\033[0m\n" - printf " This Linux distribution (\033[1m%s %s\033[0m) reached end-of-life and is no longer supported by this script.\n" "$distro" "$distro_version" - echo " No updates or security fixes will be released for this distribution, and users are recommended" - echo " to upgrade to a currently maintained version of $distro." - echo - printf "Press \033[1mCtrl+C\033[0m now to abort this script, or wait for the installation to continue." - echo - sleep 10 -} - -get_distribution() { - lsb_dist="" - # Every system that we officially support has /etc/os-release - if [ -r /etc/os-release ]; then - lsb_dist="$(. 
/etc/os-release && echo "$ID")" - fi - # Returning an empty string here should be alright since the - # case statements don't act unless you provide an actual value - echo "$lsb_dist" -} - -echo_docker_as_nonroot() { - if is_dry_run; then - return - fi - if command_exists docker && [ -e /var/run/docker.sock ]; then - ( - set -x - $sh_c 'docker version' - ) || true - fi - - # intentionally mixed spaces and tabs here -- tabs are stripped by "<<-EOF", spaces are kept in the output - echo - echo "================================================================================" - echo - if version_gte "20.10"; then - echo "To run Docker as a non-privileged user, consider setting up the" - echo "Docker daemon in rootless mode for your user:" - echo - echo " dockerd-rootless-setuptool.sh install" - echo - echo "Visit https://docs.docker.com/go/rootless/ to learn about rootless mode." - echo - fi - echo - echo "To run the Docker daemon as a fully privileged service, but granting non-root" - echo "users access, refer to https://docs.docker.com/go/daemon-access/" - echo - echo "WARNING: Access to the remote API on a privileged Docker daemon is equivalent" - echo " to root access on the host. Refer to the 'Docker daemon attack surface'" - echo " documentation for details: https://docs.docker.com/go/attack-surface/" - echo - echo "================================================================================" - echo -} - -# Check if this is a forked Linux distro -check_forked() { - - # Check for lsb_release command existence, it usually exists in forked distros - if command_exists lsb_release; then - # Check if the `-u` option is supported - set +e - lsb_release -a -u > /dev/null 2>&1 - lsb_release_exit_code=$? - set -e - - # Check if the command has exited successfully, it means we're in a forked distro - if [ "$lsb_release_exit_code" = "0" ]; then - # Print info about current distro - cat <<-EOF - You're using '$lsb_dist' version '$dist_version'. 
- EOF - - # Get the upstream release info - lsb_dist=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'id' | cut -d ':' -f 2 | tr -d '[:space:]') - dist_version=$(lsb_release -a -u 2>&1 | tr '[:upper:]' '[:lower:]' | grep -E 'codename' | cut -d ':' -f 2 | tr -d '[:space:]') - - # Print info about upstream distro - cat <<-EOF - Upstream release is '$lsb_dist' version '$dist_version'. - EOF - else - if [ -r /etc/debian_version ] && [ "$lsb_dist" != "ubuntu" ] && [ "$lsb_dist" != "raspbian" ]; then - if [ "$lsb_dist" = "osmc" ]; then - # OSMC runs Raspbian - lsb_dist=raspbian - else - # We're Debian and don't even know it! - lsb_dist=debian - fi - dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" - case "$dist_version" in - 12) - dist_version="bookworm" - ;; - 11) - dist_version="bullseye" - ;; - 10) - dist_version="buster" - ;; - 9) - dist_version="stretch" - ;; - 8) - dist_version="jessie" - ;; - esac - fi - fi - fi -} - -do_install() { - echo "# Executing docker install script, commit: $SCRIPT_COMMIT_SHA" - - if command_exists docker; then - cat >&2 <<-'EOF' - Warning: the "docker" command appears to already exist on this system. - - If you already have Docker installed, this script can cause trouble, which is - why we're displaying this warning and provide the opportunity to cancel the - installation. - - If you installed the current Docker package using this script and are using it - again to update Docker, you can safely ignore this message. - - You may press Ctrl+C now to abort this script. - EOF - ( set -x; sleep 20 ) - fi - - user="$(id -un 2>/dev/null || true)" - - sh_c='sh -c' - if [ "$user" != 'root' ]; then - if command_exists sudo; then - sh_c='sudo -E sh -c' - elif command_exists su; then - sh_c='su -c' - else - cat >&2 <<-'EOF' - Error: this installer needs the ability to run commands as root. - We are unable to find either "sudo" or "su" available to make this happen. 
- EOF - exit 1 - fi - fi - - if is_dry_run; then - sh_c="echo" - fi - - # perform some very rudimentary platform detection - lsb_dist=$( get_distribution ) - lsb_dist="$(echo "$lsb_dist" | tr '[:upper:]' '[:lower:]')" - - if is_wsl; then - echo - echo "WSL DETECTED: We recommend using Docker Desktop for Windows." - echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop/" - echo - cat >&2 <<-'EOF' - - You may press Ctrl+C now to abort this script. - EOF - ( set -x; sleep 20 ) - fi - - case "$lsb_dist" in - - ubuntu) - if command_exists lsb_release; then - dist_version="$(lsb_release --codename | cut -f2)" - fi - if [ -z "$dist_version" ] && [ -r /etc/lsb-release ]; then - dist_version="$(. /etc/lsb-release && echo "$DISTRIB_CODENAME")" - fi - ;; - - debian|raspbian) - dist_version="$(sed 's/\/.*//' /etc/debian_version | sed 's/\..*//')" - case "$dist_version" in - 12) - dist_version="bookworm" - ;; - 11) - dist_version="bullseye" - ;; - 10) - dist_version="buster" - ;; - 9) - dist_version="stretch" - ;; - 8) - dist_version="jessie" - ;; - esac - ;; - - centos|rhel|sles) - if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then - dist_version="$(. /etc/os-release && echo "$VERSION_ID")" - fi - ;; - - *) - if command_exists lsb_release; then - dist_version="$(lsb_release --release | cut -f2)" - fi - if [ -z "$dist_version" ] && [ -r /etc/os-release ]; then - dist_version="$(. /etc/os-release && echo "$VERSION_ID")" - fi - ;; - - esac - - # Check if this is a forked Linux distro - check_forked - - # Print deprecation warnings for distro versions that recently reached EOL, - # but may still be commonly used (especially LTS versions). 
- case "$lsb_dist.$dist_version" in - debian.stretch|debian.jessie) - deprecation_notice "$lsb_dist" "$dist_version" - ;; - raspbian.stretch|raspbian.jessie) - deprecation_notice "$lsb_dist" "$dist_version" - ;; - ubuntu.xenial|ubuntu.trusty) - deprecation_notice "$lsb_dist" "$dist_version" - ;; - ubuntu.impish|ubuntu.hirsute|ubuntu.groovy|ubuntu.eoan|ubuntu.disco|ubuntu.cosmic) - deprecation_notice "$lsb_dist" "$dist_version" - ;; - fedora.*) - if [ "$dist_version" -lt 36 ]; then - deprecation_notice "$lsb_dist" "$dist_version" - fi - ;; - esac - - # Run setup for each distro accordingly - case "$lsb_dist" in - ubuntu|debian|raspbian) - pre_reqs="apt-transport-https ca-certificates curl" - if ! command -v gpg > /dev/null; then - pre_reqs="$pre_reqs gnupg" - fi - apt_repo="deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] $DOWNLOAD_URL/linux/$lsb_dist $dist_version $CHANNEL" - ( - if ! is_dry_run; then - set -x - fi - $sh_c 'apt-get update -qq >/dev/null' - $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null" - $sh_c 'install -m 0755 -d /etc/apt/keyrings' - $sh_c "curl -fsSL \"$DOWNLOAD_URL/linux/$lsb_dist/gpg\" | gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg" - $sh_c "chmod a+r /etc/apt/keyrings/docker.gpg" - $sh_c "echo \"$apt_repo\" > /etc/apt/sources.list.d/docker.list" - $sh_c 'apt-get update -qq >/dev/null' - ) - pkg_version="" - if [ -n "$VERSION" ]; then - if is_dry_run; then - echo "# WARNING: VERSION pinning is not supported in DRY_RUN" - else - # Will work for incomplete versions IE (17.12), but may not actually grab the "latest" if in the test channel - pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/~ce~.*/g' | sed 's/-/.*/g')" - search_command="apt-cache madison docker-ce | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" - pkg_version="$($sh_c "$search_command")" - echo "INFO: Searching repository for VERSION '$VERSION'" - echo "INFO: $search_command" - if [ -z 
"$pkg_version" ]; then - echo - echo "ERROR: '$VERSION' not found amongst apt-cache madison results" - echo - exit 1 - fi - if version_gte "18.09"; then - search_command="apt-cache madison docker-ce-cli | grep '$pkg_pattern' | head -1 | awk '{\$1=\$1};1' | cut -d' ' -f 3" - echo "INFO: $search_command" - cli_pkg_version="=$($sh_c "$search_command")" - fi - pkg_version="=$pkg_version" - fi - fi - ( - pkgs="docker-ce${pkg_version%=}" - if version_gte "18.09"; then - # older versions didn't ship the cli and containerd as separate packages - pkgs="$pkgs docker-ce-cli${cli_pkg_version%=} containerd.io" - fi - if version_gte "20.10"; then - pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version" - fi - if version_gte "23.0"; then - pkgs="$pkgs docker-buildx-plugin" - fi - if ! is_dry_run; then - set -x - fi - $sh_c "DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pkgs >/dev/null" - ) - echo_docker_as_nonroot - exit 0 - ;; - centos|fedora|rhel) - if [ "$(uname -m)" != "s390x" ] && [ "$lsb_dist" = "rhel" ]; then - echo "Packages for RHEL are currently only available for s390x." - exit 1 - fi - if [ "$lsb_dist" = "fedora" ]; then - pkg_manager="dnf" - config_manager="dnf config-manager" - enable_channel_flag="--set-enabled" - disable_channel_flag="--set-disabled" - pre_reqs="dnf-plugins-core" - pkg_suffix="fc$dist_version" - else - pkg_manager="yum" - config_manager="yum-config-manager" - enable_channel_flag="--enable" - disable_channel_flag="--disable" - pre_reqs="yum-utils" - pkg_suffix="el" - fi - repo_file_url="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" - ( - if ! 
is_dry_run; then - set -x - fi - $sh_c "$pkg_manager install -y -q $pre_reqs" - $sh_c "$config_manager --add-repo $repo_file_url" - - if [ "$CHANNEL" != "stable" ]; then - $sh_c "$config_manager $disable_channel_flag 'docker-ce-*'" - $sh_c "$config_manager $enable_channel_flag 'docker-ce-$CHANNEL'" - fi - $sh_c "$pkg_manager makecache" - ) - pkg_version="" - if [ -n "$VERSION" ]; then - if is_dry_run; then - echo "# WARNING: VERSION pinning is not supported in DRY_RUN" - else - pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/\\\\.ce.*/g' | sed 's/-/.*/g').*$pkg_suffix" - search_command="$pkg_manager list --showduplicates docker-ce | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" - pkg_version="$($sh_c "$search_command")" - echo "INFO: Searching repository for VERSION '$VERSION'" - echo "INFO: $search_command" - if [ -z "$pkg_version" ]; then - echo - echo "ERROR: '$VERSION' not found amongst $pkg_manager list results" - echo - exit 1 - fi - if version_gte "18.09"; then - # older versions don't support a cli package - search_command="$pkg_manager list --showduplicates docker-ce-cli | grep '$pkg_pattern' | tail -1 | awk '{print \$2}'" - cli_pkg_version="$($sh_c "$search_command" | cut -d':' -f 2)" - fi - # Cut out the epoch and prefix with a '-' - pkg_version="-$(echo "$pkg_version" | cut -d':' -f 2)" - fi - fi - ( - pkgs="docker-ce$pkg_version" - if version_gte "18.09"; then - # older versions didn't ship the cli and containerd as separate packages - if [ -n "$cli_pkg_version" ]; then - pkgs="$pkgs docker-ce-cli-$cli_pkg_version containerd.io" - else - pkgs="$pkgs docker-ce-cli containerd.io" - fi - fi - if version_gte "20.10"; then - pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version" - fi - if version_gte "23.0"; then - pkgs="$pkgs docker-buildx-plugin" - fi - if ! 
is_dry_run; then - set -x - fi - $sh_c "$pkg_manager install -y -q $pkgs" - ) - echo_docker_as_nonroot - exit 0 - ;; - sles) - if [ "$(uname -m)" != "s390x" ]; then - echo "Packages for SLES are currently only available for s390x" - exit 1 - fi - if [ "$dist_version" = "15.3" ]; then - sles_version="SLE_15_SP3" - else - sles_minor_version="${dist_version##*.}" - sles_version="15.$sles_minor_version" - fi - repo_file_url="$DOWNLOAD_URL/linux/$lsb_dist/$REPO_FILE" - pre_reqs="ca-certificates curl libseccomp2 awk" - ( - if ! is_dry_run; then - set -x - fi - $sh_c "zypper install -y $pre_reqs" - $sh_c "zypper addrepo $repo_file_url" - if ! is_dry_run; then - cat >&2 <<-'EOF' - WARNING!! - openSUSE repository (https://download.opensuse.org/repositories/security:SELinux) will be enabled now. - Do you wish to continue? - You may press Ctrl+C now to abort this script. - EOF - ( set -x; sleep 30 ) - fi - opensuse_repo="https://download.opensuse.org/repositories/security:SELinux/$sles_version/security:SELinux.repo" - $sh_c "zypper addrepo $opensuse_repo" - $sh_c "zypper --gpg-auto-import-keys refresh" - $sh_c "zypper lr -d" - ) - pkg_version="" - if [ -n "$VERSION" ]; then - if is_dry_run; then - echo "# WARNING: VERSION pinning is not supported in DRY_RUN" - else - pkg_pattern="$(echo "$VERSION" | sed 's/-ce-/\\\\.ce.*/g' | sed 's/-/.*/g')" - search_command="zypper search -s --match-exact 'docker-ce' | grep '$pkg_pattern' | tail -1 | awk '{print \$6}'" - pkg_version="$($sh_c "$search_command")" - echo "INFO: Searching repository for VERSION '$VERSION'" - echo "INFO: $search_command" - if [ -z "$pkg_version" ]; then - echo - echo "ERROR: '$VERSION' not found amongst zypper list results" - echo - exit 1 - fi - search_command="zypper search -s --match-exact 'docker-ce-cli' | grep '$pkg_pattern' | tail -1 | awk '{print \$6}'" - # It's okay for cli_pkg_version to be blank, since older versions don't support a cli package - cli_pkg_version="$($sh_c "$search_command")" - 
pkg_version="-$pkg_version"
- fi
- fi
- (
- pkgs="docker-ce$pkg_version"
- if version_gte "18.09"; then
- if [ -n "$cli_pkg_version" ]; then
- # older versions didn't ship the cli and containerd as separate packages
- pkgs="$pkgs docker-ce-cli-$cli_pkg_version containerd.io"
- else
- pkgs="$pkgs docker-ce-cli containerd.io"
- fi
- fi
- if version_gte "20.10"; then
- pkgs="$pkgs docker-compose-plugin docker-ce-rootless-extras$pkg_version"
- fi
- if version_gte "23.0"; then
- pkgs="$pkgs docker-buildx-plugin"
- fi
- if ! is_dry_run; then
- set -x
- fi
- $sh_c "zypper -q install -y $pkgs"
- )
- echo_docker_as_nonroot
- exit 0
- ;;
- *)
- if [ -z "$lsb_dist" ]; then
- if is_darwin; then
- echo
- echo "ERROR: Unsupported operating system 'macOS'"
- echo "Please get Docker Desktop from https://www.docker.com/products/docker-desktop"
- echo
- exit 1
- fi
- fi
- echo
- echo "ERROR: Unsupported distribution '$lsb_dist'"
- echo
- exit 1
- ;;
- esac
- exit 1
-}
-
-# wrapped up in a function so that we have some protection against only getting
-# half the file during "curl | sh"
-do_install
From 6643090d98f33c8d895be8bb7f6b6a390043bad5 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Mon, 21 Aug 2023 18:55:39 +0200
Subject: [PATCH 56/57] update yaml
---
 dockerfiles/dind_sidecar.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dockerfiles/dind_sidecar.yaml b/dockerfiles/dind_sidecar.yaml
index 133e1147..17df2ead 100644
--- a/dockerfiles/dind_sidecar.yaml
+++ b/dockerfiles/dind_sidecar.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: plural-cli-dind-sidecar-2
+ name: plural-cli-dind-sidecar
 namespace: sysbox
 annotations:
 io.kubernetes.cri-o.userns-mode: "auto:size=65536"
@@ -15,8 +15,8 @@ spec:
 restartPolicy: Never
 containers:
 - name: plural-cli
- image: ghcr.io/pluralsh/plural-cli-cloud:sha-993c518
- command: ["sh", "-c", "while true; do sleep 3600; done"]
+ image: ghcr.io/pluralsh/plural-cli-cloud:pr-428
+ #command: ["sh", "-c", "while true; do sleep 3600; done"]
 resources:
 requests:
 cpu: 10m
@@ -28,7 +28,7 @@ spec:
 - name: docker
 mountPath: /var/lib/docker
 - name: sysbox-dind
- image: ghcr.io/pluralsh/plural-dind:sha-993c518
+ image: ghcr.io/pluralsh/plural-dind:pr-428
 resources:
 requests:
 cpu: 20m
From e7f71274f561b5a98c86ca9044526f63897d0bb8 Mon Sep 17 00:00:00 2001
From: Hans Rauer
Date: Mon, 21 Aug 2023 18:56:27 +0200
Subject: [PATCH 57/57] delete sidecar yaml example, not needed in repo
---
 dockerfiles/dind_sidecar.yaml | 43 -----------------------------------
 1 file changed, 43 deletions(-)
 delete mode 100644 dockerfiles/dind_sidecar.yaml
diff --git a/dockerfiles/dind_sidecar.yaml b/dockerfiles/dind_sidecar.yaml
deleted file mode 100644
index 17df2ead..00000000
--- a/dockerfiles/dind_sidecar.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: plural-cli-dind-sidecar
- namespace: sysbox
- annotations:
- io.kubernetes.cri-o.userns-mode: "auto:size=65536"
-spec:
- runtimeClassName: sysbox-runc
- tolerations:
- - key: plural.sh/sysbox
- operator: Exists
- - key: plural.sh/capacityType
- operator: Exists
- restartPolicy: Never
- containers:
- - name: plural-cli
- image: ghcr.io/pluralsh/plural-cli-cloud:pr-428
- #command: ["sh", "-c", "while true; do sleep 3600; done"]
- resources:
- requests:
- cpu: 10m
- memory: 256Mi
- env:
- - name: DOCKER_HOST
- value: tcp://localhost:2375
- volumeMounts:
- - name: docker
- mountPath: /var/lib/docker
- - name: sysbox-dind
- image: ghcr.io/pluralsh/plural-dind:pr-428
- resources:
- requests:
- cpu: 20m
- memory: 512Mi
- securityContext:
- privileged: false
- volumeMounts:
- - name: docker
- mountPath: /var/lib/docker
- volumes:
- - name: docker
- emptyDir: {}
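Review bot: Commenting out `command` in the second hunk of dind_sidecar.yaml (the `plural-cli` container) leaves dead configuration in the manifest and changes what the container runs — it now starts whatever entrypoint the image defines instead of the sleep loop, and nothing in the file says that is intended. If the sleep loop is no longer wanted, delete the line rather than keep it commented, and record the intent with a comment such as `# no command: run the image's default entrypoint; DOCKER_HOST below points at the sysbox-dind sidecar`. The same hunk and the third hunk also move both images from a commit-specific tag (`sha-993c518`) to a PR tag (`pr-428`); a PR tag is presumably re-pushed on every push to that PR, so the manifest no longer identifies a single build, and for anything beyond throwaway testing pinning by digest (`image: ghcr.io/pluralsh/plural-dind@sha256:<digest>`) or keeping the sha tag is the safer choice. The rest of both container specs lies outside these hunks.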