Adjust bits per review

Author: tianon

18.09-rc/Dockerfile

@@ -54,6 +54,9 @@ COPY docker-entrypoint.sh /usr/local/bin/
 #   docker-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-setting DOCKER_TLS_VERIFY and DOCKER_CERT_PATH
 # (For this to work, at least the "client" subdirectory of this path needs to be shared between the client and server containers via a volume, "docker cp", or other means of data sharing.)
 ENV DOCKER_TLS_CERTDIR=
+# also, ensure the directory pre-exists and has wide enough permissions for "dockerd-entrypoint.sh" to create subdirectories, even when run in "rootless" mode
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+# (doing both /certs and /certs/client so that if Docker does a "copy-up" into a volume defined on /certs/client, it will "do the right thing" by default in a way that still works for rootless users)
 
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["sh"]

18.09-rc/dind/dockerd-entrypoint.sh

@@ -173,13 +173,11 @@ if [ "$1" = 'dockerd' ]; then
 			--port-driver=builtin \
 			--copy-up=/etc --copy-up=/run \
 			${DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS:-} \
-			sh -c '
-				rm -f /run/docker /run/xtables.lock
-				exec "$@" --userland-proxy-path=rootlesskit-docker-proxy
-			' -- "$@"
+			"$@" --userland-proxy-path=rootlesskit-docker-proxy
 	fi
-elif [ "$1" = 'docker' ]; then
-	exec docker-entrypoint.sh "$@"
+else
+	# if it isn't `dockerd` we're trying to run, pass it through `docker-entrypoint.sh` so it gets `DOCKER_HOST` set appropriately too
+	set -- docker-entrypoint.sh "$@"
 fi
 
 exec "$@"

18.09/Dockerfile

@@ -54,6 +54,9 @@ COPY docker-entrypoint.sh /usr/local/bin/
 #   docker-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-setting DOCKER_TLS_VERIFY and DOCKER_CERT_PATH
 # (For this to work, at least the "client" subdirectory of this path needs to be shared between the client and server containers via a volume, "docker cp", or other means of data sharing.)
 ENV DOCKER_TLS_CERTDIR=
+# also, ensure the directory pre-exists and has wide enough permissions for "dockerd-entrypoint.sh" to create subdirectories, even when run in "rootless" mode
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+# (doing both /certs and /certs/client so that if Docker does a "copy-up" into a volume defined on /certs/client, it will "do the right thing" by default in a way that still works for rootless users)
 
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["sh"]

18.09/dind/dockerd-entrypoint.sh

@@ -173,13 +173,11 @@ if [ "$1" = 'dockerd' ]; then
 			--port-driver=builtin \
 			--copy-up=/etc --copy-up=/run \
 			${DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS:-} \
-			sh -c '
-				rm -f /run/docker /run/xtables.lock
-				exec "$@" --userland-proxy-path=rootlesskit-docker-proxy
-			' -- "$@"
+			"$@" --userland-proxy-path=rootlesskit-docker-proxy
 	fi
-elif [ "$1" = 'docker' ]; then
-	exec docker-entrypoint.sh "$@"
+else
+	# if it isn't `dockerd` we're trying to run, pass it through `docker-entrypoint.sh` so it gets `DOCKER_HOST` set appropriately too
+	set -- docker-entrypoint.sh "$@"
 fi
 
 exec "$@"

19.03-rc/Dockerfile

@@ -54,6 +54,9 @@ COPY docker-entrypoint.sh /usr/local/bin/
 #   docker-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-setting DOCKER_TLS_VERIFY and DOCKER_CERT_PATH
 # (For this to work, at least the "client" subdirectory of this path needs to be shared between the client and server containers via a volume, "docker cp", or other means of data sharing.)
 ENV DOCKER_TLS_CERTDIR=/certs
+# also, ensure the directory pre-exists and has wide enough permissions for "dockerd-entrypoint.sh" to create subdirectories, even when run in "rootless" mode
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+# (doing both /certs and /certs/client so that if Docker does a "copy-up" into a volume defined on /certs/client, it will "do the right thing" by default in a way that still works for rootless users)
 
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["sh"]

19.03-rc/dind-rootless/Dockerfile

@@ -65,17 +65,9 @@ RUN set -eux; \
 	apk del --no-network .rootlesskit-build-deps; \
 	rootlesskit --version
 
-# pre-create a few useful directories for our rootless user
+# pre-create "/var/lib/docker" for our rootless user
 RUN set -eux; \
-	mkdir -p \
-		/home/rootless/.local/share/docker \
-		/home/rootless/certs/ca \
-		/home/rootless/certs/client \
-		/home/rootless/certs/server \
-	; \
-	chown -R rootless:rootless \
-		/home/rootless/.local/share/docker \
-		/home/rootless/certs
-ENV DOCKER_TLS_CERTDIR=/home/rootless/certs
+	mkdir -p /home/rootless/.local/share/docker; \
+	chown -R rootless:rootless /home/rootless/.local/share/docker
 VOLUME /home/rootless/.local/share/docker
 USER rootless

19.03-rc/dind/dockerd-entrypoint.sh

@@ -173,13 +173,11 @@ if [ "$1" = 'dockerd' ]; then
 			--port-driver=builtin \
 			--copy-up=/etc --copy-up=/run \
 			${DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS:-} \
-			sh -c '
-				rm -f /run/docker /run/xtables.lock
-				exec "$@" --userland-proxy-path=rootlesskit-docker-proxy
-			' -- "$@"
+			"$@" --userland-proxy-path=rootlesskit-docker-proxy
 	fi
-elif [ "$1" = 'docker' ]; then
-	exec docker-entrypoint.sh "$@"
+else
+	# if it isn't `dockerd` we're trying to run, pass it through `docker-entrypoint.sh` so it gets `DOCKER_HOST` set appropriately too
+	set -- docker-entrypoint.sh "$@"
 fi
 
 exec "$@"

19.03/Dockerfile

@@ -54,6 +54,9 @@ COPY docker-entrypoint.sh /usr/local/bin/
 #   docker-entrypoint.sh uses DOCKER_TLS_CERTDIR for auto-setting DOCKER_TLS_VERIFY and DOCKER_CERT_PATH
 # (For this to work, at least the "client" subdirectory of this path needs to be shared between the client and server containers via a volume, "docker cp", or other means of data sharing.)
 ENV DOCKER_TLS_CERTDIR=/certs
+# also, ensure the directory pre-exists and has wide enough permissions for "dockerd-entrypoint.sh" to create subdirectories, even when run in "rootless" mode
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+# (doing both /certs and /certs/client so that if Docker does a "copy-up" into a volume defined on /certs/client, it will "do the right thing" by default in a way that still works for rootless users)
 
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["sh"]

19.03/dind-rootless/Dockerfile

@@ -65,17 +65,9 @@ RUN set -eux; \
 	apk del --no-network .rootlesskit-build-deps; \
 	rootlesskit --version
 
-# pre-create a few useful directories for our rootless user
+# pre-create "/var/lib/docker" for our rootless user
 RUN set -eux; \
-	mkdir -p \
-		/home/rootless/.local/share/docker \
-		/home/rootless/certs/ca \
-		/home/rootless/certs/client \
-		/home/rootless/certs/server \
-	; \
-	chown -R rootless:rootless \
-		/home/rootless/.local/share/docker \
-		/home/rootless/certs
-ENV DOCKER_TLS_CERTDIR=/home/rootless/certs
+	mkdir -p /home/rootless/.local/share/docker; \
+	chown -R rootless:rootless /home/rootless/.local/share/docker
 VOLUME /home/rootless/.local/share/docker
 USER rootless

19.03/dind/dockerd-entrypoint.sh

@@ -173,13 +173,11 @@ if [ "$1" = 'dockerd' ]; then
 			--port-driver=builtin \
 			--copy-up=/etc --copy-up=/run \
 			${DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS:-} \
-			sh -c '
-				rm -f /run/docker /run/xtables.lock
-				exec "$@" --userland-proxy-path=rootlesskit-docker-proxy
-			' -- "$@"
+			"$@" --userland-proxy-path=rootlesskit-docker-proxy
 	fi
-elif [ "$1" = 'docker' ]; then
-	exec docker-entrypoint.sh "$@"
+else
+	# if it isn't `dockerd` we're trying to run, pass it through `docker-entrypoint.sh` so it gets `DOCKER_HOST` set appropriately too
+	set -- docker-entrypoint.sh "$@"
 fi
 
 exec "$@"