mirror of
https://github.com/docker/actions-toolkit.git
synced 2024-11-26 22:26:08 +08:00
docker/install: Support rootless
Add support for running a rootless daemon. Currently only Linux host is supported. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This commit is contained in:
parent
8c97b0d9b4
commit
2d2bc848fe
@ -48,35 +48,77 @@ aarch64:https://cloud.debian.org/images/cloud/bookworm/20231013-1532/debian-12-g
|
|||||||
{type: 'archive', version: 'latest', channel: 'stable'} as InstallSourceArchive,
|
{type: 'archive', version: 'latest', channel: 'stable'} as InstallSourceArchive,
|
||||||
])(
|
])(
|
||||||
'install docker %s', async (source) => {
|
'install docker %s', async (source) => {
|
||||||
if (process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu')) {
|
await ensureNoSystemContainerd();
|
||||||
// Remove containerd first on ubuntu runners to make sure it takes
|
|
||||||
// ones packaged with docker
|
|
||||||
await Exec.exec('sudo', ['apt-get', 'remove', '-y', 'containerd.io'], {
|
|
||||||
env: Object.assign({}, process.env, {
|
|
||||||
DEBIAN_FRONTEND: 'noninteractive'
|
|
||||||
}) as {
|
|
||||||
[key: string]: string;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
const install = new Install({
|
const install = new Install({
|
||||||
source: source,
|
source: source,
|
||||||
runDir: tmpDir,
|
runDir: tmpDir,
|
||||||
contextName: 'foo',
|
contextName: 'foo',
|
||||||
daemonConfig: `{"debug":true,"features":{"containerd-snapshotter":true}}`
|
daemonConfig: `{"debug":true,"features":{"containerd-snapshotter":true}}`
|
||||||
});
|
});
|
||||||
await expect((async () => {
|
await expect(tryInstall(install)).resolves.not.toThrow();
|
||||||
try {
|
|
||||||
await install.download();
|
|
||||||
await install.install();
|
|
||||||
await Docker.printVersion();
|
|
||||||
await Docker.printInfo();
|
|
||||||
} catch (error) {
|
|
||||||
console.error(error);
|
|
||||||
throw error;
|
|
||||||
} finally {
|
|
||||||
await install.tearDown();
|
|
||||||
}
|
|
||||||
})()).resolves.not.toThrow();
|
|
||||||
}, 30 * 60 * 1000);
|
}, 30 * 60 * 1000);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
describe('rootless', () => {
|
||||||
|
// prettier-ignore
|
||||||
|
test.each([
|
||||||
|
{type: 'image', tag: 'latest'} as InstallSourceImage,
|
||||||
|
{type: 'archive', version: 'latest', channel: 'stable'} as InstallSourceArchive,
|
||||||
|
])(
|
||||||
|
'install %s', async (source) => {
|
||||||
|
// Skip on non linux
|
||||||
|
if (os.platform() !== 'linux') {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
await ensureNoSystemContainerd();
|
||||||
|
const install = new Install({
|
||||||
|
source: source,
|
||||||
|
runDir: tmpDir,
|
||||||
|
contextName: 'foo',
|
||||||
|
daemonConfig: `{"debug":true}`,
|
||||||
|
rootless: true
|
||||||
|
});
|
||||||
|
await expect(
|
||||||
|
tryInstall(install, async () => {
|
||||||
|
const out = await Docker.getExecOutput(['info', '-f', '{{json .SecurityOptions}}']);
|
||||||
|
expect(out.exitCode).toBe(0);
|
||||||
|
expect(out.stderr.trim()).toBe('');
|
||||||
|
expect(out.stdout.trim()).toContain('rootless');
|
||||||
|
})
|
||||||
|
).resolves.not.toThrow();
|
||||||
|
},
|
||||||
|
30 * 60 * 1000
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
|
async function tryInstall(install: Install, extraCheck?: () => Promise<void>): Promise<void> {
|
||||||
|
try {
|
||||||
|
await install.download();
|
||||||
|
await install.install();
|
||||||
|
await Docker.printVersion();
|
||||||
|
await Docker.printInfo();
|
||||||
|
if (extraCheck) {
|
||||||
|
await extraCheck();
|
||||||
|
}
|
||||||
|
} catch (error) {
|
||||||
|
console.error(error);
|
||||||
|
throw error;
|
||||||
|
} finally {
|
||||||
|
await install.tearDown();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
async function ensureNoSystemContainerd() {
|
||||||
|
if (process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu')) {
|
||||||
|
// Remove containerd first on ubuntu runners to make sure it takes
|
||||||
|
// ones packaged with docker
|
||||||
|
await Exec.exec('sudo', ['apt-get', 'remove', '-y', 'containerd.io'], {
|
||||||
|
env: Object.assign({}, process.env, {
|
||||||
|
DEBIAN_FRONTEND: 'noninteractive'
|
||||||
|
}) as {
|
||||||
|
[key: string]: string;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@ -21,7 +21,6 @@ import os from 'os';
|
|||||||
import path from 'path';
|
import path from 'path';
|
||||||
import retry from 'async-retry';
|
import retry from 'async-retry';
|
||||||
import * as handlebars from 'handlebars';
|
import * as handlebars from 'handlebars';
|
||||||
import * as util from 'util';
|
|
||||||
import * as core from '@actions/core';
|
import * as core from '@actions/core';
|
||||||
import * as httpm from '@actions/http-client';
|
import * as httpm from '@actions/http-client';
|
||||||
import * as io from '@actions/io';
|
import * as io from '@actions/io';
|
||||||
@ -56,6 +55,7 @@ export interface InstallOpts {
|
|||||||
runDir: string;
|
runDir: string;
|
||||||
contextName?: string;
|
contextName?: string;
|
||||||
daemonConfig?: string;
|
daemonConfig?: string;
|
||||||
|
rootless?: boolean;
|
||||||
}
|
}
|
||||||
|
|
||||||
interface LimaImage {
|
interface LimaImage {
|
||||||
@ -65,12 +65,13 @@ interface LimaImage {
|
|||||||
}
|
}
|
||||||
|
|
||||||
export class Install {
|
export class Install {
|
||||||
private readonly runDir: string;
|
private runDir: string;
|
||||||
private readonly source: InstallSource;
|
private readonly source: InstallSource;
|
||||||
private readonly contextName: string;
|
private readonly contextName: string;
|
||||||
private readonly daemonConfig?: string;
|
private readonly daemonConfig?: string;
|
||||||
private _version: string | undefined;
|
private _version: string | undefined;
|
||||||
private _toolDir: string | undefined;
|
private _toolDir: string | undefined;
|
||||||
|
private rootless: boolean;
|
||||||
|
|
||||||
private gitCommit: string | undefined;
|
private gitCommit: string | undefined;
|
||||||
|
|
||||||
@ -78,6 +79,7 @@ export class Install {
|
|||||||
|
|
||||||
constructor(opts: InstallOpts) {
|
constructor(opts: InstallOpts) {
|
||||||
this.runDir = opts.runDir;
|
this.runDir = opts.runDir;
|
||||||
|
this.rootless = opts.rootless || false;
|
||||||
this.source = opts.source || {
|
this.source = opts.source || {
|
||||||
type: 'archive',
|
type: 'archive',
|
||||||
version: 'latest',
|
version: 'latest',
|
||||||
@ -91,25 +93,25 @@ export class Install {
|
|||||||
return this._toolDir || Context.tmpDir();
|
return this._toolDir || Context.tmpDir();
|
||||||
}
|
}
|
||||||
|
|
||||||
async downloadStaticArchive(src: InstallSourceArchive): Promise<string> {
|
async downloadStaticArchive(component: 'docker' | 'docker-rootless-extras', src: InstallSourceArchive): Promise<string> {
|
||||||
const release: GitHubRelease = await Install.getRelease(src.version);
|
const release: GitHubRelease = await Install.getRelease(src.version);
|
||||||
this._version = release.tag_name.replace(/^v+|v+$/g, '');
|
this._version = release.tag_name.replace(/^v+|v+$/g, '');
|
||||||
core.debug(`docker.Install.download version: ${this._version}`);
|
core.debug(`docker.Install.download version: ${this._version}`);
|
||||||
|
|
||||||
const downloadURL = this.downloadURL(this._version, src.channel);
|
const downloadURL = this.downloadURL(component, this._version, src.channel);
|
||||||
core.info(`Downloading ${downloadURL}`);
|
core.info(`Downloading ${downloadURL}`);
|
||||||
|
|
||||||
const downloadPath = await tc.downloadTool(downloadURL);
|
const downloadPath = await tc.downloadTool(downloadURL);
|
||||||
core.debug(`docker.Install.download downloadPath: ${downloadPath}`);
|
core.debug(`docker.Install.download downloadPath: ${downloadPath}`);
|
||||||
|
|
||||||
let extractFolder: string;
|
let extractFolder;
|
||||||
if (os.platform() == 'win32') {
|
if (os.platform() == 'win32') {
|
||||||
extractFolder = await tc.extractZip(downloadPath);
|
extractFolder = await tc.extractZip(downloadPath, extractFolder);
|
||||||
} else {
|
} else {
|
||||||
extractFolder = await tc.extractTar(downloadPath);
|
extractFolder = await tc.extractTar(downloadPath, extractFolder);
|
||||||
}
|
}
|
||||||
if (Util.isDirectory(path.join(extractFolder, 'docker'))) {
|
if (Util.isDirectory(path.join(extractFolder, component))) {
|
||||||
extractFolder = path.join(extractFolder, 'docker');
|
extractFolder = path.join(extractFolder, component);
|
||||||
}
|
}
|
||||||
core.debug(`docker.Install.download extractFolder: ${extractFolder}`);
|
core.debug(`docker.Install.download extractFolder: ${extractFolder}`);
|
||||||
return extractFolder;
|
return extractFolder;
|
||||||
@ -164,7 +166,12 @@ export class Install {
|
|||||||
this._version = version;
|
this._version = version;
|
||||||
|
|
||||||
core.info(`Downloading Docker ${version} from ${this.source.channel} at download.docker.com`);
|
core.info(`Downloading Docker ${version} from ${this.source.channel} at download.docker.com`);
|
||||||
extractFolder = await this.downloadStaticArchive(this.source);
|
extractFolder = await this.downloadStaticArchive('docker', this.source);
|
||||||
|
if (this.rootless) {
|
||||||
|
core.info(`Downloading Docker rootless extras ${version} from ${this.source.channel} at download.docker.com`);
|
||||||
|
const extrasFolder = await this.downloadStaticArchive('docker-rootless-extras', this.source);
|
||||||
|
fs.copyFileSync(path.join(extrasFolder, 'dockerd-rootless.sh'), path.join(extractFolder, 'dockerd-rootless.sh'));
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -195,7 +202,13 @@ export class Install {
|
|||||||
if (!this.runDir) {
|
if (!this.runDir) {
|
||||||
throw new Error('runDir must be set');
|
throw new Error('runDir must be set');
|
||||||
}
|
}
|
||||||
switch (os.platform()) {
|
|
||||||
|
const platform = os.platform();
|
||||||
|
if (this.rootless && platform != 'linux') {
|
||||||
|
// TODO: Support on macOS (via lima)
|
||||||
|
throw new Error(`rootless is only supported on linux`);
|
||||||
|
}
|
||||||
|
switch (platform) {
|
||||||
case 'darwin': {
|
case 'darwin': {
|
||||||
return await this.installDarwin();
|
return await this.installDarwin();
|
||||||
}
|
}
|
||||||
@ -339,21 +352,34 @@ export class Install {
|
|||||||
}
|
}
|
||||||
|
|
||||||
const envs = Object.assign({}, process.env, {
|
const envs = Object.assign({}, process.env, {
|
||||||
PATH: `${this.toolDir}:${process.env.PATH}`
|
PATH: `${this.toolDir}:${process.env.PATH}`,
|
||||||
|
XDG_RUNTIME_DIR: (this.rootless && this.runDir) || undefined
|
||||||
}) as {
|
}) as {
|
||||||
[key: string]: string;
|
[key: string]: string;
|
||||||
};
|
};
|
||||||
|
|
||||||
await core.group('Start Docker daemon', async () => {
|
await core.group('Start Docker daemon', async () => {
|
||||||
const bashPath: string = await io.which('bash', true);
|
const bashPath: string = await io.which('bash', true);
|
||||||
const cmd = `${this.toolDir}/dockerd --host="${dockerHost}" --config-file="${daemonConfigPath}" --exec-root="${this.runDir}/execroot" --data-root="${this.runDir}/data" --pidfile="${this.runDir}/docker.pid" --userland-proxy=false`;
|
let dockerPath = `${this.toolDir}/dockerd`;
|
||||||
|
if (this.rootless) {
|
||||||
|
dockerPath = `${this.toolDir}/dockerd-rootless.sh`;
|
||||||
|
if (fs.existsSync('/proc/sys/kernel/apparmor_restrict_unprivileged_userns')) {
|
||||||
|
await Exec.exec('sudo', ['sh', '-c', 'echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns']);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
const cmd = `${dockerPath} --host="${dockerHost}" --config-file="${daemonConfigPath}" --exec-root="${this.runDir}/execroot" --data-root="${this.runDir}/data" --pidfile="${this.runDir}/docker.pid"`;
|
||||||
core.info(`[command] ${cmd}`); // https://github.com/actions/toolkit/blob/3d652d3133965f63309e4b2e1c8852cdbdcb3833/packages/exec/src/toolrunner.ts#L47
|
core.info(`[command] ${cmd}`); // https://github.com/actions/toolkit/blob/3d652d3133965f63309e4b2e1c8852cdbdcb3833/packages/exec/src/toolrunner.ts#L47
|
||||||
|
let sudo = 'sudo';
|
||||||
|
if (this.rootless) {
|
||||||
|
sudo += ' -u \\#1001';
|
||||||
|
}
|
||||||
const proc = await child_process.spawn(
|
const proc = await child_process.spawn(
|
||||||
// We can't use Exec.exec here because we need to detach the process to
|
// We can't use Exec.exec here because we need to detach the process to
|
||||||
// avoid killing it when the action finishes running. Even if detached,
|
// avoid killing it when the action finishes running. Even if detached,
|
||||||
// we also need to run dockerd in a subshell and unref the process so
|
// we also need to run dockerd in a subshell and unref the process so
|
||||||
// GitHub Action doesn't wait for it to finish.
|
// GitHub Action doesn't wait for it to finish.
|
||||||
`sudo env "PATH=$PATH" ${bashPath} << EOF
|
`${sudo} env "PATH=$PATH" ${bashPath} << EOF
|
||||||
( ${cmd} 2>&1 | tee "${this.runDir}/dockerd.log" ) &
|
( ${cmd} 2>&1 | tee "${this.runDir}/dockerd.log" ) &
|
||||||
EOF`,
|
EOF`,
|
||||||
[],
|
[],
|
||||||
@ -517,11 +543,11 @@ EOF`,
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
private downloadURL(version: string, channel: string): string {
|
private downloadURL(component: 'docker' | 'docker-rootless-extras', version: string, channel: string): string {
|
||||||
const platformOS = Install.platformOS();
|
const platformOS = Install.platformOS();
|
||||||
const platformArch = Install.platformArch();
|
const platformArch = Install.platformArch();
|
||||||
const ext = platformOS === 'win' ? '.zip' : '.tgz';
|
const ext = platformOS === 'win' ? '.zip' : '.tgz';
|
||||||
return util.format('https://download.docker.com/%s/static/%s/%s/docker-%s%s', platformOS, channel, platformArch, version, ext);
|
return `https://download.docker.com/${platformOS}/static/${channel}/${platformArch}/${component}-${version}${ext}`;
|
||||||
}
|
}
|
||||||
|
|
||||||
private static platformOS(): string {
|
private static platformOS(): string {
|
||||||
|
Loading…
Reference in New Issue
Block a user