diff --git a/Dockerfile b/Dockerfile
index 38d8341..8f1cfe9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -245,6 +245,7 @@ ENV DISPLAY=:1 \
OMP_WAIT_POLICY=PASSIVE \
GOMP_SPINCOUNT=0 \
HOME=/config \
+ START_DOCKER=true \
NVIDIA_DRIVER_CAPABILITIES=${NVIDIA_DRIVER_CAPABILITIES:+$NVIDIA_DRIVER_CAPABILITIES,}graphics,compat32,utility
# copy over build output
@@ -257,8 +258,11 @@ RUN \
bash \
ca-certificates \
dbus-x11 \
+ docker \
+ docker-cli-compose \
ffmpeg \
font-noto \
+ fuse-overlayfs \
gcompat \
libgcc \
libgomp \
@@ -330,6 +334,17 @@ RUN \
| tar xzvf - -C /kasmbins/ && \
chmod +x /kasmbins/* && \
chown -R 1000:1000 /kasmbins && \
+ echo "**** dind support ****" && \
+ addgroup -S dockremap && \
+ adduser -S -G dockremap dockremap && \
+ echo 'dockremap:165536:65536' >> /etc/subuid && \
+ echo 'dockremap:165536:65536' >> /etc/subgid && \
+ curl -o \
+ /usr/local/bin/dind -L \
+ https://raw.githubusercontent.com/moby/moby/master/hack/dind && \
+ chmod +x /usr/local/bin/dind && \
+ usermod -aG docker abc && \
+ echo 'hosts: files dns' > /etc/nsswitch.conf && \
echo "**** cleanup ****" && \
rm -rf \
/tmp/*
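Review bot: The `curl -o /usr/local/bin/dind -L https://raw.githubusercontent.com/moby/moby/master/hack/dind` step fetches an executable from a moving branch at build time with no pin and no integrity check, so the image is not reproducible and any change to that file upstream lands directly in a script that dockerd-entrypoint.sh later runs as root; `curl` is also called without `-f`, so a 404 body would be written into `/usr/local/bin/dind`, marked executable, and the build would still succeed. I would pin the URL to a commit or tag and verify a digest, e.g. `curl -fsSL -o /usr/local/bin/dind https://raw.githubusercontent.com/moby/moby/<PINNED_COMMIT>/hack/dind && echo "<EXPECTED_SHA256>  /usr/local/bin/dind" | sha256sum -c -` (both values are placeholders to fill in). The same lines appear in the Dockerfile.aarch64 hunk. The enclosing RUN instruction begins before this hunk.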
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 0170501..d18f505 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -119,7 +119,6 @@ RUN \
make && \
make install
-
RUN \
echo "**** build kasmvnc ****" && \
git clone https://github.com/kasmtech/KasmVNC.git src && \
@@ -263,8 +262,11 @@ RUN \
bash \
ca-certificates \
dbus-x11 \
+ docker \
+ docker-cli-compose \
ffmpeg \
font-noto \
+ fuse-overlayfs \
gcompat \
libgcc \
libgomp \
@@ -334,6 +336,17 @@ RUN \
| tar xzvf - -C /kasmbins/ && \
chmod +x /kasmbins/* && \
chown -R 1000:1000 /kasmbins && \
+ echo "**** dind support ****" && \
+ addgroup -S dockremap && \
+ adduser -S -G dockremap dockremap && \
+ echo 'dockremap:165536:65536' >> /etc/subuid && \
+ echo 'dockremap:165536:65536' >> /etc/subgid && \
+ curl -o \
+ /usr/local/bin/dind -L \
+ https://raw.githubusercontent.com/moby/moby/master/hack/dind && \
+ chmod +x /usr/local/bin/dind && \
+ usermod -aG docker abc && \
+ echo 'hosts: files dns' > /etc/nsswitch.conf && \
echo "**** cleanup ****" && \
rm -rf \
/tmp/*
diff --git a/README.md b/README.md
index d60a1b8..3bcab62 100644
--- a/README.md
+++ b/README.md
@@ -1,20 +1,174 @@
-[linuxserverurl]: https://linuxserver.io
-[forumurl]: https://forum.linuxserver.io
-[ircurl]: https://www.linuxserver.io/irc/
-[][linuxserverurl]
-## Contact information:-
-| Type | Address/Details |
-| :---: | --- |
-| Discord | [Discord](https://discord.gg/YWrKVTn) |
-| IRC | freenode at `#linuxserver.io` more information at:- [IRC][ircurl]
-| Forum | [LinuxServer.io forum][forumurl] |
-
-
-[](https://microbadger.com/images/lsiobase/kasmvnc "Get your own image badge on microbadger.com")
-[](https://github.com/linuxserver/docker-baseimage-kasmvnc/blob/master/Dockerfile)
-A custom base image built with [Alpine Linux](https://www.ubuntu.com/) and [KasmVNC](https://github.com/kasmtech/KasmVNC)
+# KasmVNC Base Images from LinuxServer
+
+The purpose of these images is to provide a full featured web native Linux desktop experience for any Linux application or desktop environment. These images replace our old base images at [Rdesktop Web](https://github.com/linuxserver/docker-baseimage-rdesktop-web) for greatly increased performance, fidelity, and feature set. They ship with passwordless sudo to allow easy package installation, testing, and customization. By default they have no logic to mount out anything but the users home directory, meaning on image updates anything outside of `/config` will be lost.
+
+These images contain the following services:
+
+* [KasmVNC](https://www.kasmweb.com/kasmvnc) - The core technology for interacting with a containerized desktop from a web browser.
+* [Kclient](https://github.com/linuxserver/kclient) - NodeJS Iframe wrapper for KasmVNC providing audio and file access.
+* [NGINX](https://www.nginx.com/) - Used to serve the mix of KasmVNC and Kclient with the appropriate headers and provide basic auth.
+* [Docker](https://www.docker.com/) - Can be used for interacting with a mounted in Docker socket or if the container is run in privileged mode will start a [DinD](https://www.docker.com/blog/docker-can-now-run-within-docker/) setup.
+* [PulseAudio](https://www.freedesktop.org/wiki/Software/PulseAudio/) - Sound subsystem used to capture audio from the active desktop session and send it to the browser via the Kclient helper application.
+
+# Options
+
+**Authentication for these containers is included as a convenience and to keep in sync with the previous xrdp containers they replace. We use bash to substitute in settings user/password and some strings might break that. In general this authentication mechanism should be used to keep the kids out not the internet**
+
+If you are looking for a robust secure application gateway please check out [SWAG](https://github.com/linuxserver/docker-swag).
+
+All application settings are passed via environment variables:
+
+| Variable | Description |
+| :----: | --- |
+| CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. |
+| CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. |
+| CUSTOM_USER | HTTP Basic auth username, abc is default. |
+| PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
+| SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` |
+| TITLE | The page title displayed on the web browser, default "KasmVNC Client". |
+| FM_HOME | This is the home directory (landing) for the file manager, default "/config". |
+| START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. |
+| DRINODE | If mounting in /dev/dri for [DRI3 GPU Acceleration](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html) allows you to specify the device to use |
+
+# Available Distros
+
+All base images are built for x86_64 and aarch64 platforms.
+
+| Distro | Current Tag |
+| :----: | --- |
+| Alpine | alpine317 |
+| Arch | arch |
+| Debian | debianbullseye |
+| Fedora | fedora37 |
+| Ubuntu | ubuntujammy |
+
+# I like to read documentation
+
+## Building images
+
+### Application containers
+
+Included in these base images is a simple [Openbox DE](http://openbox.org/) and the accompanying logic needed to launch a single application. Lets look at the bare minimum needed to create an application container starting with a Dockerfile:
+
+```
+FROM ghcr.io/linuxserver/baseimage-kasmvnc:alpine317
+RUN apk add --no-cache firefox
+COPY /root /
+```
+
+And we can define the application to start using:
+
+```
+mkdir -p root/defaults
+echo "firefox" > /root/defaults/autostart
+```
+
+Resulting in a folder that looks like this:
+
+```
+├── Dockerfile
+└── root
+ └── defaults
+ └── autostart
+```
+
+Now build and test:
+
+```
+docker build -t firefox .
+docker run --rm -it -p 3000:3000 firefox bash
+```
+
+On http://localhost:3000 you should be presented with a Firefox web browser interface.
+
+This similar setup can be used to embed any Linux Desktop application in a web accesible container.
+
+**If building images it is important to note that many application will not work inside of Docker without `--security-opt seccomp=unconfined`, they may have launch flags to not use syscalls blocked by Docker like with chromium based applications and `--no-sandbox`. In general do not expect every application will simply work like a native Linux installation without some modifications**
+
+#### In container application launching
+
+Also included in the init logic is the ability to define application launchers. As the user has the ability to close the application or if they want to open multiple instances of it this can be useful. Here is an example of a menu definition file for Firefox:
+
+```
+
+
+
+
+```
+
+Simply create this file and add it to your defaults folder as `menu.xml`:
+
+```
+├── Dockerfile
+└── root
+ └── defaults
+ └── autostart
+ └── menu.xml
+```
+
+This allows users to right click the desktop background to launch the application.
+
+
+### Full Desktop environments
+
+When building an application container we are leveraging the Openbox DE to handle window management, but it is also possible to completely replace the DE that is launched on container init using the `startwm.sh` script, located again in defaults:
+
+```
+├── Dockerfile
+└── root
+ └── defaults
+ └── startwm.sh
+```
+
+If included in the build logic it will be launched in place of Openbox. Examples for this kind of configuration can be found in our [Webtop repository](https://github.com/linuxserver/docker-webtop)
+
+### Kasm Workspaces compatibility
+
+Included in these base images are binary blobs `/kasmbins` and a special init process `/kasminit` to maintain compatibility with [Kasm Workspaces](https://www.kasmweb.com/), If using this base image as reccomended with the `startwm.sh` or `autostart` entrypoints. They will be able to be used on that platform without issue.
+
+## Docker in Docker (DinD)
+
+These base images include an installation of Docker that can be used in two ways. The simple method is simply leveraging the Docker/Docker Compose cli bins to manage the host level Docker installation by mounting in `-v /var/run/docker.sock:/var/run/docker.sock`.
+
+The base images can also run an isolated in container DinD setup simply by passing `--privileged` to the container when launching. If for any reason the application needs privilege but Docker is not wanted the `-e START_DOCKER=false` can be set at runtime or in the Dockerfile.
+In container Docker (DinD) will most likely use the fuse-overlayfs driver for storage which is not as fast as native overlay2. To increase perormance the `/var/lib/docker/` directory in the container can be mounted out to a Linux host and will use overlay2. Keep in mind Docker runs as root and the contents of this directory will not respect the PUID/PGID environment variables available on all LinuxServer.io containers.
+
+## DRI3 GPU Acceleration
+
+For accelerated apps or games, render devices can be mounted into the container and leveraged by applications using:
+
+`--device /dev/dri:/dev/dri`
+
+This feature only supports **Open Source** GPU drivers:
+
+| Driver | Description |
+| :----: | --- |
+| Intel | i965 and i915 drivers for Intel iGPU chipsets |
+| AMD | AMDGPU, Radeon, and ATI drivers for AMD dedicated or APU chipsets |
+| NVIDIA | nouveau2 drivers only, closed source NVIDIA drivers lack DRI3 support |
+
+The `DRINODE` environment variable can be used to point to a specific GPU.
+Up to date information can be found [here](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html)
+
+## Lossless
+
+These images support all the native KasmVNC encoding methods including a true 24 bit RGB lossless mode using the [Quite OK Image Format](https://qoiformat.org/). This mode will use all the bandwidth you give it so just keep that in mind for remote sessions. This mode also might require special configuration depending on how you are accessing the container. Lossless will only work over http (default port 3000) on localhost, when accessing remotely or even over a local network you need to use https (default port 3001) to support [SharedArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer). This is needed to leverage a fast memory pipeline in the browser during the threaded WebAssembly based decoding. This can be enabled in the sidebar under settings>stream quality>lossless.
+
+If putting this container behind a proxy of some kind some headers will need to be set to again support SharedArrayBuffers here is a default NGINX configuration format:
+
+```
+add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
+add_header 'Cross-Origin-Opener-Policy' 'same-origin';
+add_header 'Cross-Origin-Resource-Policy' 'same-site';
+```
+
+More information [here](https://www.kasmweb.com/docs/latest/how_to/lossless.html)
+
The following line is only in this repo for loop testing:
- { date: "01.01.50:", desc: "I am the release message for this internal repo." }
diff --git a/readme-vars.yml b/readme-vars.yml
index 7d8b8a6..a7bf74d 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -4,21 +4,175 @@
project_name: baseimage-kasmvnc
full_custom_readme: |
{% raw -%}
- [linuxserverurl]: https://linuxserver.io
- [forumurl]: https://forum.linuxserver.io
- [ircurl]: https://www.linuxserver.io/irc/
- [][linuxserverurl]
- ## Contact information:-
- | Type | Address/Details |
- | :---: | --- |
- | Discord | [Discord](https://discord.gg/YWrKVTn) |
- | IRC | freenode at `#linuxserver.io` more information at:- [IRC][ircurl]
- | Forum | [LinuxServer.io forum][forumurl] |
-
-
- [](https://microbadger.com/images/lsiobase/kasmvnc "Get your own image badge on microbadger.com")
- [](https://github.com/linuxserver/docker-baseimage-kasmvnc/blob/master/Dockerfile)
- A custom base image built with [Alpine Linux](https://www.ubuntu.com/) and [KasmVNC](https://github.com/kasmtech/KasmVNC)
+ # KasmVNC Base Images from LinuxServer
+
+ The purpose of these images is to provide a full featured web native Linux desktop experience for any Linux application or desktop environment. These images replace our old base images at [Rdesktop Web](https://github.com/linuxserver/docker-baseimage-rdesktop-web) for greatly increased performance, fidelity, and feature set. They ship with passwordless sudo to allow easy package installation, testing, and customization. By default they have no logic to mount out anything but the users home directory, meaning on image updates anything outside of `/config` will be lost.
+
+ These images contain the following services:
+
+ * [KasmVNC](https://www.kasmweb.com/kasmvnc) - The core technology for interacting with a containerized desktop from a web browser.
+ * [Kclient](https://github.com/linuxserver/kclient) - NodeJS Iframe wrapper for KasmVNC providing audio and file access.
+ * [NGINX](https://www.nginx.com/) - Used to serve the mix of KasmVNC and Kclient with the appropriate headers and provide basic auth.
+ * [Docker](https://www.docker.com/) - Can be used for interacting with a mounted in Docker socket or if the container is run in privileged mode will start a [DinD](https://www.docker.com/blog/docker-can-now-run-within-docker/) setup.
+ * [PulseAudio](https://www.freedesktop.org/wiki/Software/PulseAudio/) - Sound subsystem used to capture audio from the active desktop session and send it to the browser via the Kclient helper application.
+
+ # Options
+
+ **Authentication for these containers is included as a convenience and to keep in sync with the previous xrdp containers they replace. We use bash to substitute in settings user/password and some strings might break that. In general this authentication mechanism should be used to keep the kids out not the internet**
+
+ If you are looking for a robust secure application gateway please check out [SWAG](https://github.com/linuxserver/docker-swag).
+
+ All application settings are passed via environment variables:
+
+ | Variable | Description |
+ | :----: | --- |
+ | CUSTOM_PORT | Internal port the container listens on for http if it needs to be swapped from the default 3000. |
+ | CUSTOM_HTTPS_PORT | Internal port the container listens on for https if it needs to be swapped from the default 3001. |
+ | CUSTOM_USER | HTTP Basic auth username, abc is default. |
+ | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
+ | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` |
+ | TITLE | The page title displayed on the web browser, default "KasmVNC Client". |
+ | FM_HOME | This is the home directory (landing) for the file manager, default "/config". |
+ | START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. |
+ | DRINODE | If mounting in /dev/dri for [DRI3 GPU Acceleration](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html) allows you to specify the device to use |
+
+ # Available Distros
+
+ All base images are built for x86_64 and aarch64 platforms.
+
+ | Distro | Current Tag |
+ | :----: | --- |
+ | Alpine | alpine317 |
+ | Arch | arch |
+ | Debian | debianbullseye |
+ | Fedora | fedora37 |
+ | Ubuntu | ubuntujammy |
+
+ # I like to read documentation
+
+ ## Building images
+
+ ### Application containers
+
+ Included in these base images is a simple [Openbox DE](http://openbox.org/) and the accompanying logic needed to launch a single application. Lets look at the bare minimum needed to create an application container starting with a Dockerfile:
+
+ ```
+ FROM ghcr.io/linuxserver/baseimage-kasmvnc:alpine317
+ RUN apk add --no-cache firefox
+ COPY /root /
+ ```
+
+ And we can define the application to start using:
+
+ ```
+ mkdir -p root/defaults
+ echo "firefox" > /root/defaults/autostart
+ ```
+
+ Resulting in a folder that looks like this:
+
+ ```
+ ├── Dockerfile
+ └── root
+ └── defaults
+ └── autostart
+ ```
+
+ Now build and test:
+
+ ```
+ docker build -t firefox .
+ docker run --rm -it -p 3000:3000 firefox bash
+ ```
+
+ On http://localhost:3000 you should be presented with a Firefox web browser interface.
+
+ This similar setup can be used to embed any Linux Desktop application in a web accesible container.
+
+ **If building images it is important to note that many application will not work inside of Docker without `--security-opt seccomp=unconfined`, they may have launch flags to not use syscalls blocked by Docker like with chromium based applications and `--no-sandbox`. In general do not expect every application will simply work like a native Linux installation without some modifications**
+
+ #### In container application launching
+
+ Also included in the init logic is the ability to define application launchers. As the user has the ability to close the application or if they want to open multiple instances of it this can be useful. Here is an example of a menu definition file for Firefox:
+
+ ```
+
+
+
+
+ ```
+
+ Simply create this file and add it to your defaults folder as `menu.xml`:
+
+ ```
+ ├── Dockerfile
+ └── root
+ └── defaults
+ └── autostart
+ └── menu.xml
+ ```
+
+ This allows users to right click the desktop background to launch the application.
+
+
+ ### Full Desktop environments
+
+ When building an application container we are leveraging the Openbox DE to handle window management, but it is also possible to completely replace the DE that is launched on container init using the `startwm.sh` script, located again in defaults:
+
+ ```
+ ├── Dockerfile
+ └── root
+ └── defaults
+ └── startwm.sh
+ ```
+
+ If included in the build logic it will be launched in place of Openbox. Examples for this kind of configuration can be found in our [Webtop repository](https://github.com/linuxserver/docker-webtop)
+
+ ### Kasm Workspaces compatibility
+
+ Included in these base images are binary blobs `/kasmbins` and a special init process `/kasminit` to maintain compatibility with [Kasm Workspaces](https://www.kasmweb.com/), If using this base image as reccomended with the `startwm.sh` or `autostart` entrypoints. They will be able to be used on that platform without issue.
+
+ ## Docker in Docker (DinD)
+
+ These base images include an installation of Docker that can be used in two ways. The simple method is simply leveraging the Docker/Docker Compose cli bins to manage the host level Docker installation by mounting in `-v /var/run/docker.sock:/var/run/docker.sock`.
+
+ The base images can also run an isolated in container DinD setup simply by passing `--privileged` to the container when launching. If for any reason the application needs privilege but Docker is not wanted the `-e START_DOCKER=false` can be set at runtime or in the Dockerfile.
+ In container Docker (DinD) will most likely use the fuse-overlayfs driver for storage which is not as fast as native overlay2. To increase perormance the `/var/lib/docker/` directory in the container can be mounted out to a Linux host and will use overlay2. Keep in mind Docker runs as root and the contents of this directory will not respect the PUID/PGID environment variables available on all LinuxServer.io containers.
+
+ ## DRI3 GPU Acceleration
+
+ For accelerated apps or games, render devices can be mounted into the container and leveraged by applications using:
+
+ `--device /dev/dri:/dev/dri`
+
+ This feature only supports **Open Source** GPU drivers:
+
+ | Driver | Description |
+ | :----: | --- |
+ | Intel | i965 and i915 drivers for Intel iGPU chipsets |
+ | AMD | AMDGPU, Radeon, and ATI drivers for AMD dedicated or APU chipsets |
+ | NVIDIA | nouveau2 drivers only, closed source NVIDIA drivers lack DRI3 support |
+
+ The `DRINODE` environment variable can be used to point to a specific GPU.
+ Up to date information can be found [here](https://www.kasmweb.com/kasmvnc/docs/master/gpu_acceleration.html)
+
+ ## Lossless
+
+ These images support all the native KasmVNC encoding methods including a true 24 bit RGB lossless mode using the [Quite OK Image Format](https://qoiformat.org/). This mode will use all the bandwidth you give it so just keep that in mind for remote sessions. This mode also might require special configuration depending on how you are accessing the container. Lossless will only work over http (default port 3000) on localhost, when accessing remotely or even over a local network you need to use https (default port 3001) to support [SharedArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer). This is needed to leverage a fast memory pipeline in the browser during the threaded WebAssembly based decoding. This can be enabled in the sidebar under settings>stream quality>lossless.
+
+ If putting this container behind a proxy of some kind some headers will need to be set to again support SharedArrayBuffers here is a default NGINX configuration format:
+
+ ```
+ add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
+ add_header 'Cross-Origin-Opener-Policy' 'same-origin';
+ add_header 'Cross-Origin-Resource-Policy' 'same-site';
+ ```
+
+ More information [here](https://www.kasmweb.com/docs/latest/how_to/lossless.html)
+
The following line is only in this repo for loop testing:
- { date: "01.01.50:", desc: "I am the release message for this internal repo." }
{%- endraw %}
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-docker/dependencies.d/init-services b/root/etc/s6-overlay/s6-rc.d/svc-docker/dependencies.d/init-services
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-docker/dependencies.d/svc-de b/root/etc/s6-overlay/s6-rc.d/svc-docker/dependencies.d/svc-de
new file mode 100644
index 0000000..e69de29
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-docker/run b/root/etc/s6-overlay/s6-rc.d/svc-docker/run
new file mode 100644
index 0000000..09cd71c
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-docker/run
@@ -0,0 +1,15 @@
+#!/usr/bin/with-contenv bash
+
+# We need to wait for kclient to be full up as docker init breaks audio
+sleep 5
+
+# Make sure this is a priv container
+if unshare; then
+ if [ "${START_DOCKER}" == "true" ]; then
+ exec /usr/local/bin/dockerd-entrypoint.sh -l error
+ else
+ sleep infinity
+ fi
+fi
+# if anything goes wrong with Docker don't loop
+sleep infinity
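Review bot: `if unshare; then` does not test for a privileged container: with no namespace flag and no program, unshare(1) runs `${SHELL:-/bin/sh}` reading from the service's stdin, so as far as I can tell the branch is taken whenever that shell exits cleanly rather than when the container holds the capabilities dockerd needs, and an unprivileged container with START_DOCKER=true would then exec dockerd-entrypoint.sh and presumably fail. A probe that actually requires a capability, e.g. `if unshare --mount true >/dev/null 2>&1; then`, would match the intent of the comment above it. The `sleep infinity` fallbacks also hide why Docker was not started; a one-line `echo` to stderr before each would make the state visible in the service log.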
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-docker/type b/root/etc/s6-overlay/s6-rc.d/svc-docker/type
new file mode 100644
index 0000000..5883cff
--- /dev/null
+++ b/root/etc/s6-overlay/s6-rc.d/svc-docker/type
@@ -0,0 +1 @@
+longrun
diff --git a/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-docker b/root/etc/s6-overlay/s6-rc.d/user/contents.d/svc-docker
new file mode 100644
index 0000000..e69de29
diff --git a/root/usr/local/bin/dockerd-entrypoint.sh b/root/usr/local/bin/dockerd-entrypoint.sh
new file mode 100755
index 0000000..0f843e0
--- /dev/null
+++ b/root/usr/local/bin/dockerd-entrypoint.sh
@@ -0,0 +1,196 @@
+#!/bin/sh
+set -eu
+
+_tls_ensure_private() {
+ local f="$1"; shift
+ [ -s "$f" ] || openssl genrsa -out "$f" 4096
+}
+_tls_san() {
+ {
+ ip -oneline address | awk '{ gsub(/\/.+$/, "", $4); print "IP:" $4 }'
+ {
+ cat /etc/hostname
+ echo 'docker'
+ echo 'localhost'
+ hostname -f
+ hostname -s
+ } | sed 's/^/DNS:/'
+ [ -z "${DOCKER_TLS_SAN:-}" ] || echo "$DOCKER_TLS_SAN"
+ } | sort -u | xargs printf '%s,' | sed "s/,\$//"
+}
+_tls_generate_certs() {
+ local dir="$1"; shift
+
+ # if ca/key.pem || !ca/cert.pem, generate CA public if necessary
+ # if ca/key.pem, generate server public
+ # if ca/key.pem, generate client public
+ # (regenerating public certs every startup to account for SAN/IP changes and/or expiration)
+
+ # https://github.com/FiloSottile/mkcert/issues/174
+ local certValidDays='825'
+
+ if [ -s "$dir/ca/key.pem" ] || [ ! -s "$dir/ca/cert.pem" ]; then
+ # if we either have a CA private key or do *not* have a CA public key, then we should create/manage the CA
+ mkdir -p "$dir/ca"
+ _tls_ensure_private "$dir/ca/key.pem"
+ openssl req -new -key "$dir/ca/key.pem" \
+ -out "$dir/ca/cert.pem" \
+ -subj '/CN=docker:dind CA' -x509 -days "$certValidDays"
+ fi
+
+ if [ -s "$dir/ca/key.pem" ]; then
+ # if we have a CA private key, we should create/manage a server key
+ mkdir -p "$dir/server"
+ _tls_ensure_private "$dir/server/key.pem"
+ openssl req -new -key "$dir/server/key.pem" \
+ -out "$dir/server/csr.pem" \
+ -subj '/CN=docker:dind server'
+ cat > "$dir/server/openssl.cnf" <<-EOF
+ [ x509_exts ]
+ subjectAltName = $(_tls_san)
+ EOF
+ openssl x509 -req \
+ -in "$dir/server/csr.pem" \
+ -CA "$dir/ca/cert.pem" \
+ -CAkey "$dir/ca/key.pem" \
+ -CAcreateserial \
+ -out "$dir/server/cert.pem" \
+ -days "$certValidDays" \
+ -extfile "$dir/server/openssl.cnf" \
+ -extensions x509_exts
+ cp "$dir/ca/cert.pem" "$dir/server/ca.pem"
+ openssl verify -CAfile "$dir/server/ca.pem" "$dir/server/cert.pem"
+ fi
+
+ if [ -s "$dir/ca/key.pem" ]; then
+ # if we have a CA private key, we should create/manage a client key
+ mkdir -p "$dir/client"
+ _tls_ensure_private "$dir/client/key.pem"
+ chmod 0644 "$dir/client/key.pem" # openssl defaults to 0600 for the private key, but this one needs to be shared with arbitrary client contexts
+ openssl req -new \
+ -key "$dir/client/key.pem" \
+ -out "$dir/client/csr.pem" \
+ -subj '/CN=docker:dind client'
+ cat > "$dir/client/openssl.cnf" <<-'EOF'
+ [ x509_exts ]
+ extendedKeyUsage = clientAuth
+ EOF
+ openssl x509 -req \
+ -in "$dir/client/csr.pem" \
+ -CA "$dir/ca/cert.pem" \
+ -CAkey "$dir/ca/key.pem" \
+ -CAcreateserial \
+ -out "$dir/client/cert.pem" \
+ -days "$certValidDays" \
+ -extfile "$dir/client/openssl.cnf" \
+ -extensions x509_exts
+ cp "$dir/ca/cert.pem" "$dir/client/ca.pem"
+ openssl verify -CAfile "$dir/client/ca.pem" "$dir/client/cert.pem"
+ fi
+}
+
+# no arguments passed
+# or first arg is `-f` or `--some-option`
+if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
+ # set "dockerSocket" to the default "--host" *unix socket* value (for both standard or rootless)
+ uid="$(id -u)"
+ if [ "$uid" = '0' ]; then
+ dockerSocket='unix:///var/run/docker.sock'
+ else
+ # if we're not root, we must be trying to run rootless
+ : "${XDG_RUNTIME_DIR:=/run/user/$uid}"
+ dockerSocket="unix://$XDG_RUNTIME_DIR/docker.sock"
+ fi
+ case "${DOCKER_HOST:-}" in
+ unix://*)
+ dockerSocket="$DOCKER_HOST"
+ ;;
+ esac
+
+ # add our default arguments
+ if [ -n "${DOCKER_TLS_CERTDIR:-}" ] \
+ && _tls_generate_certs "$DOCKER_TLS_CERTDIR" \
+ && [ -s "$DOCKER_TLS_CERTDIR/server/ca.pem" ] \
+ && [ -s "$DOCKER_TLS_CERTDIR/server/cert.pem" ] \
+ && [ -s "$DOCKER_TLS_CERTDIR/server/key.pem" ] \
+ ; then
+ # generate certs and use TLS if requested/possible (default in 19.03+)
+ set -- dockerd \
+ --host="$dockerSocket" \
+ --host=tcp://0.0.0.0:2376 \
+ --tlsverify \
+ --tlscacert "$DOCKER_TLS_CERTDIR/server/ca.pem" \
+ --tlscert "$DOCKER_TLS_CERTDIR/server/cert.pem" \
+ --tlskey "$DOCKER_TLS_CERTDIR/server/key.pem" \
+ "$@"
+ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="${DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS:-} -p 0.0.0.0:2376:2376/tcp"
+ else
+ # TLS disabled (-e DOCKER_TLS_CERTDIR='') or missing certs
+ set -- dockerd \
+ --host="$dockerSocket" \
+ "$@"
+ DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS="${DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS:-} -p 0.0.0.0:2375:2375/tcp"
+ fi
+fi
+
+if [ "$1" = 'dockerd' ]; then
+ # explicitly remove Docker's default PID file to ensure that it can start properly if it was stopped uncleanly (and thus didn't clean up the PID file)
+ find /run /var/run -iname 'docker*.pid' -delete || :
+
+ if dockerd --version | grep -qF ' 20.10.'; then
+ set -- docker-init -- "$@"
+ fi
+
+ if ! iptables -nL > /dev/null 2>&1; then
+ # if iptables fails to run, chances are high the necessary kernel modules aren't loaded (perhaps the host is using nftables with the translating "iptables" wrappers, for example)
+ # https://github.com/docker-library/docker/issues/350
+ # https://github.com/moby/moby/issues/26824
+ modprobe ip_tables || :
+ fi
+
+ uid="$(id -u)"
+ if [ "$uid" != '0' ]; then
+ # if we're not root, we must be trying to run rootless
+ if ! command -v rootlesskit > /dev/null; then
+ echo >&2 "error: attempting to run rootless dockerd but missing 'rootlesskit' (perhaps the 'docker:dind-rootless' image variant is intended?)"
+ exit 1
+ fi
+ user="$(id -un 2>/dev/null || :)"
+ if ! grep -qE "^($uid${user:+|$user}):" /etc/subuid || ! grep -qE "^($uid${user:+|$user}):" /etc/subgid; then
+ echo >&2 "error: attempting to run rootless dockerd but missing necessary entries in /etc/subuid and/or /etc/subgid for $uid"
+ exit 1
+ fi
+ : "${XDG_RUNTIME_DIR:=/run/user/$uid}"
+ export XDG_RUNTIME_DIR
+ if ! mkdir -p "$XDG_RUNTIME_DIR" || [ ! -w "$XDG_RUNTIME_DIR" ] || ! mkdir -p "$HOME/.local/share/docker" || [ ! -w "$HOME/.local/share/docker" ]; then
+ echo >&2 "error: attempting to run rootless dockerd but need writable HOME ($HOME) and XDG_RUNTIME_DIR ($XDG_RUNTIME_DIR) for user $uid"
+ exit 1
+ fi
+ if [ -f /proc/sys/kernel/unprivileged_userns_clone ] && unprivClone="$(cat /proc/sys/kernel/unprivileged_userns_clone)" && [ "$unprivClone" != '1' ]; then
+ echo >&2 "error: attempting to run rootless dockerd but need 'kernel.unprivileged_userns_clone' (/proc/sys/kernel/unprivileged_userns_clone) set to 1"
+ exit 1
+ fi
+ if [ -f /proc/sys/user/max_user_namespaces ] && maxUserns="$(cat /proc/sys/user/max_user_namespaces)" && [ "$maxUserns" = '0' ]; then
+ echo >&2 "error: attempting to run rootless dockerd but need 'user.max_user_namespaces' (/proc/sys/user/max_user_namespaces) set to a sufficiently large value"
+ exit 1
+ fi
+ # TODO overlay support detection?
+ exec rootlesskit \
+ --net="${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:-vpnkit}" \
+ --mtu="${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:-1500}" \
+ --disable-host-loopback \
+ --port-driver=builtin \
+ --copy-up=/etc \
+ --copy-up=/run \
+ ${DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS:-} \
+ "$@"
+ elif [ -x '/usr/local/bin/dind' ]; then
+ # if we have the (mostly defunct now) Docker-in-Docker wrapper script, use it
+ set -- '/usr/local/bin/dind' "$@"
+ fi
+else
+ # if it isn't `dockerd` we're trying to run, pass it through `docker-entrypoint.sh` so it gets `DOCKER_HOST` set appropriately too
+ set -- docker-entrypoint.sh "$@"
+fi
+
+exec "$@"
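Review bot: This file appears to be a copy of the docker-library `dockerd-entrypoint.sh` (the `docker:dind` certificate CNs and the `/usr/local/bin/dind` fallback match it), but it carries no record of its origin or the upstream revision it tracks, so later upstream fixes to the TLS generation or the rootless pre-flight checks will not be picked up here. I would add a header comment under the shebang along the lines of `# Vendored from docker-library/docker dockerd-entrypoint.sh at <UPSTREAM_COMMIT placeholder>; diff against upstream when bumping the docker package.` Separately, `local` in `_tls_ensure_private` and `_tls_generate_certs` is not POSIX sh; it works under Alpine's ash but is worth a note given the `#!/bin/sh` shebang.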