rootless Docker ACAP requiring AllowRoot to install #107
Merged
madelen-at-work changed the title from "Use dockerd 24.02 and cleanup repo" to "rootless Docker ACAP requiring AllowRoot to install" Oct 16, 2023
madelen-at-work commented Oct 17, 2023
madelen-at-work force-pushed the rootless-preview-pr branch from fee8cb5 to 7e6b37f October 18, 2023 14:40
madelen-at-work commented Oct 24, 2023
This will signal acapctl to stop and fail the installation process.
This will signal acapctl to stop and fail the uninstallation process.
jojju reviewed Oct 26, 2023
killenheladagen approved these changes Oct 27, 2023
6 tasks
killenheladagen added a commit that referenced this pull request Apr 2, 2024

commit 1fbfdee
Author: Stephen Garrett <[email protected]>
Date: Tue Apr 2 10:28:24 2024 +0200

    Allow multiple headers in certs (#162)

    * Refactor valid_cert() to allow multiple header addition.
      Change-Id: I13030e24ac1d4077b223b31535bab60f83ee94a7
    * Refactor headers & footers. Add PRIVATE_KEY cert_type.
      Change-Id: I41f1145f46363bdeef96ed7a571c0f8fdbff5c3d
    * Allow multiple cert_types for uploaded TLS certificates.
      Change-Id: Ic4da466b3aa5d323b275d23a1ab61ccc86546df1

commit 6996714
Author: Madelen Andersson <[email protected]>
Date: Mon Mar 25 16:13:04 2024 +0100

    bump Docker Engine to 26.0.0 (#148)

    * bump Docker Engine to 26.0.0
    ---------
    Co-authored-by: madelen-at-work <[email protected]>

commit 48e3971
Author: Madelen Andersson <[email protected]>
Date: Fri Mar 22 12:49:34 2024 +0100

    TLS cert upload for rootless (#124)

    * First draft of tls upload
    * Preliminary functional version including documentation.
    * Resolve aarch64 compilation errors.
      Change-Id: I647ef17eeafff9269187051fd3baa8609cc70e6f
    * Corrections to logging and documentation following review.
      Change-Id: I694f419ec1e3d8670293b631fb465f0abf639c11
    * Functional cert upload to /tmp, copy to ../localdata & cleanup.
      Change-Id: Ib0bd184a4a38d1f93b750ee932c902080d5aa0e7
    * Intial restart on certificate functionality change to allow testing.
      Change-Id: I71f3d10918ee72c79e7b36948b1bfce5191dc301
    * Refactor stop & start to load daemon. Enable pending cgi requests.
      Change-Id: I96869dd4eb1ed9c796e5a6fe4f813e88383f1cb5
    * clang-formatted & logging reduced.
      Change-Id: Ica457ba1e2cd9cc473ab3bdb7c0cf3b5343a485e
    * Remove commented out lines from Dockerfile.
      Change-Id: I0d69febc0691e31d2ff4e5e959e3fa1a6f0dff26
    ---------
    Co-authored-by: madelen-axis <[email protected]>
    Co-authored-by: Stephen Garrett <[email protected]>

commit 6b39d9e
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 21 09:06:10 2024 +0100

    set path for internal storage (#138)

    Co-authored-by: madelen-at-work <[email protected]>

commit ff8055d
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 13:41:29 2024 +0100

    don't exclude .vscode

commit 74ac468
Merge: 1d829f9 5f7d2af
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 13:37:04 2024 +0100

    Merge branch 'main' into rootless_shadow

commit 5f7d2af
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 13:31:46 2024 +0100

    Add CONTRIBUTING and .vscode (#132)

commit 1f42b29
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 12:07:04 2024 +0100

    combined update of depenadbot recomendations (#131)

    * combined changes for depenadbot and other action updates

commit 1d829f9
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 09:51:55 2024 +0100

    fix for SDK change

commit 5a076e8
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 09:28:03 2024 +0100

    tweaks after merge to main

commit 96a83f7
Merge: 9642900 4781797
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 09:25:33 2024 +0100

    Merge branch 'main' into rootless_shadow

commit 4781797
Author: Madelen Andersson <[email protected]>
Date: Thu Mar 7 09:19:38 2024 +0100

    remove experimental codeql setup

commit 9642900
Author: Madelen Andersson <[email protected]>
Date: Wed Mar 6 10:34:19 2024 +0100

    Remove last root requirements (#130)

    * remove last root requirements NB! signing will not pass untill manifest schema is updated and available in SDK
    ---------
    Co-authored-by: madelen-axis <[email protected]>

commit 53082fa
Author: Deepika Shanmugam <[email protected]>
Date: Mon Mar 4 13:33:51 2024 +0100

    Remove the script of handling directories owned by root (#129)

commit e7401a7
Author: madelen-axis <[email protected]>
Date: Tue Feb 27 11:23:59 2024 +0100

    fix to preuninstall script and remove unused binary

commit 1d8fcbc
Author: Deepika Shanmugam <[email protected]>
Date: Mon Feb 12 15:05:48 2024 +0100

    Set required environment variables for rootless docker ACAP (#127)

commit 1c92226
Author: Madelen Andersson <[email protected]>
Date: Thu Feb 8 11:47:55 2024 +0100

    backdown SDK version to be LTS 10.12 compliant (#123)

    Co-authored-by: madelen-axis <[email protected]>

commit 0b18ef1
Author: Angelo Delli Santi <[email protected]>
Date: Fri Jan 19 17:45:25 2024 +0100

    Add note about root requirement (#125)

    * Add note about root requirement

commit 3f6b629
Author: madelen-axis <[email protected]>
Date: Fri Jan 5 09:08:15 2024 +0100

    remove new[u/g]idmap and user-services

commit 6ed70c8
Author: Madelen Andersson <[email protected]>
Date: Thu Nov 30 15:54:50 2023 +0100

    Added sub-groups for the ACAP user (#118)

    * Added sub-groups for the ACAP user
    ---------
    Co-authored-by: madelen-axis <[email protected]>

commit 44ead62
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon Nov 20 07:23:52 2023 +0000

    Bump actions/github-script from 6 to 7

    Bumps [actions/github-script](https://github.com/actions/github-script) from 6 to 7.
    - [Release notes](https://github.com/actions/github-script/releases)
    - [Commits](actions/github-script@v6...v7)

    ---
    updated-dependencies:
    - dependency-name: actions/github-script
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit c2bbc1b
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon Nov 13 07:35:23 2023 +0000

    Bump actions/checkout from 3 to 4

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3...v4)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 537f11e
Author: Madelen Andersson <[email protected]>
Date: Fri Nov 24 10:13:23 2023 +0100

    Use super-linter/super-linter and activate clang validation (#110)

    * switched to super-linter/super-linter
    * Update lint.yml
    ---------
    Co-authored-by: madelen-axis <[email protected]>

commit 05c8c25
Author: Madelen Andersson <[email protected]>
Date: Fri Nov 10 09:54:59 2023 +0100

    Documentation for rootless preview (#109)

    * Added documentation for rootless Docker ACAP

    Co-authored-by: madelen-axis <[email protected]>

commit 313a74d
Author: Madelen Andersson <[email protected]>
Date: Fri Nov 10 08:46:56 2023 +0100

    rootless Docker ACAP requiring AllowRoot to install (#107)

    rootless implementation
    ---------
    Co-authored-by: madelen-axis <[email protected]>
    Co-authored-by: Mattias Axelsson <[email protected]>

commit 1a53e5c
Author: Patrik Åkesson <[email protected]>
Date: Wed Nov 8 13:30:35 2023 +0100

    Correct codeql.yml GitHub action format

commit c4b2ab9
Author: Patrik Åkesson <[email protected]>
Date: Wed Nov 8 13:23:47 2023 +0100

    Correct codeql.yml wrong yaml syntax

commit 218e50d
Author: Patrik Åkesson <[email protected]>
Date: Wed Nov 8 09:54:49 2023 +0100

    Update codeql.yml with custom build script

commit 8f033ea
Author: Patrik Åkesson <[email protected]>
Date: Wed Nov 8 09:31:16 2023 +0100

    Create codeql.yml with manual trigger
stepheng-axis added a commit that referenced this pull request Apr 10, 2024

* rootless Docker ACAP requiring AllowRoot to install (#107)
  rootless implementation
  ---------
  Co-authored-by: madelen-axis <[email protected]>
  Co-authored-by: Mattias Axelsson <[email protected]>
* Documentation for rootless preview (#109)
  * Added documentation for rootless Docker ACAP
  Co-authored-by: madelen-axis <[email protected]>
* Added sub-groups for the ACAP user (#118)
  * Added sub-groups for the ACAP user
  ---------
  Co-authored-by: madelen-axis <[email protected]>
* remove new[u/g]idmap and user-services
* Set required environment variables for rootless docker ACAP (#127)
* fix to preuninstall script and remove unused binary
* Remove the script of handling directories owned by root (#129)
* Remove last root requirements (#130)
  * remove last root requirements NB! signing will not pass untill manifest schema is updated and available in SDK
  ---------
  Co-authored-by: madelen-axis <[email protected]>
* tweaks after merge to main
* fix for SDK change
* don't exclude .vscode
* set path for internal storage (#138)
  Co-authored-by: madelen-at-work <[email protected]>
* TLS cert upload for rootless (#124)
  * First draft of tls upload
  * Preliminary functional version including documentation.
  * Resolve aarch64 compilation errors.
    Change-Id: I647ef17eeafff9269187051fd3baa8609cc70e6f
  * Corrections to logging and documentation following review.
    Change-Id: I694f419ec1e3d8670293b631fb465f0abf639c11
  * Functional cert upload to /tmp, copy to ../localdata & cleanup.
    Change-Id: Ib0bd184a4a38d1f93b750ee932c902080d5aa0e7
  * Intial restart on certificate functionality change to allow testing.
    Change-Id: I71f3d10918ee72c79e7b36948b1bfce5191dc301
  * Refactor stop & start to load daemon. Enable pending cgi requests.
    Change-Id: I96869dd4eb1ed9c796e5a6fe4f813e88383f1cb5
  * clang-formatted & logging reduced.
    Change-Id: Ica457ba1e2cd9cc473ab3bdb7c0cf3b5343a485e
  * Remove commented out lines from Dockerfile.
    Change-Id: I0d69febc0691e31d2ff4e5e959e3fa1a6f0dff26
  ---------
  Co-authored-by: madelen-axis <[email protected]>
  Co-authored-by: Stephen Garrett <[email protected]>
* bump Docker Engine to 26.0.0 (#148)
  * bump Docker Engine to 26.0.0
  ---------
  Co-authored-by: madelen-at-work <[email protected]>
* Allow multiple headers in certs (#162)
  * Refactor valid_cert() to allow multiple header addition.
    Change-Id: I13030e24ac1d4077b223b31535bab60f83ee94a7
  * Refactor headers & footers. Add PRIVATE_KEY cert_type.
    Change-Id: I41f1145f46363bdeef96ed7a571c0f8fdbff5c3d
  * Allow multiple cert_types for uploaded TLS certificates.
    Change-Id: Ic4da466b3aa5d323b275d23a1ab61ccc86546df1
* Cleanup process of exiting main loop on requested shutdown.
  Change-Id: I183e9e9a39a698f814a1774f89bfe49a4cd380c4
* Disassociate status generation and updating of exit_code.
  Change-Id: I00e84ca80f4ba5256ab821fbc00a2e99879d777e
---------
Co-authored-by: Madelen Andersson <[email protected]>
Co-authored-by: madelen-axis <[email protected]>
Co-authored-by: Mattias Axelsson <[email protected]>
Co-authored-by: Deepika Shanmugam <[email protected]>
Co-authored-by: Madelen Andersson <[email protected]>
Co-authored-by: madelen-at-work <[email protected]>
Changing implementation to run rootless dockerd as described in https://docs.docker.com/engine/security/rootless/ and with this the acap user is changed to dynamic (acap-dockerdwrapper). Currently this requires changes to the device that can only be done as root user, so this application needs the AllowRoot toggle to be set to True at installation (and uninstallation) time. Tested to work on Artpec 7 and Artpec 8 from 11.7 but needs more testing to be properly verified.
Separate PR (#109) for updating the documentation.
Known issues:
Checklist before requesting a review