blob: 488f7543ba46bf5d43d4086b03964081c9a111c8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
#!/bin/bash
# ============LICENSE_START=======================================================
# Copyright (C) 2023 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
# Script copied from https://hub.docker.com/r/devopps/kind-cluster-buster
set -o errexit
set -o nounset
set -o pipefail
# This is copied from official dind script:
# https://raw.githubusercontent.com/docker/docker/master/hack/dind
if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
mount -t securityfs none /sys/kernel/security || {
echo >&2 'Could not mount /sys/kernel/security.'
echo >&2 'AppArmor detection and --privileged mode might break.'
}
fi
# Mount /tmp (conditionally)
if ! mountpoint -q /tmp; then
mount -t tmpfs none /tmp
fi
# Check cgroupfs.
# Verify the filesystem.
if [ ! -d /sys/fs/cgroup/ ]; then
echo >&2 'Cgroupfs is not mounted'
exit 1
fi
# Determine cgroup parent for docker daemon.
# We need to make sure cgroups created by the docker daemon do not
# interfere with other cgroups on the host, and do not leak after this
# container is terminated.
if [ -f /sys/fs/cgroup/systemd/release_agent ]; then
# This means the user has bind mounted host /sys/fs/cgroup to the
# same location in the container (e.g., using the following docker
# run flags: `-v /sys/fs/cgroup:/sys/fs/cgroup`). In this case, we
# need to make sure the docker daemon in the container does not
# pollute the host cgroups hierarchy.
# Note that `release_agent` file is only created at the root of a
# cgroup hierarchy.
CGROUP_PARENT="$(grep systemd /proc/self/cgroup | cut -d: -f3)/docker"
else
CGROUP_PARENT="/docker"
# For each cgroup subsystem, Docker does a bind mount from the
# current cgroup to the root of the cgroup subsystem. For instance:
# /sys/fs/cgroup/memory/docker/<cid> -> /sys/fs/cgroup/memory
#
# This will confuse some system software that manipulate cgroups
# (e.g., kubelet/cadvisor, etc.) sometimes because
# `/proc/<pid>/cgroup` is not affected by the bind mount. The
# following is a workaround to recreate the original cgroup
# environment by doing another bind mount for each subsystem.
CURRENT_CGROUP=$(grep systemd /proc/self/cgroup | cut -d: -f3)
CGROUP_SUBSYSTEMS=$(findmnt -lun -o source,target -t cgroup | grep "${CURRENT_CGROUP}" | awk '{print $2}')
echo "${CGROUP_SUBSYSTEMS}" |
while IFS= read -r SUBSYSTEM; do
mkdir -p "${SUBSYSTEM}${CURRENT_CGROUP}"
mount --bind "${SUBSYSTEM}" "${SUBSYSTEM}${CURRENT_CGROUP}"
done
fi
setsid dockerd \
--cgroup-parent="${CGROUP_PARENT}" \
--bip="${DOCKERD_BIP:-172.17.1.1/24}" \
--mtu="${DOCKERD_MTU:-1400}" \
--raw-logs \
${DOCKER_ARGS:-} >/var/log/docker/dockerd.log 2>&1 &
# Wait until dockerd is ready.
until docker ps >/dev/null 2>&1
do
echo "Waiting for dockerd..."
sleep 1
done
exec "$@"
|