Fix containerd non-root script to be a proper entrypoint

tianon · Sep 1, 2023 · 33edfb5 · 33edfb5
1 parent b83d388
commit 33edfb5
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 29 deletions.
diff --git a/containerd/Dockerfile b/containerd/Dockerfile
@@ -43,11 +43,14 @@ RUN set -eux; \
 
 RUN set -eux; \
 	mkdir -p /run/containerd /var/lib/containerd; \
-	chmod 777 /run/containerd /var/lib/containerd
+	chmod 1777 /run/containerd /var/lib/containerd
 
-COPY non-root-containerd.sh /usr/local/bin/
+VOLUME /var/lib/containerd
 
-CMD ["non-root-containerd.sh"]
+# add an entrypoint that does clever things if the container is run as non-root (cannot run containers, but content/image stores should work fine)
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["containerd"]
 
-# use "dind containerd" if you want to run real containers (with "--privileged" and an appropriate volume at "/var/lib/containerd")
+# use "docker run ... dind containerd" if you want to run real containers (with "--privileged")
 # see also Dockerfile.c8dind (or "tianon/containerd:c8dind")
diff --git a/containerd/Dockerfile.c8dind b/containerd/Dockerfile.c8dind
@@ -1,4 +1,3 @@
 FROM tianon/containerd
-VOLUME /var/lib/containerd
-ENTRYPOINT ["dind"]
+ENTRYPOINT ["dind", "docker-entrypoint.sh"]
 CMD ["containerd"]
diff --git a/containerd/Dockerfile.template b/containerd/Dockerfile.template
@@ -37,11 +37,14 @@ RUN set -eux; \
 
 RUN set -eux; \
 	mkdir -p /run/containerd /var/lib/containerd; \
-	chmod 777 /run/containerd /var/lib/containerd
+	chmod 1777 /run/containerd /var/lib/containerd
 
-COPY non-root-containerd.sh /usr/local/bin/
+VOLUME /var/lib/containerd
 
-CMD ["non-root-containerd.sh"]
+# add an entrypoint that does clever things if the container is run as non-root (cannot run containers, but content/image stores should work fine)
+COPY docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["containerd"]
 
-# use "dind containerd" if you want to run real containers (with "--privileged" and an appropriate volume at "/var/lib/containerd")
+# use "docker run ... dind containerd" if you want to run real containers (with "--privileged")
 # see also Dockerfile.c8dind (or "tianon/containerd:c8dind")
diff --git a/containerd/docker-entrypoint.sh b/containerd/docker-entrypoint.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# no arguments or first arg is `-f` or `--some-option`
+if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
+	set -- containerd "$@"
+fi
+
+# if we're not root, let's adjust all the "uid" and "gid" parameters of the config to whatever our current user is (so we avoid "chown" permission errors)
+uid="$(id -u)"; gid="$(id -g)"
+if [ "$uid" != 0 ] && [ "$1" = 'containerd' ]; then
+	shift
+
+	configDump=( containerd config dump )
+	if ! "${configDump[@]}" &> /dev/null; then
+		configDump=( containerd --config /dev/null config dump )
+		"${configDump[@]}" > /dev/null
+	fi
+
+	exec containerd --config <(
+		"${configDump[@]}" \
+			| awk -v uid="$uid" -v gid="$gid" '
+				$1 == "uid" { gsub(/=.+$/, "= " uid) }
+				$1 == "gid" { gsub(/=.+$/, "= " gid) }
+				{ print }
+			'
+	) "$@"
+fi
+
+exec "$@"
diff --git a/containerd/non-root-containerd.sh b/containerd/non-root-containerd.sh