Update RootlessKit (3.0.0)

- slirp4netns is no longer needed as gvisor-tap-vsock is now embedded in RootlessKit.
  slirp4netns is still used when installed.
- The `builtin` port driver can now correctly propagate the source IP.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Author: AkihiroSuda

Dockerfile

@@ -28,8 +28,7 @@ ARG STARGZ_SNAPSHOTTER_VERSION=v0.18.1@BINARY
 # Extra deps: Encryption
 ARG IMGCRYPT_VERSION=v2.0.2@6892f4df2405cd15acbefd1dca970f53ba38bfda
 # Extra deps: Rootless
-ARG ROOTLESSKIT_VERSION=v2.3.6@BINARY
-ARG SLIRP4NETNS_VERSION=v1.3.3@BINARY
+ARG ROOTLESSKIT_VERSION=v3.0.0@BINARY
 # Extra deps: bypass4netns
 ARG BYPASS4NETNS_VERSION=v0.4.2@aa04bd3dcc48c6dae6d7327ba219bda8fe2a4634
 # Extra deps: FUSE-OverlayFS
@@ -194,14 +193,6 @@ RUN git clone --quiet --depth 1 --branch "${IMGCRYPT_VERSION%%@*}" https://githu
   git-checkout-tag-with-hash.sh "${IMGCRYPT_VERSION}" && \
   CGO_ENABLED=0 make && DESTDIR=/out make install && \
   echo "- imgcrypt: ${IMGCRYPT_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
-ARG SLIRP4NETNS_VERSION
-RUN SLIRP4NETNS_VERSION=${SLIRP4NETNS_VERSION%%@*}; \
-  fname="slirp4netns-$(cat /target_uname_m)" && \
-  curl -o "${fname}" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 "https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/${fname}" && \
-  grep "${fname}" "/SHA256SUMS.d/slirp4netns-${SLIRP4NETNS_VERSION}" | sha256sum -c && \
-  mv "${fname}" /out/bin/slirp4netns && \
-  chmod +x /out/bin/slirp4netns && \
-  echo "- slirp4netns: ${SLIRP4NETNS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BYPASS4NETNS_VERSION
 COPY --from=build-bypass4netns /out/${TARGETARCH:-amd64}/* /out/bin/
 RUN echo "- bypass4netns: ${BYPASS4NETNS_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
@@ -256,7 +247,6 @@ RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
 
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/${SLIRP4NETNS_VERSION%%@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/${FUSE_OVERLAYFS_VERSION%%@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/tini: [MIT License](https://github.com/krallin/tini/blob/${TINI_VERSION%%@*}/LICENSE)" >> /out/share/doc/nerdctl-full/README.md && \
@@ -371,6 +361,8 @@ RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
   uidmap \
   openssh-server \
   openssh-client
+# Install slirp4netns only if rootlesskit is prior to v3.0
+RUN if ! rootlesskit --help | grep -q gvisor-tap-vsock; then apt-get install -qq --no-install-recommends slirp4netns; fi
 # TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants <TARGET> ssh` here
 RUN ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && \
   useradd -m -s /bin/bash rootless && \
@@ -388,6 +380,8 @@ CMD ["/test-integration-rootless.sh", "./hack/test-integration.sh"]
 
 # test for CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns
 FROM test-integration-rootless AS test-integration-rootless-port-slirp4netns
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
+  slirp4netns
 COPY ./Dockerfile.d/home_rootless_.config_systemd_user_containerd.service.d_port-slirp4netns.conf /home/rootless/.config/systemd/user/containerd.service.d/port-slirp4netns.conf
 RUN chown -R rootless:rootless /home/rootless/.config
 

Dockerfile.d/SHA256SUMS.d/SHA256SUMS

@@ -0,0 +1,6 @@
+9a6ca1f21c5a21be7738d5cd4cbd287b59fe0c76424750295e10405ca18f0ed5  rootlesskit-aarch64.tar.gz
+925ff9f281f8658376ce0647e0e1703806fbc0c05d15a01408e080692583125b  rootlesskit-armv7l.tar.gz
+d4e8b82fdf104ab1e7bba3059d572b46323ff1da1adcd95cbf9f47a09ed3eb5d  rootlesskit-ppc64le.tar.gz
+5209498ab7c9446a0bcc8ad6b5e77796696da0dede815ef535017fb8412f99ba  rootlesskit-riscv64.tar.gz
+6ded9f92668c7838935a85fff51c664747f55343e279471d8871dfa793e7cbed  rootlesskit-s390x.tar.gz
+9e9e65f11b0a75ffe78f82284fa84528519b94c6c5032a33e6c80ec1924ef8d1  rootlesskit-x86_64.tar.gz

Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.6

@@ -134,9 +134,8 @@ In addition to containerd, the following components should be installed:
   - v1.1.0 or later is highly recommended.
 - [BuildKit](https://github.com/moby/buildkit) (OPTIONAL): for using `nerdctl build`. BuildKit daemon (`buildkitd`) needs to be running. See also [the document about setting up BuildKit](./docs/build.md).
   - v0.11.0 or later is highly recommended. Some features, such as pruning caches with `nerdctl system prune`, do not work with older versions.
-- [RootlessKit](https://github.com/rootless-containers/rootlesskit) and [slirp4netns](https://github.com/rootless-containers/slirp4netns) (OPTIONAL): for [Rootless mode](./docs/rootless.md)
-  - RootlessKit needs to be v0.10.0 or later. v2.0.0 or later is recommended.
-  - slirp4netns needs to be v0.4.0 or later. v1.1.7 or later is recommended.
+- [RootlessKit](https://github.com/rootless-containers/rootlesskit) (OPTIONAL): for [Rootless mode](./docs/rootless.md)
+  - RootlessKit needs to be v0.10.0 or later. v3.0.0 or later is recommended.
 
 These dependencies are included in `nerdctl-full-<VERSION>-<OS>-<ARCH>.tar.gz`, but not included in `nerdctl-<VERSION>-<OS>-<ARCH>.tar.gz`.
 

Dockerfile.d/SHA256SUMS.d/rootlesskit-v3.0.0

@@ -311,9 +311,9 @@ See also:
 - https://rootlesscontaine.rs/getting-started/containerd/
 
 ### `nerdctl run -p <PORT>` does not propagate source IP
-Expected behavior with the default `rootlesskit` port driver.
+Make sure that nerdctl is running with RootlessKit v3.0 or later.
 
-The solution is to change the port driver to `slirp4netns` (sacrifices performance).
+For older version of RootlessKit, change the port driver to `slirp4netns` (sacrifices performance).
 
 See https://rootlesscontaine.rs/getting-started/containerd/#changing-the-port-forwarder .
 

Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.3

@@ -153,9 +153,9 @@ More detail is available at [https://github.com/rootless-containers/bypass4netns
 Rootless containerd recognizes the following environment variables to configure the behavior of [RootlessKit](https://github.com/rootless-containers/rootlesskit):
 
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR`: the rootlesskit state dir. Defaults to `$XDG_RUNTIME_DIR/containerd-rootless`.
-* `CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic)`: the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit".
-* `CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM`: the MTU value for the rootlesskit network driver. Defaults to 65520 for slirp4netns, 1500 for other drivers.
-* `CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns)`: the rootlesskit port driver. Defaults to "builtin" (this driver does not propagate the container's source IP address and always uses 127.0.0.1. Please check [Port Drivers](https://github.com/rootless-containers/rootlesskit/blob/master/docs/port.md#port-drivers) for more details).
+* `CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|gvisor-tap-vsock|lxc-user-nic)`: the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "gvisor-tap-vsock".
+* `CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM`: the MTU value for the rootlesskit network driver. Defaults to 65520 or 1500, depending on the network driver.
+* `CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit|gvisor-tap-vsock)`: the rootlesskit port driver. Defaults to "builtin".
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false)`: whether to protect slirp4netns with a dedicated mount namespace. Defaults to "auto".
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false)`: whether to protect slirp4netns with seccomp. Defaults to "auto".
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS=(auto|true|false)`: whether to launch rootlesskit with the "detach-netns" mode.

README.md

@@ -104,7 +104,6 @@ cmd_entrypoint_check() {
 	init
 	INFO "Checking RootlessKit functionality"
 	if ! rootlesskit \
-		--net=slirp4netns \
 		--disable-host-loopback \
 		--copy-up=/etc --copy-up=/run --copy-up=/var/lib \
 		true; then

docs/faq.md

@@ -28,14 +28,13 @@
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
 # * /etc/subuid and /etc/subgid needs to be configured for the current user.
-# * RootlessKit (>= v0.10.0) needs to be installed. RootlessKit >= v2.0.0 is recommended.
-# * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed. slirp4netns >= v1.1.7 is recommended.
+# * RootlessKit (>= v0.10.0) needs to be installed. RootlessKit >= v3.0.0 is recommended.
 #
 # Recognized environment variables:
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR: the rootlesskit state dir. Defaults to "$XDG_RUNTIME_DIR/containerd-rootless".
-# * CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit".
-# * CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 65520 for slirp4netns, 1500 for other drivers.
-# * CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns): the rootlesskit port driver. Defaults to "builtin".
+# * CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|gvisor-tap-vsock|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "gvisor-tap-vsock".
+# * CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 65520 or 1500, depending on the network driver.
+# * CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit|gvisor-tap-vsock): the rootlesskit port driver. Defaults to "builtin".
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace. Defaults to "auto".
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false): whether to protect slirp4netns with seccomp. Defaults to "auto".
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS=(auto|true|false): whether to launch rootlesskit with the "detach-netns" mode.
@@ -90,15 +89,17 @@ if [ -z "$_CONTAINERD_ROOTLESS_CHILD" ]; then
 					mtu=65520
 				fi
 			else
-				echo "slirp4netns found but seems older than v0.4.0. Falling back to VPNKit."
+				echo "slirp4netns found but seems older than v0.4.0. Falling back to other drivers."
 			fi
 		fi
 		if [ -z "$net" ]; then
 			if command -v vpnkit >/dev/null 2>&1; then
 				net=vpnkit
 			else
-				echo "Either slirp4netns (>= v0.4.0) or vpnkit needs to be installed"
-				exit 1
+				net=gvisor-tap-vsock
+				if [ -z "$mtu" ]; then
+					mtu=65520
+				fi
 			fi
 		fi
 	fi