Arch Linux User Repository

The build fails again with a checksum error:

==> ERROR: Integrity checks (sha256) differ in size from the source array.

Fixed, thanks.

Besides the checksum error, some of the files as currently packaged conflict with the docker-rootless and docker-rootless-bin packages: rootlesskit and rootlesskit-docker-proxy are already installed by these packages. The rm invocation at the end removes rootlesskit but not rootlesskit-docker-proxy. This causes a conflict between rootlesskit and docker-rootless-extras-bin.

I'd suggest that we remove the rm invocation and only copy the non-conflicting files in $srcdir/docker-rootless-extras into the $pkgdir, like this:

diff --git a/PKGBUILD b/PKGBUILD
index 93856d5..0232d7a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -38,11 +38,10 @@ sha256sums_aarch64=(
 package() {
        mkdir -p "$pkgdir/usr/bin/"

-       install -Dm755 "$srcdir/docker-rootless-extras/"* "$pkgdir/usr/bin/"
+       install -Dm755 "$srcdir/docker-rootless-extras/dockerd-rootless-setuptool.sh" "$pkgdir/usr/bin/"
+       install -Dm755 "$srcdir/docker-rootless-extras/dockerd-rootless.sh" "$pkgdir/usr/bin/"
+       install -Dm755 "$srcdir/docker-rootless-extras/vpnkit" "$pkgdir/usr/bin/"
        install -Dm644 "$srcdir/docker.service" "$pkgdir/usr/lib/systemd/user/docker.service"
        install -Dm644 "$srcdir/docker.socket" "$pkgdir/usr/lib/systemd/user/docker.socket"
        install -Dm644 "$srcdir/99-docker-rootless.conf" "$pkgdir/usr/lib/sysctl.d/99-docker-rootless.conf"
-
-        # Delete files provided by `rootlesskit`.
-       rm "$pkgdir/usr/bin/rootlessctl" "$pkgdir/usr/bin/rootlesskit"
 }

You forgot to update the checksum on the 20.10.5 -> 20.10.6 update.

I also get the checksum error when running makepkg.

After looking at the ArchWiki and the source of makepkg a bit I think the correct syntax is:

source=(...the 3 common files...)
source_x86_64=(...the x86_64 specific file...)
source_aarch64=(...the aarch64 specific file...)

sha256sums=(...the checksums for the 3 common files...)
sha256sums_x86_64=(...the checksum for the x86_64 specific file...)
sha256sums_aarch64=(...the checksum for the aarch64 specific file...)

Also, at first sight I don't think the aarch64 build is going to work, since using $arch is going to always give you the first element of the arch array = x86_64.

As far as I understand, merely enabling kernel.unprivileged_userns_clone makes vulnerabilities more exploitable, they don't necessarily have to be vulnerabilities in docker or podman.

@psvoboda @whynothugo While it uses kernel.unprivileged_userns_clone=1, it's far more secure than docker. Podman doesn't use a Client/Server architecture with a root daemon. Also it got developed with rootless mode in mind. Docker-Rootless got added many years later as an still experimental addon.

You could say Docker is the Dinosaur from 2013 where there trying to fix their architecture and Podman the Homo Sapiens Sapiens from 2019.

Here you can read more about it https://www.ti8m.com/blog/Why-Podman-is-worth-a-look-.html

That's correct, podman rootless depends on the samething.

Docker-as-root might be best, with some features (priviledged, etc) disabled. I've been looking into writing a plugin that disabled such features, but it's... hard.

@MartinX3 Podman in rootless mode has the same serious security implications since it relies on kernel.unprivileged_userns_clone=1 as well, doesn't it?

If you're a security aware user, I recommend

to build containers: https://github.com/containers/buildah

to run containers: https://github.com/containers/podman Podman also has podman-compose

Or if you have a network of several servers: https://github.com/kubernetes/kubernetes