Package Details: docker-rootless-extras 28.2.2-1

Git Clone URL: https://aur.archlinux.org/docker-rootless-extras.git
Package Base: docker-rootless-extras
Description: Extras to run docker as non-root.
Upstream URL: https://docs.docker.com/engine/security/rootless/
Keywords: containers docker isolation rootless
Licenses: Apache
Conflicts: docker-rootless, docker-rootless-extras, docker-rootless-extras-bin
Provides: docker-rootless, docker-rootless-extras, docker-rootless-extras-bin
Submitter: whynothugo
Maintainer: the-k
Last Packager: the-k
Votes: 35
Popularity: 1.57
First Submitted: 2021-04-14 17:58 (UTC)
Last Updated: 2025-05-31 11:31 (UTC)

Latest Comments

maximaman commented on 2021-06-19 21:22 (UTC)

The build fails again with a checksum error:

==> ERROR: Integrity checks (sha256) differ in size from the source array.

whynothugo commented on 2021-06-14 22:24 (UTC)

Fixed, thanks.

maximaman commented on 2021-06-14 21:49 (UTC)

Besides the checksum error, some of the files as currently packaged conflict with the docker-rootless and docker-rootless-bin packages: rootlesskit and rootlesskit-docker-proxy are already installed by these packages. The rm invocation at the end removes rootlesskit but not rootlesskit-docker-proxy. This causes a conflict between rootlesskit and docker-rootless-extras-bin.

I'd suggest that we remove the rm invocation and only copy the non-conflicting files in $srcdir/docker-rootless-extras into the $pkgdir, like this:

diff --git a/PKGBUILD b/PKGBUILD
index 93856d5..0232d7a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -38,11 +38,10 @@ sha256sums_aarch64=(
 package() {
        mkdir -p "$pkgdir/usr/bin/"

-       install -Dm755 "$srcdir/docker-rootless-extras/"* "$pkgdir/usr/bin/"
+       install -Dm755 "$srcdir/docker-rootless-extras/dockerd-rootless-setuptool.sh" "$pkgdir/usr/bin/"
+       install -Dm755 "$srcdir/docker-rootless-extras/dockerd-rootless.sh" "$pkgdir/usr/bin/"
+       install -Dm755 "$srcdir/docker-rootless-extras/vpnkit" "$pkgdir/usr/bin/"
        install -Dm644 "$srcdir/docker.service" "$pkgdir/usr/lib/systemd/user/docker.service"
        install -Dm644 "$srcdir/docker.socket" "$pkgdir/usr/lib/systemd/user/docker.socket"
        install -Dm644 "$srcdir/99-docker-rootless.conf" "$pkgdir/usr/lib/sysctl.d/99-docker-rootless.conf"
-
-        # Delete files provided by `rootlesskit`.
-       rm "$pkgdir/usr/bin/rootlessctl" "$pkgdir/usr/bin/rootlesskit"
 }
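
Review bot: The three added install lines in package() hard-code which files are shipped, but with the comment "# Delete files provided by `rootlesskit`." removed nothing in the PKGBUILD records why the other files are skipped, so a later edit could restore the glob and bring the file conflict back. Add a short comment above them naming the excluded binaries (rootlesskit and rootlessctl from the removed rm line, plus rootlesskit-docker-proxy from the discussion). The three calls can also be collapsed into a single install -m755 with the three sources followed by "$pkgdir/usr/bin/", since the mkdir -p at the top of package() already creates that directory and -D is not needed for it.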

gamezelda commented on 2021-06-05 16:55 (UTC)

You forgot to update the checksum on the 20.10.5 -> 20.10.6 update.

gamezelda commented on 2021-06-05 16:47 (UTC)

I also get the checksum error when running makepkg.

After looking at the ArchWiki and the source of makepkg a bit I think the correct syntax is:

source=(...the 3 common files...)
source_x86_64=(...the x86_64 specific file...)
source_aarch64=(...the aarch64 specific file...)

sha256sums=(...the checksums for the 3 common files...)
sha256sums_x86_64=(...the checksum for the x86_64 specific file...)
sha256sums_aarch64=(...the checksum for the aarch64 specific file...)

Also, at first sight I don't think the aarch64 build is going to work, since using $arch is going to always give you the first element of the arch array = x86_64.
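
Added example (not part of the comment above and not the package's own PKGBUILD): a bash check that each source array has a same-sized sha256sums array, the pairing whose mismatch produces the "differ in size from the source array" error, plus the `$arch` behaviour the comment mentions. The array contents, file names and the helper names `count_of`, `check_sum_arrays` and `first_arch` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample arrays in PKGBUILD layout (file names and SKIP are placeholders).
arch=(x86_64 aarch64)
source=(common-1.service common-2.socket common-3.conf)
source_x86_64=(extras-x86_64.tgz)
source_aarch64=(extras-aarch64.tgz)
sha256sums=(SKIP SKIP SKIP)
sha256sums_x86_64=(SKIP)
sha256sums_aarch64=(SKIP)

# count_of NAME: print the element count of the array NAME (0 if it is unset).
count_of() {
    declare -p "$1" >/dev/null 2>&1 || { echo 0; return; }
    local -n ref="$1"
    echo "${#ref[@]}"
}

# check_sum_arrays: compare source with sha256sums, then each source_<arch>
# with sha256sums_<arch>. Prints one line per mismatch and returns the
# number of mismatched pairs (0 means every pair lines up).
check_sum_arrays() {
    local bad=0 suffix src sum
    for suffix in "" "${arch[@]/#/_}"; do
        src=$(count_of "source$suffix")
        sum=$(count_of "sha256sums$suffix")
        if [ "$src" -ne "$sum" ]; then
            echo "source$suffix has $src entries, sha256sums$suffix has $sum"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# An array referenced without an index expands to element 0, so "$arch"
# inside a source URL always names the first listed architecture.
first_arch() { echo "$arch"; }

check_sum_arrays && echo "all source/checksum arrays match"
```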

whynothugo commented on 2021-05-28 20:07 (UTC)

As far as I understand, merely enabling kernel.unprivileged_userns_clone makes vulnerabilities more exploitable; they don't necessarily have to be vulnerabilities in docker or podman.

MartinX3 commented on 2021-05-27 17:30 (UTC)

@psvoboda @whynothugo While it uses kernel.unprivileged_userns_clone=1, it's far more secure than docker. Podman doesn't use a Client/Server architecture with a root daemon. Also it got developed with rootless mode in mind. Docker-Rootless got added many years later as a still experimental addon.

You could say Docker is the Dinosaur from 2013 where they're trying to fix their architecture and Podman the Homo Sapiens Sapiens from 2019.

Here you can read more about it https://www.ti8m.com/blog/Why-Podman-is-worth-a-look-.html

whynothugo commented on 2021-05-27 16:41 (UTC)

That's correct, podman rootless depends on the same thing.

Docker-as-root might be best, with some features (privileged, etc) disabled. I've been looking into writing a plugin that disabled such features, but it's... hard.

psvoboda commented on 2021-05-27 15:04 (UTC)

@MartinX3 Podman in rootless mode has the same serious security implications since it relies on kernel.unprivileged_userns_clone=1 as well, doesn't it?

MartinX3 commented on 2021-05-26 18:58 (UTC)

If you're a security-aware user, I recommend

to build containers: https://github.com/containers/buildah

to run containers: https://github.com/containers/podman Podman also has podman-compose

Or if you have a network of several servers: https://github.com/kubernetes/kubernetes