philstrong · September 25, 2024 13:46
diff --git a/gistfile1.txt b/gistfile1.txt
 #!/bin/sh
 set -e

 # DinD: a wrapper script which allows docker to be run inside a docker container.
 # Original version by Jerome Petazzoni <[email protected]>
 # See the blog post: https://www.docker.com/blog/docker-can-now-run-within-docker/
 #
 # This script should be executed inside a docker container in privileged mode
 # ('docker run --privileged', introduced in docker 0.6).

 # Usage: dind CMD [ARG...]

 # apparmor sucks and Docker needs to know that it's in a container (c) @tianon
 #
 # Set the container env-var, so that AppArmor is enabled in the daemon and
 # containerd when running docker-in-docker.
 #
 # see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
 # see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
 export container=docker

 # Allow AppArmor to work inside the container;
 #
 #     aa-status
 #     apparmor filesystem is not mounted.
 #     apparmor module is loaded.
 #
 #     mount -t securityfs none /sys/kernel/security
 #
 #     aa-status
 #     apparmor module is loaded.
 #     30 profiles are loaded.
 #     30 profiles are in enforce mode.
 #       /snap/snapd/18357/usr/lib/snapd/snap-confine
 #       ...
 #
 # Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
 #
 #     ## /sys/kernel/security
 #
 #     In /sys/kernel/security mounted the securityfs interface, which allows
 #     configuration of Linux Security Modules. This allows configuration of
 #     AppArmor policies, and so access to this may allow a container to disable
 #     its MAC system.
 #
 # Given that we're running privileged already, this should not be an issue.
 if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
 	mount -t securityfs none /sys/kernel/security || {
 		echo >&2 'Could not mount /sys/kernel/security.'
 		echo >&2 'AppArmor detection and --privileged mode might break.'
 	}
 fi

 # Mount /tmp (conditionally)
 if ! mountpoint -q /tmp; then
 	mount -t tmpfs none /tmp
 fi

 # cgroup v2: enable nesting
 if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
 	# move the processes from the root group to the /init group,
 	# otherwise writing subtree_control fails with EBUSY.
 	# An error during moving non-existent process (i.e., "cat") is ignored.
 	mkdir -p /sys/fs/cgroup/init
 	xargs -rn1 < /sys/fs/cgroup/cgroup.procs > /sys/fs/cgroup/init/cgroup.procs || :
 	# enable controllers
 	sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \
 		> /sys/fs/cgroup/cgroup.subtree_control
 fi

 # Change mount propagation to shared to make the environment more similar to a
 # modern Linux system, e.g. with SystemD as PID 1.
 mount --make-rshared /

 if [ $# -gt 0 ]; then
 	exec "$@"
 fi

 echo >&2 'ERROR: No command specified.'
 echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'
	#!/bin/sh
	set -e

	# DinD: a wrapper script which allows docker to be run inside a docker container.
	# Original version by Jerome Petazzoni <[email protected]>
	# See the blog post: https://www.docker.com/blog/docker-can-now-run-within-docker/
	#
	# This script should be executed inside a docker container in privileged mode
	# ('docker run --privileged', introduced in docker 0.6).

	# Usage: dind CMD [ARG...]

	# apparmor sucks and Docker needs to know that it's in a container (c) @tianon
	#
	# Set the container env-var, so that AppArmor is enabled in the daemon and
	# containerd when running docker-in-docker.
	#
	# see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
	# see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
	export container=docker

	# Allow AppArmor to work inside the container;
	#
	# aa-status
	# apparmor filesystem is not mounted.
	# apparmor module is loaded.
	#
	# mount -t securityfs none /sys/kernel/security
	#
	# aa-status
	# apparmor module is loaded.
	# 30 profiles are loaded.
	# 30 profiles are in enforce mode.
	# /snap/snapd/18357/usr/lib/snapd/snap-confine
	# ...
	#
	# Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
	#
	# ## /sys/kernel/security
	#
	# In /sys/kernel/security mounted the securityfs interface, which allows
	# configuration of Linux Security Modules. This allows configuration of
	# AppArmor policies, and so access to this may allow a container to disable
	# its MAC system.
	#
	# Given that we're running privileged already, this should not be an issue.
	if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
	mount -t securityfs none /sys/kernel/security \|\| {
	echo >&2 'Could not mount /sys/kernel/security.'
	echo >&2 'AppArmor detection and --privileged mode might break.'
	}
	fi

	# Mount /tmp (conditionally)
	if ! mountpoint -q /tmp; then
	mount -t tmpfs none /tmp
	fi

	# cgroup v2: enable nesting
	if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
	# move the processes from the root group to the /init group,
	# otherwise writing subtree_control fails with EBUSY.
	# An error during moving non-existent process (i.e., "cat") is ignored.
	mkdir -p /sys/fs/cgroup/init
	xargs -rn1 < /sys/fs/cgroup/cgroup.procs > /sys/fs/cgroup/init/cgroup.procs \|\| :
	# enable controllers
	sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \
	> /sys/fs/cgroup/cgroup.subtree_control
	fi

	# Change mount propagation to shared to make the environment more similar to a
	# modern Linux system, e.g. with SystemD as PID 1.
	mount --make-rshared /

	if [ $# -gt 0 ]; then
	exec "$@"
	fi

	echo >&2 'ERROR: No command specified.'
	echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'