rootless: graduate from experimental

Close #40484 Note that the support for cgroup v2 isn't ready for production yet, regardless to rootful or rootless. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
moby · thaJeztah · Apr 7, 2020 · Mar 10, 2020 · Apr 6, 2020 · Apr 6, 2020
commit 5ca47f517953d0016a6d48d1c2d5f5afea54f170
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
@@ -102,20 +102,18 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
 
 	if cli.Config.Experimental {
 		logrus.Warn("Running experimental build")
-		if cli.Config.IsRootless() {
-			logrus.Warn("Running in rootless mode. Cgroups, AppArmor, and CRIU are disabled.")
-		}
-		if rootless.RunningWithRootlessKit() {
-			logrus.Info("Running with RootlessKit integration")
-			if !cli.Config.IsRootless() {
-				return fmt.Errorf("rootless mode needs to be enabled for running with RootlessKit")
-			}
-		}
-	} else {
-		if cli.Config.IsRootless() {
-			return fmt.Errorf("rootless mode is supported only when running in experimental mode")
+	}
+
+	if cli.Config.IsRootless() {
+		logrus.Warn("Running in rootless mode. This mode has feature limitations.")
+	}
+	if rootless.RunningWithRootlessKit() {
+		logrus.Info("Running with RootlessKit integration")
+		if !cli.Config.IsRootless() {
+			return fmt.Errorf("rootless mode needs to be enabled for running with RootlessKit")
 		}
 	}
+
 	// return human-friendly error before creating files
 	if runtime.GOOS == "linux" && os.Geteuid() != 0 {
 		return fmt.Errorf("dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation")

diff --git a/contrib/dockerd-rootless.sh b/contrib/dockerd-rootless.sh
@@ -1,8 +1,7 @@
 #!/bin/sh
 # dockerd-rootless.sh executes dockerd in rootless mode.
 #
-# Usage: dockerd-rootless.sh --experimental [DOCKERD_OPTIONS]
-# Currently, specifying --experimental is mandatory.
+# Usage: dockerd-rootless.sh [DOCKERD_OPTIONS]
 #
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
@@ -11,7 +10,7 @@
 #   slirp4netns is used by default if installed. Otherwise fallsback to VPNKit.
 #   The default value can be overridden with $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic)
 #
-# See the documentation for the further information.
+# See the documentation for the further information: https://docs.docker.com/engine/security/rootless/
 
 set -e -x
 if ! [ -w $XDG_RUNTIME_DIR ]; then

@@ -65,10 +65,6 @@ fi
 
 dockerd="dockerd"
 if [ -n "$DOCKER_ROOTLESS" ]; then
-	if [ -z "$DOCKER_EXPERIMENTAL" ]; then
-		echo >&2 '# DOCKER_ROOTLESS requires DOCKER_EXPERIMENTAL to be set'
-		exit 1
-	fi
 	if [ -z "$TEST_SKIP_INTEGRATION_CLI" ]; then
 		echo >&2 '# DOCKER_ROOTLESS requires TEST_SKIP_INTEGRATION_CLI to be set'
 		exit 1

@@ -39,10 +39,6 @@ fi
 dockerd="dockerd"
 socket=/var/run/docker.sock
 if [ -n "$DOCKER_ROOTLESS" ]; then
-	if [ -z "$DOCKER_EXPERIMENTAL" ]; then
-		echo >&2 '# DOCKER_ROOTLESS requires DOCKER_EXPERIMENTAL to be set'
-		exit 1
-	fi
 	user="unprivilegeduser"
 	uid=$(id -u $user)
 	# shellcheck disable=SC2174

diff --git a/testutil/daemon/daemon.go b/testutil/daemon/daemon.go
@@ -204,7 +204,7 @@ func New(t testing.TB, ops ...Option) *Daemon {
 				t.Skip("DOCKER_ROOTLESS doesn't support DOCKER_USERLANDPROXY=false")
 			}
 		}
-		ops = append(ops, WithRootlessUser("unprivilegeduser"), WithExperimental())
+		ops = append(ops, WithRootlessUser("unprivilegeduser"))
 	}
 
 	d, err := NewDaemon(dest, ops...)