hack/dind-systemd - third_party/github.com/moby/moby - Git at Google

 #!/bin/bash
 set -e

 # Set the container env-var, so that AppArmor is enabled in the daemon and
 # containerd when running docker-in-docker.
 #
 # see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
 # see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
 container=docker
 export container

 if [ $# -eq 0 ]; then
 	echo >&2 'ERROR: No command specified. You probably want to run `journalctl -f`, or maybe `bash`?'
 	exit 1
 fi

 if [ ! -t 0 ]; then
 	echo >&2 'ERROR: TTY needs to be enabled (`docker run -t ...`).'
 	exit 1
 fi

 # Change mount propagation to shared, which SystemD PID 1 would normally do
 # itself when started by the kernel. SystemD skips that when it detects it is
 # running in a container.
 mount --make-rshared /

 # Allow AppArmor to work inside the container;
 #
 #     aa-status
 #     apparmor filesystem is not mounted.
 #     apparmor module is loaded.
 #
 #     mount -t securityfs none /sys/kernel/security
 #
 #     aa-status
 #     apparmor module is loaded.
 #     30 profiles are loaded.
 #     30 profiles are in enforce mode.
 #       /snap/snapd/18357/usr/lib/snapd/snap-confine
 #       ...
 #
 # Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
 #
 #     ## /sys/kernel/security
 #
 #     In /sys/kernel/security mounted the securityfs interface, which allows
 #     configuration of Linux Security Modules. This allows configuration of
 #     AppArmor policies, and so access to this may allow a container to disable
 #     its MAC system.
 #
 # Given that we're running privileged already, this should not be an issue.
 if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
 	mount -t securityfs none /sys/kernel/security || {
 		echo >&2 'Could not mount /sys/kernel/security.'
 		echo >&2 'AppArmor detection and --privileged mode might break.'
 	}
 fi

 env > /etc/docker-entrypoint-env

 cat > /etc/systemd/system/docker-entrypoint.target << EOF
 [Unit]
 Description=the target for docker-entrypoint.service
 Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
 EOF

 quoted_args="$(printf " %q" "${@}")"
 echo "${quoted_args}" > /etc/docker-entrypoint-cmd

 cat > /etc/systemd/system/docker-entrypoint.service << EOF
 [Unit]
 Description=docker-entrypoint.service

 [Service]
 ExecStart=/bin/bash -exc "source /etc/docker-entrypoint-cmd"
 # EXIT_STATUS is either an exit code integer or a signal name string, see systemd.exec(5)
 ExecStopPost=/bin/bash -ec "if echo \${EXIT_STATUS} | grep [A-Z] > /dev/null; then echo >&2 \"got signal \${EXIT_STATUS}\"; systemctl exit \$(( 128 + \$( kill -l \${EXIT_STATUS} ) )); else systemctl exit \${EXIT_STATUS}; fi"
 StandardInput=tty-force
 StandardOutput=inherit
 StandardError=inherit
 WorkingDirectory=$(pwd)
 EnvironmentFile=/etc/docker-entrypoint-env

 [Install]
 WantedBy=multi-user.target
 EOF

 systemctl mask systemd-firstboot.service systemd-udevd.service
 systemctl unmask systemd-logind
 systemctl enable docker-entrypoint.service

 systemd=
 if [ -x /lib/systemd/systemd ]; then
 	systemd=/lib/systemd/systemd
 elif [ -x /usr/lib/systemd/systemd ]; then
 	systemd=/usr/lib/systemd/systemd
 elif [ -x /sbin/init ]; then
 	systemd=/sbin/init
 else
 	echo >&2 'ERROR: systemd is not installed'
 	exit 1
 fi
 systemd_args="--show-status=false --unit=docker-entrypoint.target"
 echo "$0: starting $systemd $systemd_args"
 exec $systemd $systemd_args
	#!/bin/bash
	set -e

	# Set the container env-var, so that AppArmor is enabled in the daemon and
	# containerd when running docker-in-docker.
	#
	# see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
	# see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
	container=docker
	export container

	if [ $# -eq 0 ]; then
	echo >&2 'ERROR: No command specified. You probably want to run `journalctl -f`, or maybe `bash`?'
	exit 1
	fi

	if [ ! -t 0 ]; then
	echo >&2 'ERROR: TTY needs to be enabled (`docker run -t ...`).'
	exit 1
	fi

	# Change mount propagation to shared, which SystemD PID 1 would normally do
	# itself when started by the kernel. SystemD skips that when it detects it is
	# running in a container.
	mount --make-rshared /

	# Allow AppArmor to work inside the container;
	#
	# aa-status
	# apparmor filesystem is not mounted.
	# apparmor module is loaded.
	#
	# mount -t securityfs none /sys/kernel/security
	#
	# aa-status
	# apparmor module is loaded.
	# 30 profiles are loaded.
	# 30 profiles are in enforce mode.
	# /snap/snapd/18357/usr/lib/snapd/snap-confine
	# ...
	#
	# Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
	#
	# ## /sys/kernel/security
	#
	# In /sys/kernel/security mounted the securityfs interface, which allows
	# configuration of Linux Security Modules. This allows configuration of
	# AppArmor policies, and so access to this may allow a container to disable
	# its MAC system.
	#
	# Given that we're running privileged already, this should not be an issue.
	if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
	mount -t securityfs none /sys/kernel/security \|\| {
	echo >&2 'Could not mount /sys/kernel/security.'
	echo >&2 'AppArmor detection and --privileged mode might break.'
	}
	fi

	env > /etc/docker-entrypoint-env

	cat > /etc/systemd/system/docker-entrypoint.target << EOF
	[Unit]
	Description=the target for docker-entrypoint.service
	Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
	EOF

	quoted_args="$(printf " %q" "${@}")"
	echo "${quoted_args}" > /etc/docker-entrypoint-cmd

	cat > /etc/systemd/system/docker-entrypoint.service << EOF
	[Unit]
	Description=docker-entrypoint.service

	[Service]
	ExecStart=/bin/bash -exc "source /etc/docker-entrypoint-cmd"
	# EXIT_STATUS is either an exit code integer or a signal name string, see systemd.exec(5)
	ExecStopPost=/bin/bash -ec "if echo \${EXIT_STATUS} \| grep [A-Z] > /dev/null; then echo >&2 \"got signal \${EXIT_STATUS}\"; systemctl exit \$(( 128 + \$( kill -l \${EXIT_STATUS} ) )); else systemctl exit \${EXIT_STATUS}; fi"
	StandardInput=tty-force
	StandardOutput=inherit
	StandardError=inherit
	WorkingDirectory=$(pwd)
	EnvironmentFile=/etc/docker-entrypoint-env

	[Install]
	WantedBy=multi-user.target
	EOF

	systemctl mask systemd-firstboot.service systemd-udevd.service
	systemctl unmask systemd-logind
	systemctl enable docker-entrypoint.service

	systemd=
	if [ -x /lib/systemd/systemd ]; then
	systemd=/lib/systemd/systemd
	elif [ -x /usr/lib/systemd/systemd ]; then
	systemd=/usr/lib/systemd/systemd
	elif [ -x /sbin/init ]; then
	systemd=/sbin/init
	else
	echo >&2 'ERROR: systemd is not installed'
	exit 1
	fi
	systemd_args="--show-status=false --unit=docker-entrypoint.target"
	echo "$0: starting $systemd $systemd_args"
	exec $systemd $systemd_args