Lookup docker-proxy in libexec paths

This allows distros to put docker-proxy under libexec paths as is done for docker-init. Also expands the lookup to to not require a `docker/` subdir in libexec subdir. Since it is a generic helper that may be used for something else in the future, this is only done for binaries with a `docker-`. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
moby · May 7, 2024 · f644c58 · f644c58
1 parent 4d525c9
commit f644c58
Showing 1 changed file with 24 additions and 7 deletions.
diff --git a/daemon/config/config_linux.go b/daemon/config/config_linux.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"os/exec"
 	"path/filepath"
+	"strings"
 
 	"github.com/containerd/cgroups/v3"
 	"github.com/containerd/log"
@@ -108,14 +109,12 @@ func (conf *Config) GetInitPath() string {
 	return DefaultInitBinary
 }
 
-// LookupInitPath returns an absolute path to the "docker-init" binary by searching relevant "libexec" directories (per FHS 3.0 & 2.3) followed by PATH
-func (conf *Config) LookupInitPath() (string, error) {
-	binary := conf.GetInitPath()
+func lookupBinPath(binary string) (string, error) {
 	if filepath.IsAbs(binary) {
 		return binary, nil
 	}
 
-	for _, dir := range []string{
+	lookupPaths := []string{
 		// FHS 3.0: "/usr/libexec includes internal binaries that are not intended to be executed directly by users or shell scripts. Applications may use a single subdirectory under /usr/libexec."
 		// https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html
 		"/usr/local/libexec/docker",
@@ -125,7 +124,16 @@ func (conf *Config) LookupInitPath() (string, error) {
 		// https://refspecs.linuxfoundation.org/FHS_2.3/fhs-2.3.html#USRLIBLIBRARIESFORPROGRAMMINGANDPA
 		"/usr/local/lib/docker",
 		"/usr/lib/docker",
-	} {
+	}
+
+	// According to FHS, it is not neccessary to have a subdir here.
+	// If the binary has a `docker-` prefix, let's look it up without the prefix.
+	if strings.HasPrefix("docker-", binary) {
+		lookupPaths = append(lookupPaths, "/usr/local/libexec")
+		lookupPaths = append(lookupPaths, "/usr/libexec")
+	}
+
+	for _, dir := range lookupPaths {
 		// exec.LookPath has a fast-path short-circuit for paths that contain "/" (skipping the PATH lookup) that then verifies whether the given path is likely to be an actual executable binary (so we invoke that instead of reimplementing the same checks)
 		if file, err := exec.LookPath(filepath.Join(dir, binary)); err == nil {
 			return file, nil
@@ -136,6 +144,15 @@ func (conf *Config) LookupInitPath() (string, error) {
 	return exec.LookPath(binary)
 }
 
+// LookupInitPath returns an absolute path to the "docker-init" binary by searching relevant "libexec" directories (per FHS 3.0 & 2.3) followed by PATH
+func (conf *Config) LookupInitPath() (string, error) {
+	binary := conf.GetInitPath()
+	if filepath.IsAbs(binary) {
+		return binary, nil
+	}
+	return lookupBinPath(binary)
+}
+
 // GetResolvConf returns the appropriate resolv.conf
 // Check setupResolvConf on how this is selected
 func (conf *Config) GetResolvConf() string {
@@ -226,7 +243,7 @@ func setPlatformDefaults(cfg *Config) error {
 
 		var err error
 		// use rootlesskit-docker-proxy for exposing the ports in RootlessKit netns to the initial namespace.
-		cfg.BridgeConfig.UserlandProxyPath, err = exec.LookPath(rootless.RootlessKitDockerProxyBinary)
+		cfg.BridgeConfig.UserlandProxyPath, err = lookupBinPath(rootless.RootlessKitDockerProxyBinary)
 		if err != nil {
 			return errors.Wrapf(err, "running with RootlessKit, but %s not installed", rootless.RootlessKitDockerProxyBinary)
 		}
@@ -245,7 +262,7 @@ func setPlatformDefaults(cfg *Config) error {
 		cfg.Pidfile = filepath.Join(runtimeDir, "docker.pid")
 	} else {
 		var err error
-		cfg.BridgeConfig.UserlandProxyPath, err = exec.LookPath(userlandProxyBinary)
+		cfg.BridgeConfig.UserlandProxyPath, err = lookupBinPath(userlandProxyBinary)
 		if err != nil {
 			// Log, but don't error here. This allows running a daemon with
 			// userland-proxy disabled (which does not require the binary