diff --git a/rip_docker/.gitignore b/rip_docker/.gitignore new file mode 100644 index 0000000..f144293 --- /dev/null +++ b/rip_docker/.gitignore @@ -0,0 +1,4 @@ +dangerzone-cmdline +dangerzone-initrd.img +dangerzone-kernel +dangerzone-state \ No newline at end of file diff --git a/rip_docker/README.md b/rip_docker/README.md new file mode 100644 index 0000000..2f0d33b --- /dev/null +++ b/rip_docker/README.md @@ -0,0 +1,79 @@ +# RIP Docker + +Notes for removing the Docker Desktop dependency from Dangerzone. + +## macOS + +The most promising path forward is with [LinuxKit](https://github.com/linuxkit/linuxkit) and [HyperKit](https://github.com/moby/hyperkit). This is super helpful, a [LinuxKit config for Docker for Mac](https://github.com/linuxkit/linuxkit/blob/master/examples/docker-for-mac.md). + +### Install Docker Desktop + +Docker is required for linuxkit to build the VM image. + +### Install LinuxKit and HyperKit + +Install from homebrew: + +```sh +brew tap linuxkit/linuxkit +brew install --HEAD linuxkit +brew install hyperkit +``` + +### Build the dangerzone VM image + +```sh +linuxkit build -format kernel+initrd dangerzone.yml +``` + +And then try running it: + +```sh +linuxkit run hyperkit -hyperkit /usr/local/bin/hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=4096M -data-file ./metadata.json -kernel -uefi dangerzone +``` + +### Uninstall Docker Desktop + +Just to make sure it isn't interfering. Click the Docker systray icon > Troubleshooting > Uninstall, and then delete Docker from Applications. + + + + +### Old stuff + +Here's my attempts at installing from source, documented for posterity. + +```sh +mkir -p build bin + +# download pre-built linuxkit binary +cd bin +wget https://github.com/linuxkit/linuxkit/releases/download/v0.8/linuxkit-darwin-amd64 +chmod +x linuxkit-darwin-amd64 +cd .. + +# build hyperkit +cd build +wget https://github.com/moby/hyperkit/archive/refs/tags/v0.20210107.tar.gz +mv v0.20210107.tar.gz hyperkit-v0.20210107.tar.gz +tar -xf hyperkit-v0.20210107.tar.gz +cd hyperkit-0.20210107 +make +cp ../.. +ln -s build/hyperkit-0.20210107/build/hyperkit bin/hyperkit + +# install dependencies for vpnkit +brew install wget opam pkg-config +opam init # only need to run this if opam wasn't installed before + +# build vpnkit +cd build +# wget https://github.com/moby/vpnkit/archive/refs/tags/v0.5.0.tar.gz +wget https://github.com/micahflee/vpnkit/archive/refs/heads/ocaml-upgrade.tar.gz +mv ocaml-upgrade.tar.gz vpnkit-ocaml-upgrade.tar.gz +tar -xf vpnkit-ocaml-upgrade.tar.gz +cd vpnkit-ocaml-upgrade +make + +# uggh, I keep failing at this. going to switch to homebrew +``` diff --git a/rip_docker/dangerzone.yml b/rip_docker/dangerzone.yml new file mode 100644 index 0000000..67757b8 --- /dev/null +++ b/rip_docker/dangerzone.yml @@ -0,0 +1,113 @@ +# This is an example for building the open source components of Docker for Mac +kernel: + image: linuxkit/kernel:5.10.39 + cmdline: "console=ttyS0 page_poison=1" +init: + - linuxkit/vpnkit-expose-port:b0a5ede4c53aa718b48fb9a86e4725ab6ae7f96e # install vpnkit-expose-port and vpnkit-iptables-wrapper on host + - linuxkit/init:78fb57c7da07c4e43c3a37b27755581da087a3b6 + - linuxkit/runc:bf1e0c61fb4678d6428d0aabbd80db5ea24e4d4d + - linuxkit/containerd:cc02c2af9c928c2faeccbe4edc78bd297ad91866 + - linuxkit/ca-certificates:4df823737c9bf6a9564b736f1a19fd25d60e909a +onboot: + # support metadata for optional config in /run/config + - name: metadata + image: linuxkit/metadata:91125438842110e7709811997815b7b33dc18d1d + - name: sysctl + image: linuxkit/sysctl:02d2bd74509fd063857ceb4c4f502f09ee4f2e0a + - name: sysfs + image: linuxkit/sysfs:3498aa99c90a29439b5a1926f6ffcd75c270372c + - name: binfmt + image: linuxkit/binfmt:5567917e7de481e4867d31c7490a0ebdb70e04a5 + # Format and mount the disk image in /var/lib/docker + - name: format + image: linuxkit/format:fdad8c50d594712537f94862dab3d955cbb48fc3 + - name: mount + image: linuxkit/mount:71c868267a4503f99e84fd7698717a3669d9dfdb + command: ["/usr/bin/mountie", "/var/lib"] + # make a swap file on the mounted disk + - name: swap + image: linuxkit/swap:0028aeae2741d28120e4d2c6efcc5af003eae395 + command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"] + # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding + - name: mount-vpnkit + image: alpine:3.11 + binds: + - /var/:/host_var:rbind,rshared + capabilities: + - CAP_SYS_ADMIN + rootfsPropagation: shared + command: ["sh", "-c", "mkdir -p /host_var/vpnkit/port && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"] + # move logs to the mounted disk (this is a temporary fix until we can limit the log sizes) + - name: move-logs + image: alpine:3.11 + binds: + - /var:/host_var + command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"] + - name: dhcpcd + image: linuxkit/dhcpcd:1033f340e2d42f86a60aab70752346f0045ea388 + command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"] +services: + # Enable acpi to shutdown on power events + - name: acpid + image: linuxkit/acpid:d2ddd88c7918466f875e7c5c3e527b51dfb0b0ea + # Enable getty for easier debugging + - name: getty + image: linuxkit/getty:ed32c71531f5998aa510847bb07bd847492d4101 + env: + - INSECURE=true + # Run ntpd to keep time synchronised in the VM + - name: ntpd + image: linuxkit/openntpd:66f25a516c7460f5e49195309cf276903741c428 + # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock + # to a socket on the host. + - name: vsudd + image: linuxkit/vsudd:8b442fc9296ce581e8755675eadc928c13ac79c9 + binds: + - /var/run:/var/run + command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"] + # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. + # It needs access to the vpnkit 9P coordination share + - name: vpnkit-forwarder + image: linuxkit/vpnkit-forwarder:56ed525d212ca17e01b54d9b66c39b534a4392bc + binds: + - /var/vpnkit:/port + net: host + command: ["/vpnkit-forwarder", "-vsockPort", "62373"] + # Monitor for image deletes and invoke a TRIM on the container filesystem + - name: trim-after-delete + image: linuxkit/trim-after-delete:ac6307a62c926a49a067d4de8667c2789b5ce2c9 + # When the host resumes from sleep, force a clock resync + - name: host-timesync-daemon + image: linuxkit/host-timesync-daemon:32fec3fc7d03e5600ef88526c8f187cf21e8e0cc + # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container. + # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit + # for vpnkit coordination and /run/config/docker for the configuration file. + - name: docker-dfm + image: docker:20.10.6-dind + capabilities: + - all + net: host + mounts: + - type: cgroup + options: ["rw","nosuid","noexec","nodev","relatime"] + binds: + - /etc/resolv.conf:/etc/resolv.conf + - /var/lib/docker:/var/lib/docker + - /lib/modules:/lib/modules + - /var/vpnkit:/port # vpnkit control 9p mount + - /var/run:/var/run + - /run/config/docker:/var/config/docker + - /usr/bin/vpnkit-expose-port:/usr/bin/vpnkit-expose-port # userland proxy + - /usr/bin/vpnkit-iptables-wrapper:/usr/bin/iptables # iptables wrapper + command: [ "/usr/local/bin/docker-init", "/usr/local/bin/dockerd", "--", + "--config-file", "/var/config/docker/daemon.json", + "--swarm-default-advertise-addr=eth0", + "--userland-proxy-path", "/usr/bin/vpnkit-expose-port", + "--storage-driver", "overlay2" ] + runtime: + mkdir: ["/var/lib/docker"] + +trust: + org: + - linuxkit + - library diff --git a/rip_docker/metadata.json b/rip_docker/metadata.json new file mode 100644 index 0000000..9e2ab3e --- /dev/null +++ b/rip_docker/metadata.json @@ -0,0 +1,9 @@ +{ + "docker": { + "entries": { + "daemon.json": { + "content": "{\n \"debug\" : true,\n \"experimental\" : true\n}\n" + } + } + } +} \ No newline at end of file