[docker-up] Minor fixes and add tests

Tool: gitpod/catfood.gitpod.cloud

Author: geropl

components/docker-up/BUILD.yaml

@@ -5,6 +5,7 @@ packages:
       - go.mod
       - go.sum
       - "docker-up/**"
+      - "dockerd/**"
       - dependencies.sh
     deps:
       - components/common-go:lib

components/docker-up/docker-up/main.go

@@ -9,11 +9,9 @@ package main
 
 import (
 	"archive/tar"
-	"bufio"
 	"compress/gzip"
 	"context"
 	"embed"
-	"encoding/json"
 	"fmt"
 	"io"
 	"os"
@@ -25,6 +23,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/gitpod-io/gitpod/docker-up/dockerd"
 	"github.com/rootless-containers/rootlesskit/pkg/sigproxy"
 	sigproxysignal "github.com/rootless-containers/rootlesskit/pkg/sigproxy/signal"
 	"github.com/sirupsen/logrus"
@@ -45,6 +44,7 @@ var opts struct {
 	UserAccessibleSocket bool
 	Verbose              bool
 	DontWrapNetNS        bool
+	AutoLogin            bool
 }
 
 //go:embed docker.tgz
@@ -58,6 +58,7 @@ var aptUpdated = false
 const (
 	dockerSocketFN = "/var/run/docker.sock"
 	gitpodUserId   = 33333
+	gitpodGroupId  = 33333
 	containerIf    = "eth0"
 )
 
@@ -73,6 +74,7 @@ func main() {
 	pflag.BoolVar(&opts.AutoInstall, "auto-install", true, "auto-install prerequisites (docker)")
 	pflag.BoolVar(&opts.UserAccessibleSocket, "user-accessible-socket", true, "chmod the Docker socket to make it user accessible")
 	pflag.BoolVar(&opts.DontWrapNetNS, "dont-wrap-netns", os.Getenv("WORKSPACEKIT_WRAP_NETNS") == "true", "wrap the Docker daemon in a network namespace")
+	pflag.BoolVar(&opts.AutoLogin, "auto-login", false, "use content of GITPOD_IMAGE_AUTH to automatically login with the docker daemon")
 	pflag.Parse()
 
 	logger := logrus.New()
@@ -118,7 +120,8 @@ func runWithinNetns() (err error) {
 		)
 	}
 
-	userArgs, err := userArgs()
+	userArgsValue, _ := os.LookupEnv(DaemonArgs)
+	userArgs, err := dockerd.ParseUserArgs(log, userArgsValue)
 	if err != nil {
 		return xerrors.Errorf("cannot add user supplied docker args: %w", err)
 	}
@@ -192,98 +195,6 @@ func runWithinNetns() (err error) {
 	return nil
 }
 
-type ConvertUserArg func(arg, value string) ([]string, error)
-
-var allowedDockerArgs = map[string]ConvertUserArg{
-	"remap-user": convertRemapUser,
-}
-
-func userArgs() ([]string, error) {
-	userArgs, exists := os.LookupEnv(DaemonArgs)
-	args := []string{}
-	if !exists {
-		return args, nil
-	}
-
-	var providedDockerArgs map[string]string
-	if err := json.Unmarshal([]byte(userArgs), &providedDockerArgs); err != nil {
-		return nil, xerrors.Errorf("unable to deserialize docker args: %w", err)
-	}
-
-	for userArg, userValue := range providedDockerArgs {
-		converter, exists := allowedDockerArgs[userArg]
-		if !exists {
-			continue
-		}
-
-		if converter != nil {
-			cargs, err := converter(userArg, userValue)
-			if err != nil {
-				return nil, xerrors.Errorf("could not convert %v - %v: %w", userArg, userValue, err)
-			}
-			args = append(args, cargs...)
-
-		} else {
-			args = append(args, "--"+userArg, userValue)
-		}
-	}
-
-	return args, nil
-}
-
-func convertRemapUser(arg, value string) ([]string, error) {
-	id, err := strconv.Atoi(value)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, f := range []string{"/etc/subuid", "/etc/subgid"} {
-		err := adaptSubid(f, id)
-		if err != nil {
-			return nil, xerrors.Errorf("could not adapt subid files: %w", err)
-		}
-	}
-
-	return []string{"--userns-remap", "gitpod"}, nil
-}
-
-func adaptSubid(oldfile string, id int) error {
-	uid, err := os.Open(oldfile)
-	if err != nil {
-		return err
-	}
-
-	newfile, err := os.Create(oldfile + ".new")
-	if err != nil {
-		return err
-	}
-
-	mappingFmt := func(username string, id int, size int) string { return fmt.Sprintf("%s:%d:%d\n", username, id, size) }
-
-	if id != 0 {
-		newfile.WriteString(mappingFmt("gitpod", 1, id))
-		newfile.WriteString(mappingFmt("gitpod", gitpodUserId, 1))
-	} else {
-		newfile.WriteString(mappingFmt("gitpod", gitpodUserId, 1))
-		newfile.WriteString(mappingFmt("gitpod", 1, gitpodUserId-1))
-		newfile.WriteString(mappingFmt("gitpod", gitpodUserId+1, 32200)) // map rest of user ids in the user namespace
-	}
-
-	uidScanner := bufio.NewScanner(uid)
-	for uidScanner.Scan() {
-		l := uidScanner.Text()
-		if !strings.HasPrefix(l, "gitpod") {
-			newfile.WriteString(l + "\n")
-		}
-	}
-
-	if err = os.Rename(newfile.Name(), oldfile); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 var prerequisites = map[string]func() error{
 	"dockerd":        installDocker,
 	"docker-compose": installDockerCompose,
@@ -353,7 +264,8 @@ func installDocker() error {
 		}
 
 		switch hdr.Typeflag {
-		case tar.TypeReg, tar.TypeRegA:
+
+		case tar.TypeReg, tar.TypeRegA: //lint:ignore SA1019 backwards compatibility
 			file, err := os.OpenFile(dstpath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, mode)
 			if err != nil {
 				return xerrors.Errorf("unable to create file: %v", err)
@@ -480,12 +392,12 @@ func detectRuncVersion(output string) (major, minor int, err error) {
 
 		major, err = strconv.Atoi(n[0])
 		if err != nil {
-			return 0, 0, xerrors.Errorf("could not parse major %s: %w", n[0])
+			return 0, 0, xerrors.Errorf("could not parse major %s: %w", n[0], err)
 		}
 
 		minor, err = strconv.Atoi(n[1])
 		if err != nil {
-			return 0, 0, xerrors.Errorf("could not parse minor %s: %w", n[1])
+			return 0, 0, xerrors.Errorf("could not parse minor %s: %w", n[1], err)
 		}
 
 		return major, minor, nil

components/docker-up/dockerd/args.go

@@ -0,0 +1,148 @@
+// Copyright (c) 2025 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package dockerd
+
+import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/xerrors"
+)
+
+const (
+	gitpodUserId = 33333
+)
+
+type ConvertUserArg func(arg string, value interface{}) ([]string, error)
+
+var allowedDockerArgs = map[string]ConvertUserArg{
+	"remap-user": convertRemapUser,
+	// TODO(gpl): Why this allow-list instead of a converter lookup only?
+	"proxies":     nil,
+	"http-proxy":  nil,
+	"https-proxy": nil,
+}
+
+func ParseUserArgs(log *logrus.Entry, userArgs string) ([]string, error) {
+	if userArgs == "" {
+		return nil, nil
+	}
+
+	var providedDockerArgs map[string]interface{}
+	if err := json.Unmarshal([]byte(userArgs), &providedDockerArgs); err != nil {
+		return nil, xerrors.Errorf("unable to deserialize docker args: %w", err)
+	}
+
+	return mapUserArgs(log, providedDockerArgs)
+}
+
+func mapUserArgs(log *logrus.Entry, jsonObj map[string]interface{}) ([]string, error) {
+	args := []string{}
+	for userArg, userValue := range jsonObj {
+		converter, exists := allowedDockerArgs[userArg]
+		if !exists {
+			// TODO(gpl): Why this allow-list instead of a converter lookup only?
+			continue
+		}
+
+		if converter != nil {
+			cargs, err := converter(userArg, userValue)
+			if err != nil {
+				return nil, xerrors.Errorf("could not convert %v - %v: %w", userArg, userValue, err)
+			}
+			args = append(args, cargs...)
+			continue
+		}
+
+		strValue, ok := (userValue).(string)
+		if ok {
+			args = append(args, fmt.Sprintf("--%s=%s", userArg, strValue))
+			continue
+		}
+
+		bValue, ok := (userValue).(bool)
+		if ok {
+			args = append(args, fmt.Sprintf("--%s=%t", userArg, bValue))
+			continue
+		}
+
+		obj, ok := (userValue).(map[string]interface{})
+		if ok {
+			nestedArgs, err := mapUserArgs(log, obj)
+			if err != nil {
+				return nil, xerrors.Errorf("could not convert nested arg %v - %v: %w", userArg, userValue, err)
+			}
+			args = append(args, nestedArgs...)
+			continue
+		}
+
+		log.WithField("arg", userArg).WithField("value", userValue).Warn("could not map userArg to dockerd argument, skipping.")
+	}
+
+	return args, nil
+}
+
+func convertRemapUser(arg string, value interface{}) ([]string, error) {
+	v, ok := (value).(string)
+	if !ok {
+		return nil, xerrors.Errorf("userns-remap expects a string argument")
+	}
+
+	id, err := strconv.Atoi(v)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, f := range []string{"/etc/subuid", "/etc/subgid"} {
+		err := adaptSubid(f, id)
+		if err != nil {
+			return nil, xerrors.Errorf("could not adapt subid files: %w", err)
+		}
+	}
+
+	return []string{"--userns-remap", "gitpod"}, nil
+}
+
+func adaptSubid(oldfile string, id int) error {
+	uid, err := os.Open(oldfile)
+	if err != nil {
+		return err
+	}
+
+	newfile, err := os.Create(oldfile + ".new")
+	if err != nil {
+		return err
+	}
+
+	mappingFmt := func(username string, id int, size int) string { return fmt.Sprintf("%s:%d:%d\n", username, id, size) }
+
+	if id != 0 {
+		newfile.WriteString(mappingFmt("gitpod", 1, id))
+		newfile.WriteString(mappingFmt("gitpod", gitpodUserId, 1))
+	} else {
+		newfile.WriteString(mappingFmt("gitpod", gitpodUserId, 1))
+		newfile.WriteString(mappingFmt("gitpod", 1, gitpodUserId-1))
+		newfile.WriteString(mappingFmt("gitpod", gitpodUserId+1, 32200)) // map rest of user ids in the user namespace
+	}
+
+	uidScanner := bufio.NewScanner(uid)
+	for uidScanner.Scan() {
+		l := uidScanner.Text()
+		if !strings.HasPrefix(l, "gitpod") {
+			newfile.WriteString(l + "\n")
+		}
+	}
+
+	if err = os.Rename(newfile.Name(), oldfile); err != nil {
+		return err
+	}
+
+	return nil
+}

components/docker-up/dockerd/args_test.go

@@ -0,0 +1,62 @@
+// Copyright (c) 2025 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package dockerd
+
+import (
+	"reflect"
+	"sort"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+)
+
+func TestMapUserArgs(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    map[string]interface{}
+		expected []string
+		wantErr  bool
+	}{
+		{
+			name:     "empty input",
+			input:    map[string]interface{}{},
+			expected: []string{},
+			wantErr:  false,
+		},
+		{
+			name: "tls and proxy settings",
+			input: map[string]interface{}{
+				"proxies": map[string]interface{}{
+					"http-proxy":  "localhost:38080",
+					"https-proxy": "localhost:38081",
+				},
+			},
+			expected: []string{
+				"--http-proxy=localhost:38080",
+				"--https-proxy=localhost:38081",
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			log := logrus.New().WithField("test", t.Name())
+			got, err := mapUserArgs(log, tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("mapUserArgs() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !tt.wantErr {
+				sort.Strings(got)
+				sort.Strings(tt.expected)
+				// Sort both slices to ensure consistent comparison
+				if !reflect.DeepEqual(got, tt.expected) {
+					t.Errorf("mapUserArgs() = %v, want %v", got, tt.expected)
+				}
+			}
+		})
+	}
+}