diff --git a/contrib/dockerd-rootless.sh b/contrib/dockerd-rootless.sh
index 0baa112e2c36c..97dae98ca7442 100755
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -15,6 +15,7 @@
 # * DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit): the rootlesskit port driver. Defaults to "builtin".
 # * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace. Defaults to "auto".
 # * DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false): whether to protect slirp4netns with seccomp. Defaults to "auto".
+# * DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK=(true|false): prohibit connections to 127.0.0.1 on the host (including via 10.0.2.2, in the case of slirp4netns). Defaults to "true".
 # To apply an environment variable via systemd, create ~/.config/systemd/user/docker.service.d/override.conf as follows,
 # and run `systemctl --user daemon-reload && systemctl --user restart docker`:
@@ -71,6 +72,7 @@ fi
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:=builtin}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX:=auto}"
 : "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP:=auto}"
+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK:=}"
 net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET
 mtu=$DOCKERD_ROOTLESS_ROOTLESSKIT_MTU
 if [ -z "$net" ]; then
@@ -98,6 +100,11 @@ if [ -z "$mtu" ]; then
 mtu=1500
 fi
+host_loopback="--disable-host-loopback"
+if [ "$DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK" = "false" ]; then
+ host_loopback=""
+fi
+
 dockerd="${DOCKERD:-dockerd}"
 if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
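Review bot: The default assigned in the second hunk, `: "${DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK:=}"`, is the empty string, while the header comment added in the first hunk documents the default as "true". Behaviour is still fail-safe because the third hunk only clears `host_loopback` on the exact string "false", but anyone inspecting the daemon's environment sees an empty value, and spellings such as "0" or "no" silently keep host loopback blocked instead of being rejected. Setting `: "${DOCKERD_ROOTLESS_ROOTLESSKIT_DISABLE_HOST_LOOPBACK:=true}"` makes the variable match its documentation, and a one-line stderr warning in the third hunk for values other than true/false would surface typos. The header comment could also state the consequence of "false": processes inside the rootless namespace can then reach services bound only to the host's 127.0.0.1, so it should be enabled only when that access is actually needed.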
@@ -125,7 +132,7 @@ if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then
 --net=$net --mtu=$mtu \
 --slirp4netns-sandbox=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX \
 --slirp4netns-seccomp=$DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP \
- --disable-host-loopback --port-driver=$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER \
+ $host_loopback --port-driver=$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER \
 --copy-up=/etc --copy-up=/run \
 --propagation=rslave \
 $DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \
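Review bot: `$host_loopback` on the new line is deliberately unquoted so that an empty value expands to no argument, but the pattern is exactly what ShellCheck reports as SC2086 and is indistinguishable from an accidental omission; a comment such as `# shellcheck disable=SC2086 -- $host_loopback is empty or a single flag and must word-split` above the command these continuation lines belong to would record the intent. The existing `$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS` expansion relies on the same splitting, so one comment covers both. The `if` block and the command itself start before the hunk.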