#!/bin/bash # Run a command as the unprivileged rootless Docker install user. # # This used to ssh to @localhost to get a fully-initialised user session # (so `systemctl --user` and the rootless dockerd would work). That needs an SSH # server, a generated key and authorized_keys — none of which the install set # up, so the whole rootless path silently no-op'd. Instead run via `sudo -u` # with the session env set explicitly: `loginctl enable-linger` (done during # rootless setup) keeps the user's `systemd --user` and /run/user/ alive, # so `systemctl --user` works, and DOCKER_HOST points at the rootless socket. # `sudo -u` to an unprivileged user is not a root escalation, and there's no SSH # attack surface. dockerCommandRunInstallUser() { local silent_flag="" if [ "$1" == "--silent" ]; then silent_flag="$1" shift fi local remote_command="$1" local uid uid=$(id -u "$CFG_DOCKER_INSTALL_USER" 2>/dev/null) if [ -z "$uid" ]; then isError "Cannot run as '$CFG_DOCKER_INSTALL_USER' — user does not exist." return 1 fi # rootless docker installs its binaries to the user's ~/bin, so include it. local run_env=( "HOME=/home/$CFG_DOCKER_INSTALL_USER" "XDG_RUNTIME_DIR=/run/user/$uid" "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$uid/bus" "DOCKER_HOST=unix:///run/user/$uid/docker.sock" "PATH=/home/$CFG_DOCKER_INSTALL_USER/bin:/usr/bin:/bin:/usr/local/bin" ) if [ -n "$silent_flag" ]; then sudo -u "$CFG_DOCKER_INSTALL_USER" env "${run_env[@]}" bash -c "$remote_command" >/dev/null 2>&1 else sudo -u "$CFG_DOCKER_INSTALL_USER" env "${run_env[@]}" bash -c "$remote_command" fi }