From b942a610fe6da1337c9f0f8b9397642ecb4b57da Mon Sep 17 00:00:00 2001 From: Omar Al-Ithawi Date: Thu, 12 Oct 2023 11:14:11 +0300 Subject: [PATCH] fix: disable `ulimits` in rootless docker mode --- tests/test_utils.py | 20 ++++++++++++++++++++ tutor/env.py | 1 + tutor/templates/dev/docker-compose.yml | 9 +++++++++ tutor/utils.py | 14 ++++++++++++++ 4 files changed, 44 insertions(+) diff --git a/tests/test_utils.py b/tests/test_utils.py index 93d4a4859c8..21af475d3ba 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -3,6 +3,7 @@ import tempfile import unittest from io import StringIO +import subprocess from typing import List, Tuple from unittest.mock import MagicMock, mock_open, patch @@ -241,6 +242,25 @@ def test_is_http(self) -> None: self.assertFalse(utils.is_http("home/user/")) self.assertFalse(utils.is_http("http-home/user/")) + @patch("subprocess.run") + def test_is_docker_rootless(self, mock_run: MagicMock) -> None: + # Mock rootless `docker info` output + utils.is_docker_rootless.cache_clear() + mock_run.return_value.stdout = "some prefix\n rootless foo bar".encode("utf-8") + self.assertTrue(utils.is_docker_rootless()) + + # Mock regular `docker info` output + utils.is_docker_rootless.cache_clear() + mock_run.return_value.stdout = "some prefix, regular docker".encode("utf-8") + self.assertFalse(utils.is_docker_rootless()) + + @patch("subprocess.run") + def test_is_docker_rootless_podman(self, mock_run: MagicMock) -> None: + """Test the `is_docker_rootless` when podman is used or any other error with `docker info`""" + utils.is_docker_rootless.cache_clear() + mock_run.side_effect = subprocess.CalledProcessError(1, "docker info") + self.assertFalse(utils.is_docker_rootless()) + def test_format_table(self) -> None: rows: List[Tuple[str, ...]] = [ ("a", "xyz", "value 1"), diff --git a/tutor/env.py b/tutor/env.py index 9ced7d5b8c7..08db87dc6d4 100644 --- a/tutor/env.py +++ b/tutor/env.py @@ -55,6 +55,7 @@ def _prepare_environment() -> None: ("TUTOR_APP", __app__.replace("-", "_")), ("TUTOR_VERSION", __version__), ("is_buildkit_enabled", utils.is_buildkit_enabled), + ("is_docker_rootless", utils.is_docker_rootless), ], ) diff --git a/tutor/templates/dev/docker-compose.yml b/tutor/templates/dev/docker-compose.yml index 4b8cd38c9bd..7c864358fc8 100644 --- a/tutor/templates/dev/docker-compose.yml +++ b/tutor/templates/dev/docker-compose.yml @@ -52,4 +52,13 @@ services: command: openedx-assets watch-themes --env dev restart: unless-stopped + {% if RUN_ELASTICSEARCH and is_docker_rootless() %} + elasticsearch: + ulimits: + memlock: + # Fixes error setting rlimits for ready process in rootless docker + soft: 0 # zero means "unset" in the memlock context + hard: 0 + {% endif %} + {{ patch("local-docker-compose-dev-services")|indent(2) }} diff --git a/tutor/utils.py b/tutor/utils.py index 59adee43778..18dba364bad 100644 --- a/tutor/utils.py +++ b/tutor/utils.py @@ -192,6 +192,20 @@ def is_buildkit_enabled() -> bool: return False +@lru_cache(maxsize=None) +def is_docker_rootless() -> bool: + """ + A helper function to determine if Docker is running in rootless mode. + + - https://docs.docker.com/engine/security/rootless/ + """ + try: + results = subprocess.run(["docker", "info"], capture_output=True, check=True) + return "rootless" in results.stdout.decode() + except subprocess.CalledProcessError: + return False + + def docker_compose(*command: str) -> int: return execute("docker", "compose", *command)