Docker made significant changes to the unattended installation process of Docker Desktop on macOS in the minor update between versions 4.14.1 and 4.15 this month, causing automated installation of the new version to fail.
Daz Wallace was the first MacAdmin to notice the change and begin digging in. I’m not going to rehash all his discovery here so make sure to read his blog post for the details.
Read on for the new scripts I am using with my Docker Desktop deployments via Munki going forward.
I first noticed the change when Munki tried to install 4.15, sourced via AutoPkg, onto my computer that morning.
Previously Munki was able to run the following command as a postinstall_script to simplify setup for all users and install components that standard users would not be able to without an admin password.
/Applications/Docker.app/Contents/MacOS/Docker --install-privileged-components
However starting in 4.15, attempting to use the --install-privileged-components flag results in an error:
Docker did highlight the change in the release notes:
Docker Desktop for Mac no longer needs to install the privileged helper process
com.docker.vmnetdon install or on the first run.
The release notes link to important documentation which in turn links to a second article:
Thankfully Daz was several hours ahead of me and gave me a great starting point for fixing the scripts to work best in my environment.
Obviously the existing postinstall_script used with Munki was no longer going to work, but in addition to changing it I also decided to dig in and add an uninstall_script as well.
One important thing to note is that all of my deployments are 1:1. If you are using Docker Desktop in a multi-user environment like a lab, you will need to explore additional options such as using a LaunchAgent or Outset to run the script at every login.
As outlined in the documentation there is a new --user flag that can be run to configure some, but not all, of the things the old --install-privileged-components flag did. This needs the currently logged in user to work correctly so we need to account for that in the script.
There is also an --accept-license flag to avoid users having to accept on first launch so we might as well add it.
As a result my new Munki postinstall_script checks for the logged in user, makes sure it is not at the login window and then runs the command:
#!/bin/zsh
currentUser="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ { print $3 }')"
if [ "${currentUser}" = "loginwindow" ]; then
echo "No user logged in, skipping Docker setup."
exit 1
else
"/Applications/Docker.app/Contents/MacOS/install" --accept-license --user "${currentUser}"
fi
Since the command needs to run with a user logged in and I want to make sure that happens, I have added a Munki preinstall_script to abort the installation/update if the Mac is at the login window:
#!/bin/zsh
currentUser="$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ { print $3 }')"
if [ "${currentUser}" = "loginwindow" ]; then
echo "No user logged in, skipping Docker install."
exit 1
fi
Finally I added a postuninstall_script to clean up when a user removes Docker using Munki. (The middle section could have been more compact with a “for loop” but I think listing out all the files makes the script easier to read for those new to shell scripting.)
#!/bin/zsh /bin/launchctl bootout system /Library/LaunchDaemons/com.docker.socket.plist /bin/rm -f /Library/LaunchDaemons/com.docker.socket.plist /bin/rm -f /private/var/run/docker.sock /bin/rm -f /usr/local/bin/com.docker.cli /bin/rm -f /usr/local/bin/docker /bin/rm -f /usr/local/bin/docker-compose /bin/rm -f /usr/local/bin/docker-compose-v1 /bin/rm -f /usr/local/bin/docker-credential-desktop /bin/rm -f /usr/local/bin/docker-credential-ecr-login /bin/rm -f /usr/local/bin/docker-credential-osxkeychain /bin/rm -f /usr/local/bin/docker-index /bin/rm -f /usr/local/bin/hub-tool /bin/rm -f /usr/local/bin/kubectl /bin/rm -f /usr/local/bin/kubectl-docker /bin/rm -f /usr/local/bin/vpnkit # These files are only installed if the user has tried to bind to a privileged port, they are not part of a default installation. if [ -f /Library/LaunchDaemons/com.docker.vmnetd.plist ]; then /bin/launchctl bootout system /Library/LaunchDaemons/com.docker.vmnetd.plist /bin/rm -f /Library/LaunchDaemons/com.docker.vmnetd.plist /bin/rm -f /Library/PrivilegedHelperTools/com.docker.vmnetd fi
Docker no longer installs the com.docker.vmnetd privileged helper at installation and waits until a user tries to bind to a privileged port before prompting for installation. This prompt will require admin credentials so it is another scenario you’ll need to consider if you manage standard users.
I hope these scripts help. Let me know if you are handling your Docker installs differently or have dealt with the changes in a multi-user environment.
Pingback: Weekly News Summary for Admins — 2023-01-13 – Scripting OS X