Enable User Namespaces for Docker on EL7-based Systems

enable_namespaces_el7.sh

#!/bin/bash

# Super basic script outlining the steps to enable namespace support for Docker on
# el7-base systems (CentOS7, RHEL7, etc).

set -e

echo "Enabling user_namespace kernel option..."

grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"

REMAP_USER="docker_runner"
ALLOWED_UIDS=65536
START_UID=500000

echo "Adding docker_runner user"

if ! grep ${REMAP_USER} /etc/passwd
then
  useradd ${REMAP_USER}
fi

echo "Mapping ${REMAP_USER}, allowing ${ALLOWED_UIDS} UIDs, starting at ${START_UID}"
sudo sh -c "echo ${REMAP_USER}:${START_UID}:${ALLOWED_UIDS} > /etc/subuid"
sudo sh -c "echo ${REMAP_USER}:${START_UID}:${ALLOWED_UIDS} > /etc/subgid"

echo "Enabling namespace remapping in Docker"

if ! grep userns-remap /etc/sysconfig/docker
then
  sed -i "s/OPTIONS='/OPTIONS='--userns-remap=${REMAP_USER} /" /etc/sysconfig/docker
fi

echo "Restarting the Docker daemon"

systemctl restart docker.service

echo "Adding sudo rules for ${REMAP_USER}"

cat <<EOF > /tmp/15_${REMAP_USER}
Defaults:${REMAP_USER} !requiretty
${REMAP_USER} ALL=NOPASSWD: /usr/bin/docker *
EOF

echo "Validating temp sudoers file"

if visudo -cf /tmp/15_${REMAP_USER}
then
  echo "Valid..., copying in place"
  mv /tmp/15_${REMAP_USER} /etc/sudoers.d/
else
  echo "/tmp/15_${REMAP_USER} not valid:"
  cat /tmp/15_${REMAP_USER}
  exit 1
fi

echo "Now, Give your users access to become ${REMAP_USER}"
echo "and then reboot to enable user_namespace in the kernel"
echo ""
echo "The End"

this is great! I'm am stealing. 👍
Is there a way to use a unix group instead of a single user?