Setup User Namespaces for docker on RHEL/Centos 7.3

On CentOS 7.3 with Kernel Version: 3.10.0


1. Allow filesystem support for namespaces: an xfs partition must be formatted with `mkfs.xfs -m crc=1 -n ftype=1`. The current CentOS 7 does this by default.



2. Enable kernel support:

```
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
```

Then reboot. If this is not done you should see something like:

```
oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:245: running exec setns process for init caused \"exit status 29\""
```



3. In a development environment, give world execute permission on every directory above the one you are mounting, so the remapped host user can traverse the path down to the volume:

```
chmod 755 /home /home/loco /home/loco/Projects
find passkeeper2 -type d -print0 | xargs -0 chmod 775
```



4. Enable Docker user namespace support in /etc/docker/daemon.json:

```
{ ... "userns-remap": "django:django", ... }
```



5. Create the django user and group on the host; this is the host account that container root will be mapped to:

```
sudo useradd django -u 5000 -s /sbin/nologin -M
```



6. Map the container root user and group to the normal host user:

Map the django login (host-user-id = 5000) to the container root user (container-user-id = 0). Each line in /etc/subuid and /etc/subgid has the form:

```
<login>:<host-user-id>:<#_of_reserved_host_ids>
```

So `echo django:5000:1000 > /etc/subuid` will yield:

| Container Login | Container ID | Host ID | Host Login |
|-----------------|--------------|---------|------------|
| root            | 0            | 5000    | django     |
| mike            | 500          | 5500    | -          |
| joe             | 1001         | -       | -          |

Run the following as root via `su` (sudo cannot be used, because the redirection is performed by your own shell, not by sudo):

```
echo django:5000:1000 > /etc/subuid
echo django:5000:1000 > /etc/subgid
```

Notes:

django and the group/user numbers are for illustration.

The `<#_of_reserved_host_ids>` field sets the size of the range of ids that can be mapped; container ids at or beyond that count (joe above) have no host id.

Permissions for any files copied from host to container must refer to an existing user and group.

Application files on the host that are linked to a container via docker-compose volumes should probably be owned by the mapped user on the host, e.g. django in this example. Test this, as it will have side effects!

```
sudo chown -R django:django /path/to/application/root
```
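As an added example (not part of the original gist), the script below ties steps 2 and 6 together: `map_id` computes the host id a container id lands on from the subuid/subgid line format above, reproducing the root/mike/joe table, and the two check functions verify the boot parameter from step 2 (either spelling mentioned on this page) and the `max_user_namespaces` sysctl raised in the comments below. File paths are parameters with the real paths as defaults, so the functions can also be run against copies of the files; the `check` argument and the `report` function are this example's own convention.

```shell
#!/bin/sh
# Added example, not the gist's own code. Sanity checks for the user-namespace
# setup described above. All file paths are parameters (defaults are the live
# system files) so the functions can be exercised on sample files.

# Print the host id that CONTAINER_ID maps to for LOGIN under a subuid/subgid
# style FILE (lines of login:start:count), or "-" if it is outside every range.
# Container ids are assigned sequentially across the login's ranges in file order.
# Usage: map_id FILE LOGIN CONTAINER_ID
map_id() {
    file=$1; login=$2; cid=$3
    awk -F: -v login="$login" -v cid="$cid" '
        BEGIN { offset = 0; found = 0 }
        $1 == login {
            if (cid >= offset && cid < offset + $3) {
                print $2 + (cid - offset); found = 1; exit
            }
            offset += $3
        }
        END { if (!found) print "-" }' "$file"
}

# Return 0 if the kernel command line carries one of the two boot parameters
# mentioned on this page (user_namespace.enable=1 or namespace.unpriv_enable=1).
userns_enabled_on_cmdline() {
    cmdline=${1:-/proc/cmdline}
    grep -Eq '(^| )(user_namespace\.enable|namespace\.unpriv_enable)=1( |$)' "$cmdline"
}

# Return 0 if the max_user_namespaces sysctl is readable and greater than zero.
max_userns_ok() {
    f=${1:-/proc/sys/user/max_user_namespaces}
    [ -r "$f" ] && [ "$(cat "$f")" -gt 0 ] 2>/dev/null
}

# Human-readable report for the whole setup. LOGIN defaults to the gist's
# illustrative "django" account; the host id of container root is shown.
report() {
    login=${1:-django}
    if userns_enabled_on_cmdline; then
        echo "kernel cmdline: user namespaces enabled"
    else
        echo "kernel cmdline: boot parameter missing (step 2, then reboot)"
    fi
    if max_userns_ok; then
        echo "max_user_namespaces: $(cat /proc/sys/user/max_user_namespaces)"
    else
        echo "max_user_namespaces: 0 or unreadable (see comments below)"
    fi
    for kind in uid gid; do
        echo "container root $kind -> host $kind $(map_id /etc/sub$kind "$login" 0) (login $login)"
    done
}

# Run the report only when invoked as: sh check_userns.sh check [login]
if [ "${1:-}" = check ]; then
    shift
    report "$@"
fi
```

The awk loop models how a login with several subuid lines gets one contiguous container id space: the second line's host ids start where the first line's count ends. That is why `joe` at container id 1001 has no host id with a single `django:5000:1000` line, and why raising the count (or adding a second line) is the fix when a container image ships files owned by high uids.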

References:

Introduction_to_User_Namespaces_in_Docker_Engine

Oracle: Configuring User Namespace Remapping

See also this gist: estesp/user-ns.md

This Gist is the result of this issue on GitHub

@pjammer

pjammer commented Oct 20, 2017

Step two is the fix for `oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:245: running exec setns process for init caused \"exit status 29\""` if you have run yum upgrade and docker was in the upgraded mix, all on your CentOS 7 build, say on Rackspace. Remember the reboot, and if you use docker in, say, gitlab-ci or gitlab-multi-ci-runner you need the grubby line and reboot. Thanks so much!!! Also, we were on CentOS 7.4 when we were having this problem too.

@vikaschoudhary16

vikaschoudhary16 commented May 15, 2018

UPDATE: On rhel7.4, command is grubby --args="namespace.unpriv_enable=1" --update-kernel="$(grubby --default-kernel)"

@nvlonline

nvlonline commented Aug 7, 2018

Hi, is it possible to use namespaces along with SELinux enabled?
I am getting this error when SELinux + namespaces are enabled. Namespaces work fine when SELinux is permissive.

```
docker run -itd --name temp -p 80:80 httpd
3bf933e06b691666094ef78fcdd384ec65f9acd70df8d0e81979554d267dcdab
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:301: running exec setns process for init caused \"exit status 40\"": unknown.
```

Sorry if this is not the right place to ask this question. I was following the above instructions so I thought you may be able to help.

Thanks !

@starkriedesel

starkriedesel commented Jan 31, 2019

Still had the `"process_linux.go:245: running exec setns process for init caused \"exit status 29\""` error after enabling userns with grubby. Found that the maximum user namespaces defaults to 0 on CentOS/RHEL. Fixed by setting it to a higher amount: `echo 10000 > /proc/sys/user/max_user_namespaces`. Make sure to set the value in the /etc/sysctl.conf file to persist past reboots.

https://superuser.com/questions/1294215/is-it-safe-to-enable-user-namespaces-in-centos-7-4-and-how-to-do-it
