@dpneumo
Last active September 11, 2019 17:00
Setup User Namespaces for docker on RHEL/Centos 7.3

On CentOS 7.3 with Kernel Version: 3.10.0


1. Filesystem support: an XFS partition backing /var/lib/docker must be formatted with `mkfs.xfs -m crc=1 -n ftype=1`. ftype=1 gives d_type support, which Docker's overlay storage drivers require; it is a general Docker requirement rather than something specific to user namespaces. Current CentOS 7 installs do this by default; xfs_info on an existing filesystem reports ftype=1 if so.



2. Enable kernel support:

```
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
```

Then reboot. If this is not done, `docker run` fails with something like:

```
oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:245: running exec setns process for init caused \"exit status 29\""
```

The same `setns ... exit status 29` error also appears when the kernel allows user namespaces but the `user.max_user_namespaces` sysctl is 0, which some 7.x kernels use as the default; see the comment from @starkriedesel below for raising it.



3. In a development environment, give every directory on the path above the one you are mounting world execute (search) permission, so that the remapped container root (host uid 5000, which does not own your home directory) can traverse into the mount; then open up the project tree itself:

```
chmod 755 /home /home/loco /home/loco/Projects
find passkeeper2 -type d -print0 | xargs -0 chmod 775
```



4. Enable Docker user namespace support in /etc/docker/daemon.json, then restart the daemon (`systemctl restart docker`):

```
{ ... "userns-remap": "django:django", ... }
```

With remapping on, the daemon keeps images and containers under a separate root, /var/lib/docker/5000.5000 for this mapping, so anything pulled or built before the switch is not visible to remapped containers.



5. Create the django user and group on the host. This is the account container root will map to; it gets no home directory and no login shell, since nothing ever logs in as it. useradd on CentOS creates a matching django group by default.

```
sudo useradd django -u 5000 -s /sbin/nologin -M
```



6. Map the container root user & group to the host user:

An /etc/subuid (and /etc/subgid) entry has the form

```
<login>:<first-host-id>:<number-of-host-ids>
```

Docker matches the entry against the user named in `userns-remap`. Container id N is mapped to host id `first-host-id + N` for N below `number-of-host-ids`; larger container ids have no host id at all and appear inside the container as the overflow id (65534, `nobody`). Starting the range at 5000, django's own uid, is what makes container root (container uid 0) the host user django. So `django:5000:1000` yields:

| Container login | Container ID | Host ID | Host login |
|---|---|---|---|
| root | 0 | 5000 | django |
| mike | 500 | 5500 | - |
| joe | 1001 | - | - |

Write the entries as root via `su` rather than `sudo`: with `sudo echo ... > /etc/subuid` the redirection is performed by the unprivileged shell, not by sudo, and is denied. Note that `>` replaces the whole file; if other users already have ranges in it, append with `>>` instead.

```
echo django:5000:1000 > /etc/subuid
echo django:5000:1000 > /etc/subgid
```
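The six steps above come down to edits of three files plus a reboot, and the mapping arithmetic is easy to get wrong. The following helper is an added example, not code from the gist or from Docker, that dry-runs that arithmetic and the step 3 permission check before anything is changed: it maps container ids to host ids for a given subuid/subgid entry, maps host ids back the other way (useful when deciding what to chown a bind-mounted tree to), and walks the ancestors of a bind-mount path checking for o+x. The values django, 5000 and 1000 come from the gist; the function names, the `demo` argument and the file name userns-check.sh are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: dry-run helpers for the userns-remap
# procedure above. The values django, 5000 and 1000 are the gist's; the
# function names and the "demo" argument are this example's own.

# Translate a container uid/gid to its host id under one /etc/subuid or
# /etc/subgid entry of the form login:start:count. Container ids at or beyond
# count have no host id (inside the container they show up as the overflow
# id, 65534/nobody).
subid_map() {
    entry=$1; cid=$2
    rest=${entry#*:}                     # strip "login:"
    start=${rest%%:*}; count=${rest#*:}
    if [ "$cid" -ge 0 ] && [ "$cid" -lt "$count" ]; then
        echo $((start + cid))
    else
        echo unmapped
    fi
}

# Inverse direction: the container id a host-owned file shows up as. Use it
# to pick chown targets for a bind-mounted tree (host 5000 -> container root).
host_to_container() {
    entry=$1; hid=$2
    rest=${entry#*:}
    start=${rest%%:*}; count=${rest#*:}
    if [ "$hid" -ge "$start" ] && [ "$hid" -lt $((start + count)) ]; then
        echo $((hid - start))
    else
        echo unmapped
    fi
}

# Step 3 check: every directory on the path above a bind-mounted directory
# must be world-executable (o+x) or the remapped container root cannot
# traverse into the mount. Walks from DIR up to TOP (default /), prints each
# offender and returns 1 if there was any. Uses GNU "stat -c %a" (coreutils).
ancestors_missing_exec() {
    dir=$(cd "$1" && pwd -P) || return 2
    top=$(cd "${2:-/}" && pwd -P) || return 2
    bad=0
    while [ "$dir" != "$top" ] && [ "$dir" != / ]; do
        dir=$(dirname "$dir")
        mode=$(stat -c %a "$dir")
        other=${mode#"${mode%?}"}        # last octal digit = "other" bits
        case $other in
            1|3|5|7) ;;                  # execute (search) bit present
            *) echo "$dir: mode $mode lacks o+x"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage demo: print the step 6 mapping table and check a mount path, e.g.
#   sh userns-check.sh demo /home/loco/Projects/passkeeper2
if [ "${1:-}" = demo ]; then
    for cid in 0 500 999 1000 1001; do
        printf 'container id %-5s -> host id %s\n' \
            "$cid" "$(subid_map django:5000:1000 "$cid")"
    done
    ancestors_missing_exec "${2:-.}" && echo "all ancestors have o+x"
fi
```

Once the real files are in place and the daemon has been restarted, `docker info` lists `userns` under Security Options and shows the remapped directory (/var/lib/docker/5000.5000 here) as Docker Root Dir, which confirms the remap took effect.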

Notes:

django and the uid/gid numbers are for illustration.

The <number-of-host-ids> sets the size of the range of ids that can be mapped; a container user whose id is outside that range has no host identity.

Ownership of any file shared between host and container must refer to a uid/gid that exists on both sides of the mapping.

Application files on the host that are bind-mounted into a container via docker-compose volumes should probably be owned by the mapped user on the host, django in this example, since host uid 5000 is container root; a container process running as container uid N needs files owned by host uid 5000+N instead. Test this, as it has side effects (the host user django then owns the tree):

```
sudo chown -R django:django /path/to/application/root
```

References:

Introduction_to_User_Namespaces_in_Docker_Engine

Oracle: Configuring User Namespace Remapping

See also this gist: estesp/user-ns.md

This Gist is the result of this issue on GitHub

@nvlonline

Hi, is it possible to use namespaces along with SELinux enabled?
I am getting this error when SELinux + namespaces are enabled. Namespaces work fine when SELinux is permissive.

docker run -itd --name temp -p 80:80 httpd
3bf933e06b691666094ef78fcdd384ec65f9acd70df8d0e81979554d267dcdab
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:301: running exec setns process for init caused \"exit status 40\"": unknown.

Sorry if this is not the right place to ask this question. I was following the above instructions so I thought you may be able to help.

Thanks!

@starkriedesel

Still had the "process_linux.go:245: running exec setns process for init caused \"exit status 29\"" error after enabling userns with grubby. Found that the maximum user namespaces defaults to 0 on CentOS/RHEL. Fixed by setting to a higher amount: echo 10000 > /proc/sys/user/max_user_namespaces. Make sure to set the value in the /etc/sysctl.conf file to persist past reboots.

https://superuser.com/questions/1294215/is-it-safe-to-enable-user-namespaces-in-centos-7-4-and-how-to-do-it
