1. Allow filesystem support for namespaces: for an xfs partition, format with `mkfs.xfs -m crc=1 -n ftype=1`. The current CentOS 7 does this by default.
2. Enable kernel support:
```
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
```
Then reboot. If this is not done you should see something like:
```
oci runtime error: container_linux.go:247: starting container process caused "process_linux.go:245: running exec setns process for init caused \"exit status 29\""
```
3. In a development environment, set world execute permission on every directory on the path to the one you are mounting, and on the directories inside it:
```
chmod 755 /home /home/loco /home/loco/Projects
find passkeeper2 -type d -print0 | xargs -0 chmod 775
```
4. Enable Docker User Namespace support in /etc/docker/daemon.json:
```json
{
  ...
  "userns-remap": "django:django",
  ...
}
```
5. Create on the host the django user & group that will be mapped to the container root:
```
sudo useradd django -u 5000 -s /sbin/nologin -M
```
6. Map the container root user & group to the normal host user:
Map the django login (host-user-id = 5000) to the container root user (container-user-id = 0). Each line of /etc/subuid and /etc/subgid has the form:
```
<login>:<host-user-id>:<#_of_reserved_host_ids>
```
So `echo django:5000:1000 > /etc/subuid` will yield:

Container Login | Container ID | Host ID | Host Login
---|---|---|---
root | 0 | 5000 | django
mike | 500 | 5500 | -
joe | 1001 | - | -

Become root with `su` first (sudo cannot be used here: the `>` redirection is performed by your own unprivileged shell, not by sudo):
```
echo django:5000:1000 > /etc/subuid
echo django:5000:1000 > /etc/subgid
```
The name django and the user/group numbers are for illustration only.
The `<#_of_reserved_host_ids>` field sets the size of the range of ids that can be mapped; a container id at or beyond that range (joe, id 1001, in the table above) has no host id at all.
Permissions for any files copied from host to container must refer to an existing user and group.
Application files on the host that are linked into a container via docker-compose volumes should probably be owned by the mapped user on the host, e.g. django in this example. Test this, as it will have side effects!
```
sudo chown -R django:django /path/to/application/root
```
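The id arithmetic behind the table in step 6, together with the two host prerequisites from steps 1 and 2, is easy to get wrong by hand. The script below is an added example written for this page, not part of the gist or of Docker; the function names (`map_id`, `kernel_userns_enabled`, `xfs_ftype_ok`) are my own, and the kernel command line, `xfs_info` output and subuid entry it uses are constructed samples so that it runs offline. On a real host you would pass in `$(cat /proc/cmdline)`, the output of `xfs_info` for the mount point holding /var/lib/docker, and the actual lines of /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example (not from the original gist): compute which host uid/gid a
# container id lands on under a /etc/subuid or /etc/subgid entry, and check
# the kernel and filesystem prerequisites for user namespaces on CentOS 7.

# map_id '<login>:<host-start-id>:<range-size>' <container-id>
# Prints the host id, or "-" when the container id lies outside the reserved
# range (such ids have no host owner, so their files show up as nobody/nogroup).
map_id() {
    entry=$1
    cid=$2
    start=${entry#*:}; start=${start%%:*}   # second field: first host id
    count=${entry##*:}                       # third field: size of the range
    if [ "$cid" -ge 0 ] && [ "$cid" -lt "$count" ]; then
        echo $((start + cid))
    else
        echo "-"
    fi
}

# kernel_userns_enabled '<contents of /proc/cmdline>'
# Succeeds only when user_namespace.enable=1 is among the boot arguments,
# which is what the grubby command in step 2 adds.
kernel_userns_enabled() {
    for arg in $1; do
        [ "$arg" = "user_namespace.enable=1" ] && return 0
    done
    return 1
}

# xfs_ftype_ok '<output of xfs_info for the Docker data partition>'
# Succeeds when the naming line reports ftype=1 (step 1); ftype=0 filesystems
# cannot host the overlay storage driver.
xfs_ftype_ok() {
    case "$1" in
        *ftype=1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (assumed values, not captured from a real host).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-3.10.0 root=/dev/mapper/centos-root ro user_namespace.enable=1'
SAMPLE_XFS_INFO='naming   =version 2              bsize=4096   ascii-ci=0 ftype=1'
SUBUID_ENTRY='django:5000:1000'

if kernel_userns_enabled "$SAMPLE_CMDLINE"; then
    echo "kernel: user namespaces enabled"
else
    echo "kernel: add user_namespace.enable=1 with grubby and reboot"
fi
if xfs_ftype_ok "$SAMPLE_XFS_INFO"; then
    echo "xfs: ftype=1 ok"
else
    echo "xfs: reformat with mkfs.xfs -m crc=1 -n ftype=1"
fi

# Reproduce the mapping table from step 6 for the sample entry.
printf '%-14s %-10s (entry %s)\n' "container id" "host id" "$SUBUID_ENTRY"
for cid in 0 500 1001; do
    printf '%-14s %-10s\n' "$cid" "$(map_id "$SUBUID_ENTRY" "$cid")"
done
```

The third field is the one to size carefully: anything in the image that runs as a uid at or above that count (1001 in the sample) has no host counterpart, so files it creates on a bind mount will have an owner no host user matches.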
Introduction to User Namespaces in Docker Engine
Oracle: Configuring User Namespace Remapping
See also this gist: estesp/user-ns.md
This Gist is the result of this issue on GitHub
Hi, is it possible to use namespaces along with SELinux enabled?
I am getting this error when SELinux + namespaces are enabled. Namespaces work fine when SELinux is permissive.
Sorry if this is not the right place to ask this question. I was following the above instructions so I thought you may be able to help.
Thanks!