@rdesfo
Created April 18, 2017 17:02
h-entry test
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Desfo.org - Enabling Docker's User Namespaces in Nixos</title>
<link rel="stylesheet" type="text/css" href="../css/default.css" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js" integrity="sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS" crossorigin="anonymous"></script>
<script src="https://use.fontawesome.com/cd724a90ce.js"></script>
</head>
<body>
<nav class="navbar navbar-default navbar-fixed-top shadow">
<div class="container">
<div class="navbar-header">
<a class="navbar-brand navbar-left" href="#">Ryan Desfosses</a>
<button class="navbar-toggle collapsed" type="button" data-toggle="collapse" data-target="#navbar-collapse" aria-expanded="false">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
</div>
<div class="collapse navbar-collapse" id="navbar-collapse">
<ul role="navigation" class="nav navbar-nav navbar-right">
<li role="navigation"><a href="../index.html#Home">Home</a></li>
<li role="navigation"><a href="../index.html#About">About</a></li>
<li role="navigation"><a href="../index.html#Post">Post</a></li>
<li role="navigation"><a href="../cv.html">CV</a></li>
</ul>
</div>
</div>
</nav>
<div class="container">
<div class="article">
<header>
<h1 class="entry-title p-name">Enabling Docker's User Namespaces in Nixos</h1>
<span class="info">
Posted on <time class="value">August 29, 2016</time>
by <a href="http://www.desfo.org/" class="h-card">Ryan Desfosses</a>
</span>
</header>
<div class="entry-content e-content">
<p>Since Docker 1.10 the daemon can run a container's root user with the administrative privileges it expects inside the container while mapping that same user to an unprivileged uid on the host (user namespace remapping).</p>
<p>In NixOS this takes a few lines in <em>configuration.nix</em>, followed by <code>nixos-rebuild switch</code> and a <code>reboot</code>.</p>
<div class="sourceCode"><pre class="sourceCode nix"><code class="sourceCode bash"> <span class="ex">virtualisation.docker.extraOptions</span> = <span class="st">&quot;--userns-remap=default&quot;</span><span class="kw">;</span>
<span class="ex">...</span>
<span class="ex">...</span>
<span class="ex">users.groups.dockremap.gid</span> = 10000<span class="kw">;</span>
<span class="ex">users.users</span> = {
<span class="ex">dockremap</span> = {
<span class="ex">isSystemUser</span> = true<span class="kw">;</span>
<span class="ex">uid</span> = 10000<span class="kw">;</span>
<span class="ex">group</span> = <span class="st">&quot;dockremap&quot;</span><span class="kw">;</span>
<span class="ex">subUidRanges</span> = [
<span class="kw">{</span> <span class="ex">startUid</span> = 100000<span class="kw">;</span> <span class="ex">count</span> = 65536<span class="kw">;</span> <span class="kw">}</span>
];
<span class="ex">subGidRanges</span> = [
<span class="kw">{</span> <span class="ex">startGid</span> = 100000<span class="kw">;</span> <span class="ex">count</span> = 65536<span class="kw">;</span> <span class="kw">}</span>
];
};
};</code></pre></div>
<p>The first line tells the Docker daemon to enable user namespace remapping; <code>default</code> makes it look up the subordinate uid and gid ranges of a user named <em>dockremap</em>. On a conventional distribution dockerd creates that user itself with <code>useradd</code>, but NixOS manages accounts declaratively, so the remaining lines declare the <em>dockremap</em> user and group and give them a subordinate range of 65536 ids starting at 100000; NixOS generates the matching entries in <em>/etc/subuid</em> and <em>/etc/subgid</em>. Root inside a container therefore runs as uid 100000 on the host, container uid 1 as 100001, and so on.</p>
<p>After the reboot, verify the remap before relying on it: a running container's <em>/proc/PID/uid_map</em> on the host should read <code>0 100000 65536</code> rather than <code>0 0 4294967295</code>, and Docker keeps remapped images and containers under a separate <em>/var/lib/docker/100000.100000</em> directory, so previously pulled images have to be pulled again. Keep the subordinate range clear of real host accounts, since a container uid that aliases a host user would have that user's access to any bind-mounted directory. More information regarding the user namespace feature, as well as its known restrictions (for example, <code>--privileged</code>, <code>--net=host</code> and <code>--pid=host</code> are refused for remapped containers), can be found in the <a href="https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-user-namespace-options">dockerd docs</a>.</p>
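<p>The following shell helpers are an added example, not code from the original post nor from NixOS or Docker. They check the three things the configuration above is supposed to produce: a subordinate range for the remap user in <em>/etc/subuid</em>, a range that does not overlap any real account in <em>/etc/passwd</em>, and a container whose root actually lands inside that range according to its <em>/proc/PID/uid_map</em>. Every function reads its input on stdin, so the same code can be fed the live files on the host or the constructed samples embedded below; the user name <code>dockremap</code>, the range <code>100000:65536</code> and the sample file contents are assumptions taken from the configuration above, and the <code>docker inspect</code> usage in the comments assumes a running container.</p>

```bash
#!/usr/bin/env bash
# Added verification helpers (not part of the original post, NixOS or Docker).
# Each function reads a file's contents on stdin so it works on the live host
# or on the constructed samples at the bottom.

# Print "start count" for <user> from subuid/subgid-style "name:start:count" lines.
# Returns 1 when the user has no entry (dockerd refuses to start remapping then).
subid_range() {            # usage: subid_range <user> < /etc/subuid
  local user="$1" name start count
  while IFS=: read -r name start count; do
    if [ "$name" = "$user" ]; then
      printf '%s %s\n' "$start" "$count"
      return 0
    fi
  done
  return 1
}

# Return 1 if any account in passwd-style input has a uid inside [start, start+count).
# A container uid that aliases a host account would get that account's access to
# bind-mounted directories, so the remap range must not overlap real users.
range_clear_of_passwd() {  # usage: range_clear_of_passwd <start> <count> < /etc/passwd
  local start="$1" count="$2" end name pw uid rest
  end=$((start + count))
  while IFS=: read -r name pw uid rest; do
    [ -z "$uid" ] && continue
    if [ "$uid" -ge "$start" ] && [ "$uid" -lt "$end" ]; then
      printf 'host account %s (uid %s) lies inside the remap range\n' "$name" "$uid" >&2
      return 1
    fi
  done
  return 0
}

# Read a /proc/PID/uid_map ("container_id host_id length" per line) and return 0
# only if container uid 0 maps to a host uid that is non-zero and inside the
# expected range. A map of "0 0 4294967295" means there is no user namespace.
root_is_remapped() {       # usage: root_is_remapped <start> <count> < /proc/PID/uid_map
  local start="$1" count="$2" end cuid huid len
  end=$((start + count))
  while read -r cuid huid len; do
    [ -z "$cuid" ] && continue
    if [ "$cuid" -eq 0 ]; then
      if [ "$huid" -ne 0 ] && [ "$huid" -ge "$start" ] && [ "$huid" -lt "$end" ]; then
        return 0
      fi
      return 1
    fi
  done
  return 1
}

# Run all three checks. Arguments are file contents, not paths, so the caller
# decides whether they come from the live system or from samples.
check_remap() {  # usage: check_remap <user> <subuid> <passwd> <uid_map>
  local user="$1" subuid="$2" passwd="$3" uidmap="$4" range start count
  range=$(printf '%s\n' "$subuid" | subid_range "$user") || return 1
  start=${range% *}
  count=${range#* }
  printf '%s\n' "$passwd" | range_clear_of_passwd "$start" "$count" || return 1
  printf '%s\n' "$uidmap" | root_is_remapped "$start" "$count"
}

# Constructed sample input (assumed), standing in for the live files on a NixOS
# host built from the configuration above.
SAMPLE_SUBUID='dockremap:100000:65536'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
dockremap:x:10000:10000::/var/empty:/bin/false'
SAMPLE_UID_MAP_OK='         0     100000      65536'
SAMPLE_UID_MAP_NONE='         0          0 4294967295'

# Live use on the host after nixos-rebuild switch and a reboot (assumed: a
# container started with `docker run -d --name userns-test alpine sleep 300`):
#   pid=$(docker inspect -f '{{.State.Pid}}' userns-test)
#   check_remap dockremap "$(cat /etc/subuid)" "$(cat /etc/passwd)" "$(cat /proc/$pid/uid_map)" \
#     && echo "container root is remapped" || echo "container root is NOT remapped"

if check_remap dockremap "$SAMPLE_SUBUID" "$SAMPLE_PASSWD" "$SAMPLE_UID_MAP_OK"; then
  echo "sample with userns: container root is remapped"
fi
if ! check_remap dockremap "$SAMPLE_SUBUID" "$SAMPLE_PASSWD" "$SAMPLE_UID_MAP_NONE" 2>/dev/null; then
  echo "sample without userns: container root is host root"
fi
```

<p>The passwd overlap check is the one most often skipped: a range such as <code>100000:65536</code> is safe on a default NixOS install because ordinary users start at uid 1000 and system users sit below that, but on a host that takes uids from LDAP or another directory service the range must be chosen around those accounts too.</p>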
</div>
</div>
</div>
</div>
</body>