
Is it possible to use the docker socket mounted from the host inside a docker container when using user namespaces?

I have the following configuration:

/etc/subuid

 user:100000:65536

/etc/subgid

 user:100000:65536

/etc/docker/daemon.json

{
  "userns-remap": "ns-user"
}

I've created user ns-user with UID 100000 and group ns-user with GID 100000. Additionally, I've added ns-user to the docker group. When I log in as ns-user on the host machine, I can use docker via the socket.

The problem is that when I run a container with the docker socket mounted, I get permission denied on the socket. Socket privileges inside the docker container:

srw-rw---- 1 nobody nogroup 0 Jun 26 15:00 /var/run/docker.sock

EDIT 1:

To clarify, I thought that root (uid 0) inside the container maps to ns-user (uid 100000) on the host, which has permission to the docker socket, but in fact I get permission denied. Why?

I do not want to use the --userns=host parameter.

lbednaszynski
  • How are you launching your docker run command? Are you setting `-v /var/run/docker.sock:/var/run/docker.sock`? – OscarAkaElvis Jun 26 '17 at 15:22
  • `docker run --rm -it --entrypoint bash -v /var/run/docker.sock:/var/run/docker.sock myimage`, where my image has the docker client bundled. – lbednaszynski Jun 26 '17 at 16:12
  • Right now I resolved this by connecting through HTTP instead of using the socket. I configured the docker daemon to bind on the docker bridge interface only. But the question is still open. Is it possible to do this using the socket? – lbednaszynski Jun 29 '17 at 09:11
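An added example (not code from the question or either answer) that replays the permission check behind the "Why?": under userns-remap, container uid 0 becomes the remap user's first subordinate uid and gid 0 its first subordinate gid, and host supplementary groups such as docker never reach the container, so a root:docker 0660 socket stays denied until an ACL entry for that uid (the setfacl answer) or a socket owned by it (the socat answer) grants access. The subuid/subgid contents, the docker gid and the ACL text are constructed sample data.

```shell
#!/bin/sh
# Added example; not code from the question or either answer.
# Replays the kernel's access check for container root under userns-remap:
# uid 0 maps to the remap user's first subordinate uid, gid 0 to its first
# subordinate gid, and host supplementary groups (docker) are never part of
# the container's credentials, so only owner/other bits or a uid ACL entry
# can grant rw on /var/run/docker.sock.

# Constructed sample data mirroring the question's setup.
SUBUID_SAMPLE='ns-user:100000:65536'
SUBGID_SAMPLE='ns-user:100000:65536'
SOCK_OWNER=0           # socket is root:docker 0660 on the host
SOCK_GROUP=999         # docker group gid (constructed value)
SOCK_MODE=0660
ACL_AFTER_FIX='user:100000:rw-'   # entry added by the setfacl answer

# Print the first subordinate id of user $2 in subuid/subgid content $1.
remap_base() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2; exit }'
}

# Classic mode check: uid $1 / gid $2 on a file owned $3:$4 with mode $5.
mode_allows_rw() {
    if [ "$1" -eq "$3" ]; then bits=$(( ($5 >> 6) & 7 ))
    elif [ "$2" -eq "$4" ]; then bits=$(( ($5 >> 3) & 7 ))
    else bits=$(( $5 & 7 )); fi
    [ $(( bits & 6 )) -eq 6 ] && echo ok || echo denied
}

# ACL check: $1 is getfacl-style text, $2 the uid that needs rw.
acl_allows_rw() {
    printf '%s\n' "$1" | grep -q "^user:$2:rw" && echo ok || echo denied
}

# Decide for remap user $1 given ACL text $2 (empty = no ACL applied).
container_root_can_use_socket() {
    uid=$(remap_base "$SUBUID_SAMPLE" "$1")
    gid=$(remap_base "$SUBGID_SAMPLE" "$1")
    if [ "$(mode_allows_rw "$uid" "$gid" "$SOCK_OWNER" "$SOCK_GROUP" "$SOCK_MODE")" = ok ] ||
       [ "$(acl_allows_rw "$2" "$uid")" = ok ]; then
        echo ok
    else
        echo denied
    fi
}

echo "without ACL: $(container_root_can_use_socket ns-user '')"              # denied
echo "with ACL:    $(container_root_can_use_socket ns-user "$ACL_AFTER_FIX")"  # ok
```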

2 Answers

You can do this by using socat to create a socket with the right privileges for the namespace user:

sudo socat UNIX-LISTEN:/var/run/docker-userns.sock,user=1000,group=1000,mode=0600,fork UNIX-CLIENT:/var/run/docker.sock &

You'll need to write a script that starts this before your container is started. It will still work if the socket comes up after docker; your containers might just restart a few times until they are able to connect to the user socket.

I've been looking for something a bit more configurable than this. You could probably use a Python script using the pty module, as mentioned here.

Routhinator

I had the same problem recently. Another solution, which I prefer, is ACLs (access control lists). Just grant rw permissions to the namespaced user:

setfacl -m u:dockroot:rw /var/run/docker.sock

where dockroot is my custom user with UID 100000.

Then automate granting the permissions with systemd by creating a custom service:

/etc/systemd/system/docker-userns-socket.service

[Unit]
Description=Docker socket permissions for user namespaces
Requires=docker.socket
# Requires= pulls the unit in but does not order it; After= makes sure
# /var/run/docker.sock already exists when setfacl runs.
After=docker.socket
Before=docker.service

[Service]
Type=oneshot
User=root
ExecStart=/usr/bin/setfacl -m u:dockroot:rw /var/run/docker.sock
Restart=on-failure

[Install]
WantedBy=multi-user.target

Next, create an override.conf for the docker service:

systemctl edit docker.service

Add the following 3 lines between the generated comments. The key here is the occurrences of docker-userns-socket.service; those are the only added content compared to the original After and Requires lines:

### Editing /etc/systemd/system/docker.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Unit]
After=network-online.target docker.socket docker-userns-socket.service firewalld.service containerd.service
Requires=docker.socket docker-userns-socket.service containerd.service

### Lines below this comment will be discarded
...

This way permissions are granted automatically after every reboot.

dominik