Debian10 Docker19 UserNs - ewsdocker/ewsdocker.github.io GitHub Wiki
Enable Docker v.19 User-Namespaces on Debian 10.6.0.
- November 20, 2020.
For a detailed discussion of how Linux and Docker User-Namespaces works, refer to the Linux LXC and Docker User Namespaces Resources wiki page.
| NOTICE |
|---|
| After following this procedure, previously downloaded docker images and/or created containers will NO LONGER be available with docker images or docker ps -a. They may be restored by renaming /etc/docker/daemon.json and then rebooting, at the cost of subordinate namespaces no longer being available. |
Enable Docker User-Namespaces
Login as root
Or su, or sudo -s, or use sudo before restricted commands.
Enable user-namespaces
Debian 10 ships with user-namespaces included in the kernel, but they are not enabled by default on older distributions. The following command shows the current status:
sysctl kernel.unprivileged_userns_clone
If the value is 0 (zero), execute the following 2 lines to enable the unprivileged user-namespaces and reload /proc:
sysctl -w kernel.unprivileged_userns_clone=1
service procps restart
Create docker remap user
Edit the file /etc/docker/daemon.json and add the following:
{
"userns-remap": "default"
}
Note: Use a comma (,) to separate entries in daemon.json.
Reboot and sign in as root (sudo -s).
This step will create the default user, dockremap.
Edit the file /etc/docker/daemon.json
Modify the userns-remap entry:
{
"userns-remap": "jay",
"max-concurrent-downloads": 1,
"max-concurrent-uploads": 1
}
where "jay" is replaced by a user name (e.g. yours) that exists in the /etc/passwd file.
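The two daemon.json edits above are easy to get wrong by hand (the comma note exists for a reason, and a daemon.json that fails to parse stops dockerd from starting). The following added example, which is not part of the original wiki page, merges the userns-remap key into an existing /etc/docker/daemon.json while keeping any other keys, refuses to overwrite a file that is not valid JSON, and writes the result atomically. The path, the helper names and the sample file contents are assumptions chosen for this example.

```python
"""Added example (not from the original wiki page): set "userns-remap" in
/etc/docker/daemon.json without clobbering settings the file already holds.
A file that does not parse (typically a missing comma between entries) is
rejected rather than silently replaced."""
import json
import os
import tempfile


def load_daemon_json(text):
    """Parse the body of daemon.json into a dict; "" (no file yet) yields {}.
    Raises ValueError for malformed JSON or a non-object top level."""
    if not text.strip():
        return {}
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("daemon.json is not valid JSON: %s" % exc) from exc
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    return config


def set_userns_remap(existing_text, remap_user, extra=None):
    """Return new daemon.json text with "userns-remap" set to remap_user
    ("default" for the dockremap user, or a name from /etc/passwd) and any
    keys in `extra` (e.g. the concurrency limits used on this page) merged in."""
    config = load_daemon_json(existing_text)
    config["userns-remap"] = remap_user
    config.update(extra or {})
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def write_daemon_json(path, remap_user, extra=None):
    """Rewrite `path` atomically: write a temp file in the same directory,
    then rename over the original, so dockerd never reads a half-written file."""
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    new_text = set_userns_remap(existing, remap_user, extra)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".daemon.json.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return new_text


if __name__ == "__main__":
    # Constructed sample: a daemon.json that already carries other settings.
    sample = '{"max-concurrent-downloads": 1, "max-concurrent-uploads": 1}'
    print(set_userns_remap(sample, "jay"))
    # Constructed broken sample (missing comma) is rejected, not overwritten.
    try:
        set_userns_remap('{"max-concurrent-downloads": 1 "userns-remap": "default"}', "jay")
    except ValueError as exc:
        print("rejected:", exc)
    # Real use (as root): write_daemon_json("/etc/docker/daemon.json", "jay",
    #     {"max-concurrent-downloads": 1, "max-concurrent-uploads": 1})
```

Run the script as root with write_daemon_json pointed at /etc/docker/daemon.json, then restart docker (or reboot, as the page does) for the new mapping to take effect.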
Configure subordinate user identifiers
Edit the file /etc/subuid and add the user IDs to be mapped, as shown below, if they don't already exist.
The format of the /etc/subuid file is
user-name:user-id:count
For example,
jay:1000:1
jay:100000:65536
dockremap:165536:65536
The first line maps the root user in the docker container to user id 1000 in the docker host (refer to Use Linux user namespaces to fix permissions in docker volumes for an explanation).
Configure subordinate group identifiers
Edit the file /etc/subgid and add the group IDs to be mapped, as shown below, if they don't already exist.
The format of the /etc/subgid file is
user-name:group-id:count
For example,
jay:1001:65536
jay:100000:65536
where 1001 is the group ID of the docker group rather than the user's own primary group ID (refer to Use Linux user namespaces to fix permissions in docker volumes for an explanation).
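Why the first subuid and subgid lines make container root show up as jay:docker on the host is easier to see when the mapping is computed explicitly. Docker concatenates the ranges listed for the remap user, in file order, into one contiguous ID map: the first range covers container ID 0 up to count-1, the next range continues from there, and so on (this is the same trick the linked article relies on). The following added example, which is not code from the wiki page, parses subuid/subgid-style text, builds that map, and translates IDs in both directions; the SUBUID and SUBGID strings are constructed copies of the values used on this page, and the function names are this example's own.

```python
"""Added example (not from the original wiki page): compute how Docker's
userns-remap translates container UIDs/GIDs into host IDs from /etc/subuid
and /etc/subgid entries. Assumes Docker maps the remap user's ranges
consecutively in file order (container ID 0 onward)."""

# Constructed copies of the /etc/subuid and /etc/subgid contents used above.
SUBUID = """\
jay:1000:1
jay:100000:65536
dockremap:165536:65536
"""

SUBGID = """\
jay:1001:65536
jay:100000:65536
"""


def parse_ranges(text, user):
    """Return [(host_start, count), ...] for `user`, in file order.
    Entries for other users, blank lines and comments are ignored."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_map(ranges):
    """Turn subordinate ranges into (container_start, host_start, count)
    triples, the same layout as a line of /proc/<pid>/uid_map."""
    mapping = []
    container_start = 0
    for host_start, count in ranges:
        mapping.append((container_start, host_start, count))
        container_start += count
    return mapping


def to_host(mapping, container_id):
    """Host ID that a container ID appears as on the host; None if unmapped."""
    for c_start, h_start, count in mapping:
        if c_start <= container_id < c_start + count:
            return h_start + (container_id - c_start)
    return None


def to_container(mapping, host_id):
    """Inverse lookup. None means the host ID is outside the container's map,
    so files owned by it show up inside the container as the overflow ID."""
    for c_start, h_start, count in mapping:
        if h_start <= host_id < h_start + count:
            return c_start + (host_id - h_start)
    return None


def expected_owner(user="jay"):
    """(host uid, host gid) of a file created by root:root inside a container
    run under userns-remap for `user`; this is what the ownership test on this
    page should print with ls -ln."""
    uid_map = build_map(parse_ranges(SUBUID, user))
    gid_map = build_map(parse_ranges(SUBGID, user))
    return to_host(uid_map, 0), to_host(gid_map, 0)


if __name__ == "__main__":
    uid_map = build_map(parse_ranges(SUBUID, "jay"))
    for entry in uid_map:
        print("uid_map line: %d %d %d" % entry)
    print("container root is host uid", to_host(uid_map, 0))
    print("container uid 1 is host uid", to_host(uid_map, 1))
    print("host uid 1001 inside the container:", to_container(uid_map, 1001))
    print("expected owner of /tmp/testfile (uid, gid):", expected_owner())
```

The one-entry first range is the whole point of the layout: only container root lands on jay's real UID, while every other container UID is pushed into the 100000+ range, so a process that escapes as a non-root container user still holds no host UID that owns anything outside the mapped range. Host IDs that are not in the map (jay's primary group, for instance) come back as None here, which on a real system means the file appears inside the container owned by the overflow ID (nobody/nogroup).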
Reboot
Test user-remapping
Download and start a simple command-shell container
docker run -it --name=shell --rm -v /tmp:/testdir alpine:latest /bin/sh
At the # prompt, create a file
touch /testdir/testfile
Check ownership of the file
ls -l /testdir/testfile
ls -ln /testdir/testfile
The first output should show ownership by root:root, and the second output should show ownership by 0:0.
Exit the docker container (exit)
Check the file ownership of the newly created /tmp/testfile
ls -l /tmp/testfile
ls -ln /tmp/testfile
The first output should show ownership by user-name:docker-group, and the second output should show ownership by user-id:docker-group-id. For the examples above, the file should be owned by jay:docker and 1000:1001.
Disable user-namespace remapping for a container
To disable Docker user namespace remapping on a per-container basis, add the following flag to the docker create, docker run and/or docker exec commands:
--userns=host
For additional information about Docker user namespaces or Linux LXC user namespaces, refer to the Linux LXC and Docker User Namespaces Resources wiki page.