Debian9 Docker17 UserNs - ewsdocker/ewsdocker.github.io GitHub Wiki
| NOTICE |
|---|
| For Docker version 18.01 or newer, go to the Enable Docker v.18 User-Namespaces on Debian 9.4 wiki page. |
| NOTICE |
|---|
| After following this procedure, previously downloaded images and previously created containers will NO LONGER be available. They can be restored by renaming /etc/docker/daemon.json and rebooting, at the cost of subordinate namespaces no longer being available. |
For a detailed discussion of how Linux and Docker user namespaces work, refer to the Linux LXC and Docker User Namespaces Resources wiki page.
In particular, Use Linux user namespaces to fix permissions in docker volumes, at Jujens Blog, is an excellent reference.
The following procedure appears to work, and has been used on Debian 9.2 with docker-ce 17.09, and on Debian 9.3 with docker-ce versions 17.10 and 17.12:
1. Edit the file /etc/docker/daemon.json and add the following:

```json
{
  "userns-remap": "user-name"
}
```

where user-name is the user being added to /etc/subuid and /etc/subgid. The quotes must be straight ASCII double quotes; typographic quotes make the file invalid JSON and the daemon will not start.

Note: if daemon.json already contains other settings, separate the entries with commas (,), as JSON requires.
2. Configure subordinate user identifiers

Edit the file /etc/subuid and add the user ids to be mapped. Each line of /etc/subuid has the format

```
user-name:user-id:count
```

For example,

```
jay:1000:1
jay:100000:65536
```
3. Configure subordinate group identifiers

Edit the file /etc/subgid and add the group ids to be mapped. Each line of /etc/subgid has the format

```
user-name:group-id:count
```

For example,

```
jay:1002:65536
jay:100000:65536
```

where 1002 is the group id of the docker group, rather than the user's primary group id.
4. Reboot to apply the changes.

Log in as a regular user and run the following tests:
1. Download and start a simple command-shell container:

```sh
docker run -it --name=shell --rm -v /tmp:/testdir alpine:latest /bin/sh
```

2. At the # prompt, create a file:

```sh
touch /testdir/testfile
```

3. Check the ownership of the file from inside the container:

```sh
ls -l /testdir/testfile
ls -ln /testdir/testfile
```

The first output should show ownership by root:root, and the second output should show ownership by 1:1.
4. Exit the container (exit), then check the ownership of the newly created /tmp/testfile on the host:

```sh
ls -l /tmp/testfile
ls -ln /tmp/testfile
```

The first output should show ownership by user-name:docker-group, and the second output should show ownership by user-id:docker-group-id.
For the examples above, the output should show the file owned by jay:docker and 1000:1002.
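The following script is an added example and is not part of the wiki or of Docker itself. It reproduces the id arithmetic behind the configuration steps and the ownership results above: Docker builds the container's uid and gid maps from the user's lines in /etc/subuid and /etc/subgid in file order, so container id 0 lands at the start of the first range and each range covers `count` ids. The script writes constructed copies of the wiki's example subuid, subgid and daemon.json entries to a temporary directory (it does not touch the real files), extracts the remap user from daemon.json, translates container ids to host ids, and checks a file's numeric owner the same way the `ls -ln` tests do. The function names `remap_user`, `map_id`, `owner_ids` and `expect_owner` are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki: the uid/gid remapping arithmetic behind
# the ownership results above, run against constructed copies of the wiki's
# example entries (written to a temporary directory, never to /etc).

TMPD=$(mktemp -d)
SUBUID_FILE=$TMPD/subuid
SUBGID_FILE=$TMPD/subgid
DAEMON_JSON=$TMPD/daemon.json

# Constructed sample input: the same entries the wiki uses as examples.
printf 'jay:1000:1\njay:100000:65536\n' > "$SUBUID_FILE"
printf 'jay:1002:65536\njay:100000:65536\n' > "$SUBGID_FILE"
printf '{\n  "userns-remap": "jay"\n}\n' > "$DAEMON_JSON"

# remap_user FILE: print the user named by "userns-remap" in a daemon.json.
# Only straight ASCII double quotes match; a file written with typographic
# quotes is not valid JSON, so nothing is printed and the misconfiguration
# is visible before the daemon refuses to start.
remap_user() {
    sed -n 's/.*"userns-remap"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# map_id USER CONTAINER_ID FILE: print the host id that CONTAINER_ID maps to
# under USER's ranges in FILE (/etc/subuid or /etc/subgid layout).
# Ranges are consumed in file order: container ids 0..count1-1 come from the
# first line, the next count2 ids from the second line, and so on.
# Returns 1 when CONTAINER_ID lies beyond every range (it is unmapped).
map_id() {
    awk -F: -v u="$1" -v cid="$2" '
        $1 == u {
            start = $2 + 0; count = $3 + 0
            if (cid < base + count) { print start + (cid - base); found = 1; exit }
            base += count
        }
        END { if (!found) exit 1 }
    ' "$3"
}

# owner_ids PATH: print "uid:gid" of PATH numerically, as `ls -ln` shows it.
owner_ids() {
    ls -ln "$1" | awk '{ print $3 ":" $4 }'
}

# expect_owner PATH UID GID: succeed only if PATH is owned by UID:GID on the host.
expect_owner() {
    [ "$(owner_ids "$1")" = "$2:$3" ]
}

# Worked check of the wiki's figures: a file created by container root (0:0)
# should appear on the host as 1000:1002, i.e. jay:docker.
REMAP_USER=$(remap_user "$DAEMON_JSON")
HOST_UID=$(map_id "$REMAP_USER" 0 "$SUBUID_FILE")
HOST_GID=$(map_id "$REMAP_USER" 0 "$SUBGID_FILE")
echo "container root (0:0) maps to host $HOST_UID:$HOST_GID for user $REMAP_USER"
```

Note that the first subuid line `jay:1000:1` is what pins container uid 0 to the host uid 1000; container uid 1 already comes from the second range and maps to host uid 100000. On the gid side the first line starts at 1002 with a count of 65536, so container gid 0 maps to the docker group, and container gids 1 through 65535 land on host gids 1003 through 66537.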
For additional information about Docker user namespaces or Linux LXC user namespaces, refer to the Linux LXC and Docker User Namespaces Resources wiki page.