FEATURE REQUEST
Description
--userns for docker service create and update would be useful.
I'm trying to use userns-remap to secure my cluster containers and services transparently by default, but I have a few services that need to mount files from the Docker host. I was hoping to use docker service create --userns=host ... for these few services, but there doesn't appear to be a way to do this using the normal command line. I suppose I could deploy a stack, but I'd rather not because it mangles the service name to be stack-service instead of just service.
I was hoping to use --user=ID to explicitly run the service with a specific host user, but this doesn't work because (I believe) the container's file system restricts access to only the root user. I might be able to work around this by modifying the Dockerfiles by adding a USER and setting the container filesystem permissions, but this breaks my hope for transparency.
Specifically, I'm requesting support for:
docker service create --userns=host ...
docker service update --userns=host ...
This will make it possible to secure Docker services by default without needing to munge Dockerfiles for any exceptions.
Related issue: #25303
Related PR (docker run): #20111
Output of docker version:
API version: 1.37 (minimum version 1.12)
Go version: go1.9.5
Git commit: 9ee9f40
Built: Thu Apr 26 07:15:30 2018
OS/Arch: linux/amd64
Experimental: false
rClient:: command not found
root@manager-0:~# Version: 18.03.1-ce
Version:: command not found
Output of docker info:
Containers: 7
Running: 2
Paused: 0
Stopped: 5
Images: 3
Server Version: 18.03.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: fluentd
Cgroup Driver: cgroupfs
Plugins:
Volume: local neon
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: active
NodeID: sw6o4jpzdwri2dz5zgvq6mju0
Is Manager: true
ClusterID: gq87clficzj7iaxahgafwri5w
Managers: 1
Nodes: 4
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot Interval: 10000
Number of Old Snapshots to Retain: 0
Heartbeat Tick: 1
Election Tick: 10
Dispatcher:
Heartbeat Period: 5 seconds
CA Configuration:
Expiry Duration: 3 months
Force Rotate: 0
Autolock Managers: false
Root Rotation In Progress: false
Node Address: 10.0.0.30
Manager Addresses:
10.0.0.30:2377
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 773c489c9c1b21a6d78b5c538cd395416ec50f88
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
userns
Kernel Version: 4.4.0-119-generic
Operating System: Ubuntu 16.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.936GiB
Name: manager-0
ID: BIYB:LQF3:PO5J:Z2EN:CCNF:3ERB:I7JV:KZNF:OVL4:KXUQ:RKKW:JJ75
Docker Root Dir: /mnt/docker/231072.231072
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://manager-0.neon-registry-cache.hive:5001/
https://docker.io/
Live Restore Enabled: false
Additional environment details (AWS, VirtualBox, physical, etc.):
Running on Windows 10/Pro on local Hyper-V Ubuntu 16.04 VMs.
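The access problem described in the request comes from how userns-remap maps ids: host files bind-mounted into a remapped service appear inside the container as owned by an unmapped (overflow) id unless their host owner falls in the daemon's subordinate range. The following is an added example, not code from the issue or from Docker, that models that mapping; the /etc/subuid line is constructed to match the remap base visible in the issue's "Docker Root Dir: /mnt/docker/231072.231072".

```python
# Added example (not from the issue or Docker): how ids map under userns-remap.
# The subuid line is constructed to match the remap base in the issue's
# 'Docker Root Dir: /mnt/docker/231072.231072'; real hosts may have several
# ranges per user, which is why the mapping walks a list.
from typing import List, Optional, Tuple

OVERFLOW_ID = 65534  # kernel overflowuid: how unmapped host ids appear inside

def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """Parse /etc/subuid or /etc/subgid ('user:start:count') into (start, count) ranges."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def remap_ids_from_root_dir(root_dir: str) -> Tuple[int, int]:
    """Under userns-remap 'Docker Root Dir' ends in '<uid>.<gid>' of the remapped root."""
    uid, gid = root_dir.rstrip("/").rsplit("/", 1)[1].split(".")
    return int(uid), int(gid)

def container_to_host(cid: int, ranges) -> Optional[int]:
    """Container id -> host id, walking ranges in order as the kernel's uid_map does."""
    offset = 0
    for start, count in ranges:
        if offset <= cid < offset + count:
            return start + (cid - offset)
        offset += count
    return None  # not mapped: such an id cannot exist inside the container

def host_to_container(hid: int, ranges) -> int:
    """Host id -> id seen inside the container; unmapped host ids show as OVERFLOW_ID."""
    offset = 0
    for start, count in ranges:
        if start <= hid < start + count:
            return offset + (hid - start)
        offset += count
    return OVERFLOW_ID

SUBUID_SAMPLE = "dockremap:231072:65536\n"  # constructed /etc/subuid content
RANGES = parse_subid(SUBUID_SAMPLE, "dockremap")

if __name__ == "__main__":
    print(remap_ids_from_root_dir("/mnt/docker/231072.231072"))  # (231072, 231072)
    print(container_to_host(0, RANGES))     # 231072: container root on the host
    print(host_to_container(1000, RANGES))  # 65534: host uid 1000 is 'nobody' inside
```

Chowning the host files to the host id that container_to_host returns for the service's in-container uid lets the files stay readable under userns-remap without needing --userns=host for that service.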