Hi @hallyn, thanks for contribution. Could you do the following :

• Using a better title for the PR "2016 03 02/nest.partial" doesn't really help us to know what it relates to ("Run docker daemon inside a docker namespace enabled engine" could be better).
• We do not change anything that is in vendor/ directory is not, changes on those must be done upstream (in opencontainers/runc in your case).
• Please use gofmt -s -w on the file changed

09:05:06 ---> Making bundle: validate-gofmt (in bundles/1.11.0-dev/validate-gofmt)
09:05:07 These files are not properly gofmt'd:
09:05:07  - pkg/archive/archive.go

D'oh! the third patch (which edits vendor/) was supposed to be removed and is in fact already a PR against opencontainers/runc. Removing it for real now.

ping @estesp for user namespaces

Got panics on CI

09:14:51 Error response from daemon: Untar re-exec error: exit status 2: output: panic: runtime error: invalid memory address or nil pointer dereference
09:14:51 [signal 0xb code=0x1 addr=0x88 pc=0x90bcf6]

Hm, I don't know what happened there, that doesn't look like my original patch... checking.

Last step here is to handle cross-platform issue with the RunningInUserNS:

19:09:09 pkg/archive/archive_unix.go:84: undefined: "github.com/opencontainers/runc/libcontainer/system".RunningInUserNS

Running make cross will reveal the issue (the libcontainer/system/linux.go functions are only compiled on linux, but pkg/archive/archive_unix.go is all Unix-like systems).

I think the cleanest way is a runC PR to have a stub for non-Linux that returns false automatically.

@hallyn I created opencontainers/runc#620 to solve this; I'm hoping to vendor in opencontainers/runc very soon for the shared namespace work that is now in libcontainer/nsenter; so hopefully we can get this solved ASAP.

Thanks @estesp ! Do I understand right that I should just wait for #620 to clear?

@hallyn you can include the change from opencontainers/runc#620 in your PR by adding the file here https://github.com/docker/docker/tree/master/vendor/src/github.com/opencontainers/runc/libcontainer/system. This will make the "vendor" CI check fail, but the other tests should then complete successfully. Once the RunC PR is merged, and vendored, you can rebase your PR to make the vendor check pass

Thanks, done, will watch for the runc pr merge...

@hallyn we need to wait until the containerd integration PR merges (#20662) to get rid of your vendor commit--that PR will update the opencontainers/runc vendor to include the needed changes.

In the meantime, what do you think about logging the "skips" for unsupported file types when tarring/untarring in the archive packages? That way there will be some record if bugs come up in the future about "missing" content?

ping @hallyn #20662 was merged, can you rebase and address the comments (if any needs addressing?)

Hi,

rebased and added the log msg @estesp mentioned.

code LGTM.

Per comment in the more recent PR re: userns + AUFS, @thaJeztah do you know which doc would be the right place to explain this behavior/availability of running the engine in a userns?

So I still can't get this to work.
Using unshare I get the lchown error. If I disable lchown then I get this overlay error: error creating overlay mount to /var/lib/docker/overlay/0ce08510fd8ca9013970f06c67003d6a0c474b4ac2d5f959c440067430ae665d-init/merged: operation not permitted

@cpuguy83 - can you show the output of 'lxc config show containername --expanded' ?
Can you create a new lxd container with

lxc launch ubuntu;xenial x1 -p default -p docker

and use the docker.io package in the archive, and see whether that also fails for you?

ping?

Hi @hallyn, we brought this PR up in our review session last Thursday. Unfortunately, @cpuguy83 didn't find the time to look into this again (and so far didn't manage to get it running properly 😊).

ping @estesp perhaps you have some time to try this?

There should be a test added for this, I bet you can use unshare, and add it to the daemon suite

otherwise we will never know if it breaks :)

A test would definately be good. IMO this was a bugfix not a feature so a testcase could be a follow-on, but especially now that it's been months since the patch was written, it would already be nice to have one.

I'm all for someone resubmitting my patch with an added-on test :)

Ping @estesp: halp!

I may also try with lxc, but I thought using runc might be a good option given it will be installed in the CI system as one of the build outputs along with the daemon.

Ran into several issues with an ubuntu image that I could mostly get around with the following daemon startup:

PATH=/usr/bin dockerd --oom-score-adjust=0 --iptables=false --bridge=none

However, on docker pull alpine after starting the daemon (with vfs being the only driver that seems happy):

Using default tag: latest
latest: Pulling from library/alpine
e110a4a17941: Extracting [=>                                                 ] 65.54 kB/2.31 MB
ERRO[0013] Error trying v2 registry: failed to register layer: ApplyLayer exit status 1 stdout:  stderr: Error creating mount namespace before pivot: operation not permitted
ERRO[0013] Attempting next endpoint for pull after error: failed to register layer: ApplyLayer exit status 1 stdout:  stderr: Error creatinge110a4a17941: Extracting [==================================================>]  2.31 MB/2.31 MB
failed to register layer: ApplyLayer exit status 1 stdout:  stderr: Error creating mount namespace before pivot: operation not permitted
root@ubuntu:/#

Maybe LXC is set up better for this nesting, but I would like to figure out how to get runc as a valid "candidate" for the outer layer of the nesting if at all possible. Any thoughts @hallyn ?

Ah, this is caused by #22506; seems we will need to extend this patch to rely on/fallback to chroot if we are nested in a userns.

Getting further after fallback to "real choot" if nested userns, but shm tmpfs mount seems to be a problem; or a real problem is not logged and the cleanup of mounts is just a side effect:

root@ubuntu # docker run -ti --rm alpine sh
WARN[0067] failed to cleanup ipc mounts:
failed to umount /var/lib/docker/containers/3cab03c60610a93231bd95a63ba2ad4f914feec3b1655b082170c59c3318fb6b/shm: operation not permitted
ERRO[0067] Handler for POST /v1.25/containers/3cab03c60610a93231bd95a63ba2ad4f914feec3b1655b082170c59c3318fb6b/start returned error: mounting shm tmpfs: operation not permitted
docker: Error response from daemon: mounting shm tmpfs: operation not permitted.

At this point I have to stop for now, but suggestions welcome. Looks like we are close to a testable scenario with runc, maybe?

ping @mlaventure perhaps you could have a look?

Here's the real issue; at least running under runc with a fairly vanilla config.json, the /sys mount is not owned by my remapped root, so directory creation for cgroups fails miserably:

root@ubuntu:~# docker run --rm alpine date
ERRO[0005] containerd: start container                   error=oci runtime error: process_linux.go:258: applying cgroup configuration for process caused "mkdir /sys
/fs/cgroup/cpuset/docker: permission denied" id=3fa1606bd39a2f2ac276e47830865e58b6d7f1426012843d91cb08042fd89805
ERRO[0005] Create container failed with error: oci runtime error: process_linux.go:258: applying cgroup configuration for process caused "mkdir /sys/fs/cgroup/cpuse
t/docker: permission denied"

I'm trying to catch up this PR because I also want to run docker inside user namespace (unpriv LXC container) and want to reproduce the errors locally first.

@estesp Mind sharing in what env you are using? Specifically, I like to know

• are you using docker built from master with the PR change?
• on what env you started docker command? (lxc container?)

Also, I'm curious if running the latest docker inside userns becomes possible without changing runc/containerd? Or is it something we'll find out eventually?

@kimh it is possible with LXC and this PR plus an additional change that is required since this PR was created (I mentioned it above related to chroot/untar fallback in a comment 12 days ago).

I will be carrying this PR with the additional change, but had been stuck on trying to see if I could get a working test using runc as the outer user namespaced container, but running into trouble as you can see.

I did try via LXC today and with this PR + my added change I can run the daemon with "dockerd -D -s vfs --oom-score-adjust=0" and pull images and run them successfully in an LXC ubuntu:xenial container.

@estesp So if my understanding is correct, my added change refers to fallback to chroot under nested userns ? Any chance you can share the change with us? I looked for the branch in your fork but not sure which one it is. I'm thrilled about testing this 💣

@kimh please see my carry PR #25672 that has both patches. I'm going to close this PR and hopefully we can get the carried PR merged