Allow engine to run inside a user namespace #25672
Conversation
If we are running in a user namespace, don't try to mknod as it won't be allowed. libcontainer will bind-mount the host's devices over files in the container anyway, so it's not needed. The chrootarchive package does a chroot (without mounting /proc) before its work, so we cannot check /proc/self/uid_map when we need to. So compute it in advance and pass it along with the tar options. Signed-off-by: Serge Hallyn <[email protected]>
The namespace unshare+pivot root is not possible when running inside a user namespace, so fall back to the original "real" chroot code. Docker-DCO-1.1-Signed-off-by: Phil Estes <[email protected]>
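The user-namespace detection the first commit message describes, as an added Go example that is not the PR's own code: it parses /proc/self/uid_map into mappings, treats anything other than the initial namespace's single identity line as a user namespace, and is meant to be evaluated once at daemon start so the answer can travel with the tar options into the chrooted worker. The function names and the file-reading wrapper are assumptions.

```go
package main
import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// uidMapping is one line of /proc/self/uid_map: "inner outer count".
type uidMapping struct{ inner, outer, count uint64 }

// parseUIDMap parses uid_map contents; a malformed line is an error.
func parseUIDMap(r io.Reader) ([]uidMapping, error) {
	var maps []uidMapping
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		var m uidMapping
		if _, err := fmt.Sscanf(line, "%d %d %d", &m.inner, &m.outer, &m.count); err != nil {
			return nil, fmt.Errorf("malformed uid_map line %q: %w", line, err)
		}
		maps = append(maps, m)
	}
	return maps, sc.Err()
}

// inUserNS: the initial namespace has exactly one identity line,
// "0 0 4294967295"; anything else means we are inside a user namespace.
func inUserNS(maps []uidMapping) bool {
	return len(maps) != 1 || maps[0] != (uidMapping{0, 0, 4294967295})
}

// RunningInUserNS (hypothetical name) is evaluated once at daemon start and
// passed along with the tar options: the chrootarchive worker chroots without
// /proc, so it cannot read uid_map itself. Device entries are then skipped
// instead of mknod'd, since mknod is refused inside a user namespace.
func RunningInUserNS() (bool, error) {
	f, err := os.Open("/proc/self/uid_map")
	if os.IsNotExist(err) {
		return false, nil // kernel without user-namespace support
	} else if err != nil {
		return false, err
	}
	defer f.Close()
	maps, err := parseUIDMap(f)
	if err != nil {
		return false, err
	}
	return inUserNS(maps), nil
}
```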
LGTM but I think we should document the can't-create-devices restriction somewhere (probably don't need to mention the chroot) as it is not something people would necessarily realise. Plus the
@estesp Thanks for the PR. I used lxd and launched a container with
@justincormack agree on the docs need... but where? Is that the same section as user namespaces support in the daemon, or some other place that talks about the environment in which you run the daemon? Seems like it should be the latter, but that points to less clear locations as there are lots of various bits about running/configuring the engine... any guidance appreciated! /cc @thaJeztah
I think we could think of moving user namespaces to a separate document, instead of cramming it all in the ping @sfsmithcha wdyt?
@thaJeztah but this is about running docker inside a user namespace, really goes in the how to install/run docker section.
@justincormack oh, darn, was too quick answering. erm, yes, good question; not sure where to put that; it's not a regular install, same as we don't document "docker in docker"
Yes, let's maybe leave the docs for now... LGTM
LGTM 🐱
LGTM
Carry of PR #20902
Allow the Docker daemon to run inside a user namespaced parent process. Original patch by @hallyn; I've added a change to revert to "real" chroot when inside a userns that came about since the original patch.
I have tested this capability inside lxc running an ubuntu:xenial image with a binary built from this PR patchset. To successfully run the Docker daemon I used the following command line:
Inside a user namespace, writing to the oom_score_adj special proc file fails, and I can't get any backend driver to work outside of vfs.
I cannot run the Docker engine inside of a runc container with user namespaces enabled due to how the /sys/fs/cgroups mount is handled under runc. Therefore it is hard to write a test that integrates well with our CI system without requiring a working LXC setup until we solve this problem in runc.