Support user Docker userns-remap (#63)

2025-08-30 21:26:09 +00:00 · 2021-02-19 14:38:44 +02:00 · 2021-02-19 14:38:44 +02:00 · 0c950bd3ea
commit 0c950bd3ea
parent af08844a9a
6 changed files with 20 additions and 2 deletions
--- a/config/docker_config.go
+++ b/config/docker_config.go
@ -20,6 +20,11 @@ func (d *DockerConfig) FullArgs() []string {
 	if d.TLS {
 		args = append(args, d.TLSArgs...)
 	}
+
+	if d.UserNsEnabled {
+		args = append(args, "--userns-remap")
+		args = append(args, "user-docker:user-docker")
+	}
 	return args
 }

--- a/config/schema.go
+++ b/config/schema.go
@ -143,6 +143,7 @@ var schema = `{
 				"selinux_enabled": {"type": ["boolean", "null"]},
 				"storage_driver": {"type": "string"},
 				"userland_proxy": {"type": ["boolean", "null"]},
+				"userns_enabled": {"type": ["boolean", "null"]},
 				"insecure_registry": {"$ref": "#/definitions/list_of_strings"}
 			}
 		},
--- a/config/types.go
+++ b/config/types.go
@ -197,6 +197,7 @@ type DockerConfig struct {
 	CAKey          string   `yaml:"ca_key,omitempty"`
 	Environment    []string `yaml:"environment,omitempty"`
 	StorageContext string   `yaml:"storage_context,omitempty"`
+	UserNsEnabled  bool     `yaml:"userns_enabled,omitempty"`
 	Exec           bool     `yaml:"exec,omitempty"`
 }

--- a/images/01-base/Dockerfile
+++ b/images/01-base/Dockerfile
@ -39,7 +39,12 @@ RUN rm /sbin/poweroff /sbin/reboot /sbin/halt && \
    rm -f /usr/share/bash-completion/completions/* && \
    chmod 555 /lib/dhcpcd/dhcpcd-run-hooks && \
    sed -i 1,10d /etc/rsyslog.conf && \
-    echo "*.*                /var/log/syslog" >> /etc/rsyslog.conf
+    echo "*.*                /var/log/syslog" >> /etc/rsyslog.conf && \
+    \
+    addgroup -g 1200 user-docker && \
+    adduser -u 1200 -G user-docker -S -H user-docker && \
+    echo 'user-docker:100000:65536' > /etc/subuid && \
+    echo 'user-docker:100000:65536' > /etc/subgid
 # dump kernel log to console (but after we've finished booting)
 #    echo "kern.*                /dev/console" >> /etc/rsyslog.conf

--- a/images/02-console/Dockerfile
+++ b/images/02-console/Dockerfile
@ -26,7 +26,12 @@ RUN apt-get update \
    && cat /etc/ssh/sshd_config > /etc/ssh/sshd_config.tpl \
    && cat /etc/ssh/sshd_config.append.tpl >> /etc/ssh/sshd_config.tpl \
    && rm -f /etc/ssh/sshd_config.append.tpl /etc/ssh/sshd_config \
-    && echo > /etc/motd
+    && echo > /etc/motd \
+    \
+    && addgroup --gid 1200 user-docker \
+    && adduser --system -u 1200 --gid 1200 --disabled-login --no-create-home user-docker \
+    && echo 'user-docker:100000:65536' > /etc/subuid \
+    && echo 'user-docker:100000:65536' > /etc/subgid

 COPY build/iscsid.conf /etc/iscsi/

--- a/scripts/schema.json
+++ b/scripts/schema.json
@ -136,6 +136,7 @@
        "selinux_enabled": {"type": ["boolean", "null"]},
        "storage_driver": {"type": "string"},
        "userland_proxy": {"type": ["boolean", "null"]},
+        "userns_enabled": {"type": ["boolean", "null"]},
        "insecure_registry": {"$ref": "#/definitions/list_of_strings"}
      }
    },