From 0c950bd3ea5e76418e31542cf580b77c954b74b7 Mon Sep 17 00:00:00 2001
From: Olli Janatuinen
Date: Fri, 19 Feb 2021 14:38:44 +0200
Subject: [PATCH] Support user Docker userns-remap (#63)

---
 config/docker_config.go      | 5 +++++
 config/schema.go             | 1 +
 config/types.go              | 1 +
 images/01-base/Dockerfile    | 7 ++++++-
 images/02-console/Dockerfile | 7 ++++++-
 scripts/schema.json          | 1 +
 6 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/config/docker_config.go b/config/docker_config.go
index 5c48fb34..2c7b3541 100644
--- a/config/docker_config.go
+++ b/config/docker_config.go
@@ -20,6 +20,11 @@ func (d *DockerConfig) FullArgs() []string {
 	if d.TLS {
 		args = append(args, d.TLSArgs...)
 	}
+
+	if d.UserNsEnabled {
+		args = append(args, "--userns-remap")
+		args = append(args, "user-docker:user-docker")
+	}
 	return args
 }
 
diff --git a/config/schema.go b/config/schema.go
index 23ae4735..d736d00f 100644
--- a/config/schema.go
+++ b/config/schema.go
@@ -143,6 +143,7 @@ var schema = `{
         "selinux_enabled": {"type": ["boolean", "null"]},
         "storage_driver": {"type": "string"},
         "userland_proxy": {"type": ["boolean", "null"]},
+        "userns_enabled": {"type": ["boolean", "null"]},
         "insecure_registry": {"$ref": "#/definitions/list_of_strings"}
       }
     },
diff --git a/config/types.go b/config/types.go
index 6df37134..2cde3bcd 100644
--- a/config/types.go
+++ b/config/types.go
@@ -197,6 +197,7 @@ type DockerConfig struct {
 	CAKey          string   `yaml:"ca_key,omitempty"`
 	Environment    []string `yaml:"environment,omitempty"`
 	StorageContext string   `yaml:"storage_context,omitempty"`
+	UserNsEnabled  bool     `yaml:"userns_enabled,omitempty"`
 	Exec           bool     `yaml:"exec,omitempty"`
 }
 
diff --git a/images/01-base/Dockerfile b/images/01-base/Dockerfile
index fc686b4e..b742e78c 100644
--- a/images/01-base/Dockerfile
+++ b/images/01-base/Dockerfile
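Review bot: The remap target `user-docker:user-docker` appended in the new `if d.UserNsEnabled` branch is only valid if the `user-docker` account and its `/etc/subuid`/`/etc/subgid` ranges were provisioned by the image build, and nothing here checks or records that coupling; dockerd can be expected to fail to start when the account is absent, which is hard to diagnose from this code. A comment above the branch would make the dependency visible: `// --userns-remap needs the user-docker account and its subuid/subgid range, created in images/01-base and images/02-console.` The two appends can also be a single call, `args = append(args, "--userns-remap", "user-docker:user-docker")`. FullArgs begins outside the hunk.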
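Review bot: The new exported field `UserNsEnabled` carries no doc comment, and since it switches on a daemon-wide isolation setting a reader of the config type should not have to find FullArgs to learn what it does. The neighbouring fields are undocumented too, so this is a style point, but a one-liner is cheap: `// UserNsEnabled makes dockerd run with --userns-remap user-docker:user-docker.` The DockerConfig struct begins outside the hunk.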
@@ -39,7 +39,12 @@ RUN rm /sbin/poweroff /sbin/reboot /sbin/halt && \
     rm -f /usr/share/bash-completion/completions/* && \
     chmod 555 /lib/dhcpcd/dhcpcd-run-hooks && \
     sed -i 1,10d /etc/rsyslog.conf && \
-    echo "*.* /var/log/syslog" >> /etc/rsyslog.conf
+    echo "*.* /var/log/syslog" >> /etc/rsyslog.conf && \
+    \
+    addgroup -g 1200 user-docker && \
+    adduser -u 1200 -G user-docker -S -H user-docker && \
+    echo 'user-docker:100000:65536' > /etc/subuid && \
+    echo 'user-docker:100000:65536' > /etc/subgid
 
 # dump kernel log to console (but after we've finished booting)
 # echo "kern.* /dev/console" >> /etc/rsyslog.conf
diff --git a/images/02-console/Dockerfile b/images/02-console/Dockerfile
index 3ad3162b..92e8a5af 100644
--- a/images/02-console/Dockerfile
+++ b/images/02-console/Dockerfile
@@ -26,7 +26,12 @@ RUN apt-get update \
     && cat /etc/ssh/sshd_config > /etc/ssh/sshd_config.tpl \
     && cat /etc/ssh/sshd_config.append.tpl >> /etc/ssh/sshd_config.tpl \
     && rm -f /etc/ssh/sshd_config.append.tpl /etc/ssh/sshd_config \
-    && echo > /etc/motd
+    && echo > /etc/motd \
+    \
+    && addgroup --gid 1200 user-docker \
+    && adduser --system -u 1200 --gid 1200 --disabled-login --no-create-home user-docker \
+    && echo 'user-docker:100000:65536' > /etc/subuid \
+    && echo 'user-docker:100000:65536' > /etc/subgid
 
 COPY build/iscsid.conf /etc/iscsi/
 
diff --git a/scripts/schema.json b/scripts/schema.json
index 435fb7f1..8b561611 100644
--- a/scripts/schema.json
+++ b/scripts/schema.json
@@ -136,6 +136,7 @@
         "selinux_enabled": {"type": ["boolean", "null"]},
         "storage_driver": {"type": "string"},
         "userland_proxy": {"type": ["boolean", "null"]},
+        "userns_enabled": {"type": ["boolean", "null"]},
         "insecure_registry": {"$ref": "#/definitions/list_of_strings"}
       }
     },
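Review bot: The two `echo ... > /etc/subuid` / `> /etc/subgid` lines replace the files wholesale, so any subordinate-ID entries already present in the base image are discarded rather than extended; appending, `echo 'user-docker:100000:65536' >> /etc/subuid`, keeps other accounts' ranges intact, and the same applies to the images/02-console/Dockerfile hunk. The uid/gid 1200 and the 100000:65536 range are repeated literally in both images and must agree with the `user-docker:user-docker` name passed to `--userns-remap` in config/docker_config.go; a comment above the `addgroup` line, such as `# account and subordinate range used by dockerd --userns-remap (see config/docker_config.go)`, would record that coupling. The range 100000–165535 should also be kept clear of UIDs used by real accounts on the host, which is worth stating in the same comment. The RUN instruction begins outside the hunk.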