Support user Docker userns-remap (#63)

olljanat · web-flow · commit 0c950bd3ea5e · 2021-02-19T09:38:44.000-03:00
diff --git a/config/docker_config.go b/config/docker_config.go
@@ -20,6 +20,11 @@ func (d *DockerConfig) FullArgs() []string {
 	if d.TLS {
 		args = append(args, d.TLSArgs...)
 	}
+
+	if d.UserNsEnabled {
+		args = append(args, "--userns-remap")
+		args = append(args, "user-docker:user-docker")
+	}
 	return args
 }
 
diff --git a/config/schema.go b/config/schema.go
@@ -143,6 +143,7 @@ var schema = `{
 				"selinux_enabled": {"type": ["boolean", "null"]},
 				"storage_driver": {"type": "string"},
 				"userland_proxy": {"type": ["boolean", "null"]},
+				"userns_enabled": {"type": ["boolean", "null"]},
 				"insecure_registry": {"$ref": "#/definitions/list_of_strings"}
 			}
 		},
diff --git a/config/types.go b/config/types.go
@@ -197,6 +197,7 @@ type DockerConfig struct {
 	CAKey          string   `yaml:"ca_key,omitempty"`
 	Environment    []string `yaml:"environment,omitempty"`
 	StorageContext string   `yaml:"storage_context,omitempty"`
+	UserNsEnabled  bool     `yaml:"userns_enabled,omitempty"`
 	Exec           bool     `yaml:"exec,omitempty"`
 }
 
diff --git a/images/01-base/Dockerfile b/images/01-base/Dockerfile
@@ -39,7 +39,12 @@ RUN rm /sbin/poweroff /sbin/reboot /sbin/halt && \
     rm -f /usr/share/bash-completion/completions/* && \
     chmod 555 /lib/dhcpcd/dhcpcd-run-hooks && \
     sed -i 1,10d /etc/rsyslog.conf && \
-    echo "*.*                /var/log/syslog" >> /etc/rsyslog.conf
+    echo "*.*                /var/log/syslog" >> /etc/rsyslog.conf && \
+    \
+    addgroup -g 1200 user-docker && \
+    adduser -u 1200 -G user-docker -S -H user-docker && \
+    echo 'user-docker:100000:65536' > /etc/subuid && \
+    echo 'user-docker:100000:65536' > /etc/subgid
 # dump kernel log to console (but after we've finished booting)
 #    echo "kern.*                /dev/console" >> /etc/rsyslog.conf
 
diff --git a/images/02-console/Dockerfile b/images/02-console/Dockerfile
@@ -26,7 +26,12 @@ RUN apt-get update \
     && cat /etc/ssh/sshd_config > /etc/ssh/sshd_config.tpl \
     && cat /etc/ssh/sshd_config.append.tpl >> /etc/ssh/sshd_config.tpl \
     && rm -f /etc/ssh/sshd_config.append.tpl /etc/ssh/sshd_config \
-    && echo > /etc/motd
+    && echo > /etc/motd \
+    \
+    && addgroup --gid 1200 user-docker \
+    && adduser --system -u 1200 --gid 1200 --disabled-login --no-create-home user-docker \
+    && echo 'user-docker:100000:65536' > /etc/subuid \
+    && echo 'user-docker:100000:65536' > /etc/subgid
 
 COPY build/iscsid.conf /etc/iscsi/
 
diff --git a/scripts/schema.json b/scripts/schema.json
@@ -136,6 +136,7 @@
         "selinux_enabled": {"type": ["boolean", "null"]},
         "storage_driver": {"type": "string"},
         "userland_proxy": {"type": ["boolean", "null"]},
+        "userns_enabled": {"type": ["boolean", "null"]},
         "insecure_registry": {"$ref": "#/definitions/list_of_strings"}
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,11 @@ func (d *DockerConfig) FullArgs() []string {`
`20`	`20`	`if d.TLS {`
`21`	`21`	`args = append(args, d.TLSArgs...)`
`22`	`22`	`}`
	`23`	`+`
	`24`	`+ if d.UserNsEnabled {`
	`25`	`+ args = append(args, "--userns-remap")`
	`26`	`+ args = append(args, "user-docker:user-docker")`
	`27`	`+ }`
`23`	`28`	`return args`
`24`	`29`	`}`
`25`	`30`
Original file line number	Diff line number	Diff line change
@@ -143,6 +143,7 @@ var schema = `{
`143`	`143`	`"selinux_enabled": {"type": ["boolean", "null"]},`
`144`	`144`	`"storage_driver": {"type": "string"},`
`145`	`145`	`"userland_proxy": {"type": ["boolean", "null"]},`
	`146`	`+ "userns_enabled": {"type": ["boolean", "null"]},`
`146`	`147`	`"insecure_registry": {"$ref": "#/definitions/list_of_strings"}`
`147`	`148`	`}`
`148`	`149`	`},`
Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,7 @@ type DockerConfig struct {`
`197`	`197`	CAKey string `yaml:"ca_key,omitempty"`
`198`	`198`	Environment []string `yaml:"environment,omitempty"`
`199`	`199`	StorageContext string `yaml:"storage_context,omitempty"`
	`200`	+ UserNsEnabled bool `yaml:"userns_enabled,omitempty"`
`200`	`201`	Exec bool `yaml:"exec,omitempty"`
`201`	`202`	`}`
`202`	`203`
Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,7 @@`
`136`	`136`	`"selinux_enabled": {"type": ["boolean", "null"]},`
`137`	`137`	`"storage_driver": {"type": "string"},`
`138`	`138`	`"userland_proxy": {"type": ["boolean", "null"]},`
	`139`	`+ "userns_enabled": {"type": ["boolean", "null"]},`
`139`	`140`	`"insecure_registry": {"$ref": "#/definitions/list_of_strings"}`
`140`	`141`	`}`
`141`	`142`	`},`