4
votes

Is it possible to use the docker socket mounted from the host inside a docker container when using user namespaces?

I have the following configuration:

/etc/subuid

 user:100000:65536

/etc/subgid

 user:100000:65536

/etc/docker/daemon.json

{
  "userns-remap": "ns-user"
}

I've created user ns-user with UID 100000 and group ns-user with GID 100000. Additionally, I've added ns-user to the group docker. When I log in as ns-user on the host machine, I can use docker via the socket.

The problem is that when I run a container with the docker socket mounted, I get permission denied on the socket. Socket privileges inside the docker container:

srw-rw---- 1 nobody nogroup 0 Jun 26 15:00 /var/run/docker.sock

EDIT 1:

To clarify: I thought that root (uid 0) inside the container maps to ns-user (uid 100000) on the host, which has permission to the docker socket, but in fact I get permission denied. Why?

I do not want to use the --userns=host parameter.

1
How are you launching your docker run command? Are you setting -v /var/run/docker.sock:/var/run/docker.sock? - OscarAkaElvis
docker run --rm -it --entrypoint bash -v /var/run/docker.sock:/var/run/docker.sock myimage, where my image has the docker client bundled - lbednaszynski
Right now I resolved this by connecting through HTTP instead of using the socket. I configured the docker daemon to bind on the docker bridge interface only. But the question is still open. Is it possible to do this using the socket? - lbednaszynski

1 Answer

1
votes

You can do this by using socat to create a socket with the right privileges for the namespace user:

sudo socat UNIX-LISTEN:/var/run/docker-userns.sock,user=1000,group=1000,mode=0600,fork UNIX-CLIENT:/var/run/docker.sock &

You'll need to write a script that will start this before your container is started. It will still work if the socket comes up after docker; your containers just might restart a few times until they are able to connect to the user socket.

I've been looking for something a bit more configurable than this. Could probably use a python script using the pty module as mentioned here.
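As an added example, not from the original question or answer: a POSIX shell script that derives from /etc/subuid-style input which host UID container root maps to under userns-remap, shows why the daemon's own socket appears as nobody:nogroup inside the container (host uid 0 and the docker group lie outside the mapped range), and builds the socat proxy line from the answer around that remapped UID instead of the fixed 1000. The subordinate ranges, the ns-user name, the 65536 count and the socket paths are taken from the question; the helper names and the constructed sample lines are mine.

```shell
#!/bin/sh
# Added example (not the answer's own script): map container IDs to host IDs
# under docker's userns-remap and build the socat proxy command around the
# result. Parses constructed /etc/subuid-style text, so it runs offline.

# subuid_base NAME TEXT -> first subordinate ID for NAME from TEXT, where TEXT
# holds lines of NAME:START:COUNT (the /etc/subuid and /etc/subgid format).
# Prints nothing when NAME has no entry.
subuid_base() {
    name="$1"
    text="$2"
    printf '%s\n' "$text" | awk -F: -v n="$name" '$1 == n { print $2; exit }'
}

# container_to_host CONTAINER_ID BASE COUNT -> host ID that CONTAINER_ID maps
# to. Container root (0) maps to BASE itself; IDs at or beyond COUNT are not
# mapped and the function returns 1 without printing.
container_to_host() {
    cid="$1"; base="$2"; count="$3"
    if [ "$cid" -lt 0 ] || [ "$cid" -ge "$count" ]; then
        return 1
    fi
    echo $((base + cid))
}

# host_to_container HOST_ID BASE COUNT -> ID seen inside the container, or the
# word "unmapped" (and status 1) when HOST_ID lies outside the range. Host
# root (0) and the host docker group are outside it, which is why the mounted
# docker.sock shows up as nobody:nogroup in the question.
host_to_container() {
    hid="$1"; base="$2"; count="$3"
    if [ "$hid" -lt "$base" ] || [ "$hid" -ge $((base + count)) ]; then
        echo unmapped
        return 1
    fi
    echo $((hid - base))
}

# proxy_command HOST_UID HOST_GID -> the socat line from the answer, with the
# socket owner set to the remapped root instead of a hard-coded 1000.
proxy_command() {
    echo "socat UNIX-LISTEN:/var/run/docker-userns.sock,user=$1,group=$2,mode=0600,fork UNIX-CLIENT:/var/run/docker.sock"
}

# Constructed sample of the question's files. daemon.json names "ns-user", so
# the ranges are looked up under that name (the question's files list "user";
# the name must match the one in daemon.json for remapping to work).
SAMPLE_SUBUID='ns-user:100000:65536'
SAMPLE_SUBGID='ns-user:100000:65536'
RANGE_COUNT=65536

main() {
    uid_base=$(subuid_base ns-user "$SAMPLE_SUBUID")
    gid_base=$(subuid_base ns-user "$SAMPLE_SUBGID")
    host_uid=$(container_to_host 0 "$uid_base" "$RANGE_COUNT")
    host_gid=$(container_to_host 0 "$gid_base" "$RANGE_COUNT")
    echo "container root maps to host $host_uid:$host_gid"
    echo "host root (owner of docker.sock) appears inside as: $(host_to_container 0 "$uid_base" "$RANGE_COUNT")"
    echo "start the proxy as root before the container:"
    echo "  sudo $(proxy_command "$host_uid" "$host_gid") &"
    echo "then mount the proxy socket in place of the daemon's:"
    echo "  docker run --rm -it -v /var/run/docker-userns.sock:/var/run/docker.sock myimage"
}

main
```

The proxy only changes which host UID may open the socket; every request still reaches the same daemon, which runs as root on the host, so a container holding the proxied socket has the same control over the daemon as one holding /var/run/docker.sock directly.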