2
votes

In the Dockerfile below, the base image (jenkins/jenkins) provides a user jenkins with UID 1000 and GID 1000 inside the container.

FROM jenkins/jenkins

# Install some base packages

# Use the non-privileged user provided by the base image (UID 1000, GID 1000).
# Dockerfile comments must start a line: a trailing "# ..." after USER would
# become part of the user name and the build would fail.
USER jenkins

# Copy plugins and other stuff

On the docker host (EC2 instance), we also create a matching UID and GID,

 $ groupadd -g 1000 jenkins
 $ useradd -u 1000 -g jenkins jenkins
 $ mkdir -p /abc/home_folder_for_jenkins
 $ chown -R jenkins:jenkins /abc/home_folder_for_jenkins

to make sure the container can write files to /abc/home_folder_for_jenkins on the EC2 instance.


Another aspect we need to take care of on the same EC2 instance is to run the other containers (not the one above) in non-privileged mode.

So, the configuration below is performed on the docker host (EC2):

$ echo dockremap:165536:65536 > /etc/subuid
$ echo dockremap:165536:65536 > /etc/subgid
$ echo '{"debug":true, "userns-remap":"default"}' > /etc/docker/daemon.json

With this dockremap configuration jenkins does not start and the docker container goes into the Exited state; the home folder stays empty:

$ ls -l /abc/home_folder_for_jenkins
total 0

After removing the docker remap configuration, everything works fine.


Why does the dockremap configuration not allow the jenkins container to run as the jenkins user?

2
Since namespaces are used, UID 1000 on the host is not the same as UID 1000 in your running container. Try opening a shell in your container using docker run or docker exec and run your chown command from inside the container. You may then check ownership again from the host system and you'll see that the owner is not 1000. - Stéphane C.

2 Answers

2
votes

I'm actually fighting with this because it seems not very portable, but this is the best I found. As said above, on your docker host the UID/GID are the ones from the container + the value in /etc/subuid & /etc/subgid. So your "container root" is 165536 on your host and your user jenkins is 166536 (165536 + 1000).

To come back to your example, what you need to do is:

$ mkdir -p /abc/home_folder_for_jenkins
$ chown -R 166536:166536 /abc/home_folder_for_jenkins
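The arithmetic in this answer can be scripted so it is derived from the actual /etc/subuid and /etc/subgid entries rather than typed by hand. The script below is an added example and is not part of the answer above or of Docker's own tooling. It assumes the remap user is named dockremap (Docker's default for "userns-remap": "default"), that a single contiguous range is configured, and it reads the files named by the hypothetical SUBUID_FILE and SUBGID_FILE variables so it can be dry-run against a copy. It also refuses container IDs outside the configured range, which is the other way a remapped bind mount ends up with the wrong owner.

```shell
#!/bin/sh
# Added example (not from the original post): compute the host-side UID/GID
# that an in-container UID/GID maps to under Docker userns-remap, then chown
# the bind-mounted directory to that owner.
#
# Assumptions (hypothetical, for illustration):
#   - the remap user in /etc/subuid and /etc/subgid is "dockremap"
#   - one contiguous range "user:base:count" is configured for that user
#   - SUBUID_FILE / SUBGID_FILE may point at copies of the files for dry runs

# remapped_id <container_id> <subid_file> [remap_user]
# Prints base + container_id, or fails when the ID is not a number or lies
# outside the range (IDs >= count are not mapped at all by the kernel).
remapped_id() {
    cid=$1
    file=$2
    user=${3:-dockremap}
    case $cid in
        ''|*[!0-9]*) echo "container id '$cid' is not a number" >&2; return 1 ;;
    esac
    # Take the first line for the remap user; head exits 0 even on no match.
    line=$(grep "^${user}:" "$file" | head -n 1)
    [ -n "$line" ] || { echo "no entry for $user in $file" >&2; return 1; }
    base=$(echo "$line" | cut -d: -f2)
    count=$(echo "$line" | cut -d: -f3)
    if [ "$cid" -ge "$count" ]; then
        echo "container id $cid is outside the $count-wide range starting at $base" >&2
        return 1
    fi
    echo $((base + cid))
}

# fix_volume_owner <dir> <container_uid> <container_gid>
# chowns the bind-mount directory on the host to the remapped owner and
# prints the "uid:gid" that was applied. Needs root to actually chown.
fix_volume_owner() {
    dir=$1
    huid=$(remapped_id "$2" "${SUBUID_FILE:-/etc/subuid}") || return 1
    hgid=$(remapped_id "$3" "${SUBGID_FILE:-/etc/subgid}") || return 1
    chown -R "$huid:$hgid" "$dir" || return 1
    echo "$huid:$hgid"
}

# Only touch the real directory when explicitly asked, e.g.
#   sudo ./fix_owner.sh --apply
if [ "${1:-}" = "--apply" ]; then
    mkdir -p /abc/home_folder_for_jenkins
    fix_volume_owner /abc/home_folder_for_jenkins 1000 1000
fi
```

With the entries from the question (dockremap:165536:65536) the script chowns to 166536:166536, matching this answer. Because uid 0 inside the container becomes 165536 on the host, a file created as root inside the container will show that owner on the host, which is an easy way to confirm the range after the daemon restart.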
1
vote

User namespaces offset the UID/GID of the user inside the container, and of any files inside the container. There is no mapping from the UID/GID inside the container to the external host UID/GID (that would defeat the purpose). Therefore, you would need to offset the UID/GID of the directory being created, or just use a named volume and let docker handle this for you. I believe that the UID/GID on the host would be 166536 (165536 + 1000) (I may have an off-by-one in there, so try opening the directory permissions if this still fails and see what gets created).