Hello,
I am trying to configure Docker to use a user namespace according to documentation Isolate containers with a user namespace | Docker Docs
I have CentOS 7.5 with latest updates and docker-ce-18.06.1.
According to manual user dockerrun with uid 80000 and group dockerrun with gid 80000 were created.
/etc/subuid and /etc/gid have similar content:
dockerrun:80000:65536
In additional, /etc/docker/daemon.json file was created with content
{
“userns-remap”: “dockerrun:dockerrun”
}
After restarting docker daemon I can see the directory
#ls -ld /var/lib/docker/80000.80000/
drwx------ 15 dockerrun dockerrun 200 Aug 22 14:09 /var/lib/docker/80000.80000/
I can pull an image:
$ docker pull hello-world
Using default tag: latest
latest: Pulling from library/hello-world
9db2ca6ccae0: Pull complete
Digest: sha256:4b8ff392a12ed9ea17784bd3c9a8b1fa3299cac44aca35a85c90c5e3c7afacdc
Status: Downloaded newer image for hello-world:latest
But I got an error message when I tried to run it:
$ docker run hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused “process_linux.go:301: running exec setns process for init caused "exit status 40"”: unknown.
Does anybody has an idea what is wrong? I will very appreciate your help.
Some additional info about the docker installation:
$ docker version
Client:
Version: 18.06.1-ce
API version: 1.38
Go version: go1.10.3
Git commit: e68fc7a
Built: Tue Aug 21 17:23:03 2018
OS/Arch: linux/amd64
Experimental: falseServer:
Engine:
Version: 18.06.1-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: e68fc7a
Built: Tue Aug 21 17:25:29 2018
OS/Arch: linux/amd64
Experimental: false
and
$ docker info
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 1
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
seccomp
Profile: default
userns
Kernel Version: 3.10.0-862.11.6.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 1.796GiB
Name: dockertest
ID: 5RVP:3XMF:6JSH:HIPO:KETB:5UAL:CPJB:LLSR:PVPK:2F2N:R3Q3:6WWX
Docker Root Dir: /var/lib/docker/80000.80000
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false