I am trying to run the docker daemon on an Ubuntu 16.04 host such that the processes within the docker container no longer run as root.
I have altered /etc/docker/daemon.json as follows:
{
"experimental": true,
"bip": "192.19.77.1/24",
"storage-driver": "overlay2",
"graph": "/opt/docker",
"userns-remap": "default"
}
(Note that I specified the graph location as /opt/docker based on my client's requirements.)
Docker seems to have added entries as follows:
cat /etc/subuid
me:100000:65536
dockremap:165536:65536
cat /etc/subgid
me:100000:65536
dockremap:165536:65536
After this, if I try to run the daemon with sudo dockerd, I get the following:
# sudo dockerd
WARN[0000] The "graph" config file option is deprecated. Please use "data-root" instead.
WARN[0000] Running experimental build
INFO[2018-07-04T12:31:43.430653152-07:00] User namespaces: ID ranges will be mapped to subuid/subgid ranges of: dockremap:dockremap
a subdirectory in your graphroot path (/opt/docker/165536.165536) restricts access to the remapped root uid/gid; please fix by allowing 'o+x' permissions on existing directories
After a lot of flailing with chown and chmod, the /opt/docker directory looks like this:
# ls -al
total 60
drwx--x--x 15 dockremap dockremap 4096 Jul 4 11:42 .
drwxr-s--- 4 mjb mjb 4096 Jul 4 11:32 ..
drwxrwxrwx 2 165536 165536 4096 Jul 4 11:38 165536.165536
drwx--S--- 2 dockremap dockremap 4096 Jun 8 13:16 builder
drwx--s--x 3 dockremap dockremap 4096 Jun 8 13:16 containerd
drwx--S--- 2 dockremap dockremap 4096 Jul 4 11:40 containers
drwx--S--- 3 dockremap dockremap 4096 Jun 8 13:16 image
drwxr-s--- 3 dockremap dockremap 4096 Jun 8 13:16 network
drwx--S--- 3 dockremap dockremap 4096 Jul 4 11:42 overlay2
drwx--S--- 4 dockremap dockremap 4096 Jun 8 13:16 plugins
drwx------ 2 dockremap dockremap 4096 Jul 4 11:42 runtimes
drwx--S--- 2 dockremap dockremap 4096 Jun 8 13:16 swarm
drwx------ 2 dockremap dockremap 4096 Jul 4 11:42 tmp
drwx--S--- 2 dockremap dockremap 4096 Jun 8 13:16 trust
drwx--S--- 2 dockremap dockremap 4096 Jun 8 13:16 volumes
The error has persisted through many different attempts at chown and chmod. I'm not sure who needs to own the directory and what the permissions need to be.
What do I need to do to get the docker daemon to start with the desired userns remapping option in place?
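As an added diagnostic that is not part of the question, the script below walks every directory from / down to the data-root and its remapped-root subdirectory (the name is built from the dockremap lines in /etc/subuid and /etc/subgid) and reports each one that lacks o+x, which is the condition the daemon's error message names; note that it also checks the ancestors of the data-root, not just the directories inside it. It assumes POSIX sh and ls; the subuid/subgid file arguments of remap_subdir and the script name are hypothetical.

```shell
#!/bin/sh
# Added diagnostic, not part of the question: find the directories that deny
# traversal (o+x) to the remapped root uid/gid on the way to a Docker data-root.
# Assumes POSIX sh and ls, and dockremap entries in /etc/subuid and /etc/subgid.

# Walk from / down to "$1", printing "no o+x: <dir>" for every component that
# is not world-searchable. Returns 0 when the whole path is traversable, else 1.
check_traversal() {
    rest=${1#/}
    p=""
    rc=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        rest=${rest#"$comp"}
        rest=${rest#/}
        [ -n "$comp" ] || continue   # skip empty components from "//"
        p="$p/$comp"
        if [ ! -d "$p" ]; then
            echo "missing: $p"
            return 1
        fi
        # First field of "ls -ld" is the mode string, e.g. drwx--x--x; the 10th
        # character is other-execute ('x', or 't' with the sticky bit). The
        # remapped uid counts as "other" on directories it does not own.
        mode=$(ls -ld "$p")
        mode=${mode%% *}
        case $mode in
            ?????????[xt]*) ;;
            *) echo "no o+x: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Build the remapped-root subdirectory name (e.g. 165536.165536) under the
# data-root "$1" from the dockremap lines in subuid ($2) and subgid ($3).
remap_subdir() {
    uid=$(awk -F: '$1 == "dockremap" { print $2; exit }' "${2:-/etc/subuid}")
    gid=$(awk -F: '$1 == "dockremap" { print $2; exit }' "${3:-/etc/subgid}")
    printf '%s/%s.%s\n' "$1" "$uid" "$gid"
}

# Usage (hypothetical script name): sh check_userns_path.sh /opt/docker
if [ $# -gt 0 ]; then
    check_traversal "$(remap_subdir "$1")"
fi
```

Run it against the data-root and fix only the directories it lists; ownership of the data-root itself is not what this check is about, traversal of every directory on the path is.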