Docker Community Forums

Docker userns-remap permissions issue

docker

(Bitflipsoftware) #1

I am trying to run the docker daemon on an Ubuntu 16.04 host such that the processes within the docker container no longer run as root.

I have altered /etc/docker/daemon.json as follows:

{
  "experimental": true,
  "bip": "192.19.77.1/24",
  "storage-driver": "overlay2",
  "graph": "/opt/docker",
  "userns-remap": "default"
}

(Note that I specified the graph location as /opt/docker based on my client’s requirements.)

Docker seems to have added entries as follows:

cat /etc/subuid
me:100000:65536
dockremap:165536:65536

cat /etc/subgid
me:100000:65536
dockremap:165536:65536

After this, if I try to run the daemon with sudo dockerd, I get the following:

# sudo dockerd
WARN[0000] The "graph" config file option is deprecated. Please use "data-root" instead.
WARN[0000] Running experimental build
INFO[2018-07-04T12:31:43.430653152-07:00] User namespaces: ID ranges will be mapped to subuid/subgid ranges of: dockremap:dockremap
a subdirectory in your graphroot path (/opt/docker/165536.165536) restricts access to the remapped root uid/gid; please fix by allowing 'o+x' permissions on existing directories

After a lot of flailing with chown and chmod the /opt/docker directory looks like this:

# ls -al
total 60
drwx--x--x 15 dockremap dockremap 4096 Jul  4 11:42 .
drwxr-s---  4 mjb       mjb       4096 Jul  4 11:32 ..
drwxrwxrwx  2    165536    165536 4096 Jul  4 11:38 165536.165536
drwx--S---  2 dockremap dockremap 4096 Jun  8 13:16 builder
drwx--s--x  3 dockremap dockremap 4096 Jun  8 13:16 containerd
drwx--S---  2 dockremap dockremap 4096 Jul  4 11:40 containers
drwx--S---  3 dockremap dockremap 4096 Jun  8 13:16 image
drwxr-s---  3 dockremap dockremap 4096 Jun  8 13:16 network
drwx--S---  3 dockremap dockremap 4096 Jul  4 11:42 overlay2
drwx--S---  4 dockremap dockremap 4096 Jun  8 13:16 plugins
drwx------  2 dockremap dockremap 4096 Jul  4 11:42 runtimes
drwx--S---  2 dockremap dockremap 4096 Jun  8 13:16 swarm
drwx------  2 dockremap dockremap 4096 Jul  4 11:42 tmp
drwx--S---  2 dockremap dockremap 4096 Jun  8 13:16 trust
drwx--S---  2 dockremap dockremap 4096 Jun  8 13:16 volumes

The error has persisted through many different attempts at chown and chmod. I’m not sure who needs to own the directory and what the permissions need to be.

What do I need to do to get the docker daemon to start with the desired userns remapping option in place?
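The daemon message quoted above asks for 'o+x' on every existing directory along the graphroot path, because the remapped root uid (165536 here, per /etc/subuid) is an unprivileged "other" user at each step of the path. The following script, added here as an example and not part of the original post, walks each directory component of a data-root and reports the ones that deny "other" search permission; a directory with a mode like the `drwxr-s---` parent shown as `..` in the `ls -al` listing above would be reported. It assumes GNU `stat` (with a BSD `stat` fallback) and takes the data-root path as its argument.

```shell
#!/bin/sh
# Added example, not code from the original post: report every directory
# component of a Docker data-root that denies "other" execute (search)
# permission, which is what dockerd's "please fix by allowing 'o+x'"
# message refers to when the remapped root uid cannot traverse the path.

# Octal mode of a path (GNU stat; BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print each ancestor of $1 (and $1 itself) lacking o+x.
# Returns 0 when the whole path is traversable, 1 if any component is not,
# 2 if a component does not exist.
check_path_traversal() {
    target=$1
    current=""
    rc=0
    old_ifs=$IFS
    IFS='/'
    set -- $target          # split the path on '/' into positional parameters
    IFS=$old_ifs
    for component in "$@"; do
        [ -n "$component" ] || continue
        current="$current/$component"
        if [ ! -d "$current" ]; then
            echo "missing: $current"
            return 2
        fi
        mode=$(mode_of "$current")
        other=${mode#"${mode%?}"}          # last octal digit: the "other" triplet
        if [ $(( other & 1 )) -eq 0 ]; then  # bit 1 of that digit is execute/search
            echo "no o+x: $current (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_traversal.sh /opt/docker
if [ $# -gt 0 ]; then
    check_path_traversal "$1"
fi
```

Setgid and other special bits are kept in the reported mode (e.g. 2750), so the output can be compared directly with the `ls -al` listing.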