Is ubuntu/debian possible with namespaces? setgroups fails

I have namespaces working nicely on a CentOS 7 host (with the appropriate kernel flag set):
Server Version: 17.07.0-ce
Cgroup Driver: cgroupfs
Runtimes: runc
Security Options:
seccomp
Profile: default
userns
Kernel Version: 3.10.0-514.26.2.el7.x86_64
Operating System: CentOS Linux 7 (Core)

and for, say, a centos image everything works as expected.
Take this simple Dockerfile:
FROM centos
RUN yum update
It builds perfectly.

However, for the equivalent debian/ubuntu/phusion based images, a similar Dockerfile
FROM ubuntu
RUN apt-get update
results in
# docker build .
Sending build context to Docker daemon 2.048kB
Step 1/2 : FROM ubuntu
 ---> ccc7a11d65b1
Step 2/2 : RUN apt-get update
 ---> Running in 5dd2f96388b5
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
Reading package lists...
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
The command '/bin/sh -c apt-get update' returned a non-zero code: 100

Restart dockerd without the --userns-remap=default and the above ubuntu Dockerfile builds fine.
It's only namespaces that apt-get update doesn't work against.

What to do to get around this? Is it even possible to use the likes of ubuntu, phusion etc. for a namespaced dockerd?
apt-get install bash does however work, but it only takes a base image like phusion to issue an apt-get update and any build fails, and of course update is kinda required.

By default the _apt user is using gid=65534, as shown below.

_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

Make sure your /etc/subuid and /etc/subgid include this UID for remapping. At least this has fixed this error for me.

You can also force apt to use a different gid.
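
One way to check the subordinate ranges mentioned above, as an added example that is not part of the original thread: the function reads a file in /etc/subuid or /etc/subgid format (name:start:count) and reports whether a container-side ID such as 65534 falls inside the remap user's range. It assumes the remap user is dockremap (the user Docker creates for --userns-remap=default) and that several ranges for one user are laid end to end in container-ID space in file order; the sample files are constructed.

```shell
#!/bin/sh
# subid_covers FILE USER ID
# Exit 0 and print the host-side ID when container-side ID is inside the
# subordinate range(s) listed for USER in FILE; exit 1 when it is not mapped.
# Assumption: multiple ranges for USER are concatenated in file order.
subid_covers() {
    awk -F: -v user="$2" -v id="$3" '
        $1 == user && NF >= 3 {
            # base = number of container IDs consumed by earlier ranges
            if (id - base < $3) { print $2 + (id - base); found = 1; exit }
            base += $3
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files (not real system data): one range too small to
# reach gid 65534, and one that covers it.
tmp=$(mktemp -d)
printf 'dockremap:100000:1000\n'  > "$tmp/subgid.small"
printf 'dockremap:100000:65536\n' > "$tmp/subgid.full"

for f in "$tmp/subgid.small" "$tmp/subgid.full"; do
    if host=$(subid_covers "$f" dockremap 65534); then
        echo "$f: container gid 65534 -> host gid $host"
    else
        echo "$f: container gid 65534 is NOT mapped for dockremap"
    fi
done
rm -rf "$tmp"
```

On a real host, call it as `subid_covers /etc/subgid dockremap 65534` and again with /etc/subuid; a range whose total count is below 65535 leaves gid 65534 unmapped.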