Docker Community Forums

Namespace access error

daemon.json

{
"userns-remap": "ilya:ilya"
}

id ilya

uid=1000(ilya) gid=1000(ilya) groups=1000(ilya),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),998(docker)

/etc/subuid

ilya:1000:65536

/etc/subgid

ilya:1000:65536

Dockerfile

RUN addgroup -g 1000 ilya && \
    adduser -D -u 1000 ilya -G ilya && \
    mkdir /test && \
    chown -R ilya:ilya /test && \
    chmod -R u+rwx /test
WORKDIR /test
ENTRYPOINT touch test.txt

Error

bin/sh: can’t create test.txt: Permission denied
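
An added example (not part of the original post and not Docker's own code): how the subordinate range in the posted /etc/subuid translates container UIDs to host UIDs under userns-remap, with a check for ranges that overlap real host accounts. It assumes a single range per user, as in the post; the function names and the 100000 comparison range are constructed for illustration.

```python
"""Added example: resolve the UID mapping implied by a userns-remap range."""
from typing import Dict, NamedTuple, Optional

# Constructed sample input: the /etc/subuid line from the post, plus a
# constructed comparison line whose range starts above ordinary account IDs.
SUBUID_FROM_POST = "ilya:1000:65536\n"
SUBUID_HIGH_RANGE = "ilya:100000:65536\n"


class SubRange(NamedTuple):
    name: str
    start: int   # first host ID of the subordinate range
    count: int   # number of IDs in the range


def parse_subid(text: str, name: str) -> SubRange:
    """Return the first name:start:count entry for `name` (subuid(5) format)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        if owner == name:
            return SubRange(owner, int(start), int(count))
    raise KeyError(f"no subordinate range for {name}")


def host_id(rng: SubRange, container_id: int) -> Optional[int]:
    """Host ID a container ID maps to, or None if it is outside the range."""
    if 0 <= container_id < rng.count:
        return rng.start + container_id
    return None


def overlapped_host_ids(rng: SubRange, real_ids: Dict[str, int]) -> Dict[str, int]:
    """Real host accounts whose IDs fall inside the subordinate range."""
    end = rng.start + rng.count
    return {n: i for n, i in real_ids.items() if rng.start <= i < end}


if __name__ == "__main__":
    rng = parse_subid(SUBUID_FROM_POST, "ilya")
    print("container uid 0    -> host uid", host_id(rng, 0))
    print("container uid 1000 -> host uid", host_id(rng, 1000))
    print("overlapping host accounts:", overlapped_host_ids(rng, {"ilya": 1000}))
```

With the posted range, container UID 0 resolves to host UID 1000 (the `ilya` account itself) and the image's `ilya` user (UID 1000) resolves to host UID 2000.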

Even when connectivity and name resolution are functioning correctly, DFS configuration problems may cause the error to occur on a client. DFS relies on up-to-date DFS configuration data, correctly configured service settings, and Active Directory site configuration.

First, verify that the DFS service is started on all domain controllers and on DFS namespace/root servers. If the service is started in all locations, make sure that no DFS-related errors are reported in the system event logs of the servers.

When an administrator makes a change to the domain-based namespace, the change is made on the Primary Domain Controller (PDC) emulator master. Domain controllers and DFS root servers periodically poll the PDC for configuration information. If the PDC is unavailable, or if “Root Scalability Mode” is enabled, Active Directory replication latencies and failures may prevent servers from issuing correct referrals. For more information about Root Scalability Mode, see Reviewing DFS Size Recommendations.

One method to evaluate replication health is to interrogate the status of the last inbound replication attempt for each domain controller. To do this, run the repadmin.exe command. The required syntax for this command is as follows:

repadmin /showrepl * DN_of_domain

Note

In this command, * represents all domain controllers that are to be queried, and DN_of_domain represents the distinguished name of the domain, such as dc=contoso,dc=com.

Review the status and time of the last successful replication to make sure that DFSN configuration changes have reached all domain controllers. You should investigate any failures that are reported for inbound replication to a DC.

DFSN configuration problems may also prevent access to the namespace. One common scenario in which this occurs is a client that belongs to a site that contains no namespace or folder targets. If the namespace is configured to issue referral targets only within the client’s site (the insite option), DFSN will not provide a referral. To evaluate whether the insite option is configured on a namespace, open a command prompt, and then type the dfsutil /path:\\contoso.com\dfs /insite /display command.

Similarly, Active Directory site configuration problems may prevent DFSN servers from correctly determining the client site. Therefore, these problems may cause referral failures if insite is configured. The DFSN service maps the client to a site by analyzing the source IP address of the client’s referral request. The DFS service also maps each root target server to a site by resolving the target server’s name to an IP address. To evaluate whether a domain controller or a DFS root can determine the correct site of the system, run either of the following commands locally on the domain controllers and on the DFS namespace server:

dfsutil /sitename:root_target_name
dfsutil /sitename:client_ip_address