User namespaces: graduate from experimental #19187
ping @thaJeztah : I spent some extra time trying to make the docs more readable/clear. Feel free to start reviewing/providing feedback as I think the docs may need more help than the code, which is basically just a migration of the flag and settings.
ping @moxiegirl as well 😄
😻
yayayayayayayayayayayayyayaaya! LGTM
yolo
Looks YOLO To Me 👍
Adds the `--userns-remap` flag to the master build Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
@jfrazelle just FYI--updated the patch to stop
sweet, that's perfect, thanks!
On Fri, Jan 8, 2016 at 12:10 PM, Phil Estes notifications@github.com
@estesp don't forget to update the daemon man page as well, to include the new flag; https://github.com/docker/docker/blob/master/man/docker-daemon.8.md |
@thaJeztah do you know how to test it when it was not merged ? Do we have binary build for that ? Or need I cherry-pick these code in my repo and build binary by myself ? Thanks |
@HackToday You can try out a pull request by checking it out using git and then build it (using |
Thanks @vdemeester I tried this clone Since I did not figure it out just cherry-pick easy ways to do that :( |
Found the following potential issues:
root@003d1da3734a:/go/src/github.com/docker/docker# docker run -it --uts=host myhtop pidtest-1
root@003d1da3734a:/go/src/github.com/docker/docker# docker ps
And the container was created.
And another issue: when running `docker run --read-only -v /icanwrite busybox sh` there is still a long Go trace message like below:
5: main
6: main
7: goexit
It seems to still be an issue like the one mentioned in #18430 (although the old one is about the pid namespace)
return warnings, fmt.Errorf("Cannot share network namespaces with user namespaces enabled.") | ||
} | ||
if hostConfig.PidMode.IsHost() { | ||
return warnings, fmt.Errorf("Cannot use the host PID namespace with user namespaces enabled.") |
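Review bot: the PID-namespace error string in this hunk is worded differently from the network-namespace one directly above it ("use" vs "share"); for consistency make it `Cannot share the host PID namespace with user namespaces enabled.` Both messages also begin with a capital letter and end with a period, which Go's error-string convention (and golint) discourages because errors are commonly wrapped into longer messages; consider lower-case without trailing punctuation unless the daemon's surrounding errors already follow the capitalized style.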
Suggest replacing "use" with "share", to keep it consistent with the network namespace error message above.
Done.
I have added an early error similar to the namespace sharing errors when using
@thaJeztah I have made the modifications you suggested as well as added the additional info to the
@HackToday I have made corrections to the docs per your suggestions and added an error message when
## Daemon user namespace options | ||
|
||
Linux kernel [user namespace support](http://man7.org/linux/man-pages/man7/user_namespaces.7.html) provides additional security by enabling | ||
a process--and therefore a container--to have a unique range of user and |
single dashes if you must use dashes.
- and therefore a container -
Nice docs - minor edits.
Thanks for the docs review @jamtur01. I have updated the PR per your comments.
One minor fix but otherwise docs LGTM. Thanks!
Great! @jamtur01 I've used "superuser" instead, and the PR is updated. Thanks!
This prevents strange errors and clarifies which namespace options are incompatible with user namespaces (at this time). Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Remove the experimental docs for user namespaces and add similar content to the `docker daemon` command documentation. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
I think that #19251 should be considered before we make this non-experimental (quite a few systems don't have the latest version of shadow).
LGTM
@HackToday "LGTM"s should only be used by Docker maintainers (they are used by other maintainers to figure out whether there is a consensus on a feature being merged). It's just confusing to have non-maintainers LGTM things.
@cyphar sure, ignore the LGTM, I will +1 this instead
👍
ping @thaJeztah for docs signoff
docs LGTM, let's merge!
\o/
Moves experimental user namespaces to master in preparation for the 1.10 release. Adds documentation to the regular `docker daemon` command docs. Properly warns of incompatible flags for namespace sharing + privileged.
Closes: #18448
Closes: #18430
Closes: #18247