3

I am running dockerd 19.03.1, build 74b1e89 with user namespaces enabled on a dedicated ID range

 cat > /etc/sub{uid,gid}
 dockeruser:120000:10000

I need to switch in a container from root to a dedicated user, which I create as

ARG USERID=26551
ENV runUID=${USERID}
ARG GROUPID=26551
ENV runGID=${GROUPID}
ARG USERNAME='testuser'
ENV runUSER=${USERNAME}
ARG groupNAME='testgroup'
ENV runGROUP=${groupNAME}
RUN groupadd -g ${runGID}  ${runGROUP} && useradd -u ${runUID} -g ${runGID} -r ${runUSER}

However, I cannot switch in the container context to the user. su as well as replacements as gosu fail similar to

[root@1d5594cd99a0 /]# su - testuser ls
su: cannot set groups: Invalid argument

According to the documentation on user namespace mapping, this might be a caveat and would affect all binaries relying on setuid or/and such as su checking for the actual binary owner.

It is possible to run commands/binaries in a Docker container under another user in the container context with user namespaces enabled for dockerd?

pmav99
  • 1,909
  • 2
  • 20
  • 27
THX
  • 553
  • 2
  • 8
  • 18

1 Answers1

2

answering to my problem

I had not enough subuids/subgids defined for the user namespace.

before

/etc/subuid
/etc/subgid
  dockeruser:120000:10000

and I created an user in the container with UID=26551 - where 26551 lies not within [120000,120000+10000] and thus switching to that user failed.

fix

extending the subuid and subgid range to [200000,200000+100000] and actually include the UID

/etc/subuid
/etc/subgid
   dockeruser:200000:100000
THX
  • 553
  • 2
  • 8
  • 18