Hi,
We are running Amazon Linux 2 on our Kubernetes nodes. We are trying to run DinD(inK) without running privileged containers. I am experimenting with using the rootless variant introduced by #174.
I understand from a comment on the PR (#174 (comment)) that I will probably still need privileged but I am going to try setting the securityContext in Kubernetes to provide the minimum required privileges...
Unfortunately, Amazon Linux 2 (which is loosely related to RHEL/CentOS/Fedora) doesn't have the file /proc/sys/kernel/unprivileged_userns_clone which the entrypoint script is testing for. It would appear that user namespaces are enabled by default on AL2, and that file would only be present on Debian derivatives where user namespaces have been explicitly enabled. Therefore, the script is bombing out before I can even get into the rabbit hole of adding capabilities...
Would it be possible to check for user namespace support using a different method?
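
One way to check for user namespace support without depending on the Debian-specific file, as an added example that is not part of the original post or the project's entrypoint script. The function name `userns_status` and its status strings are hypothetical, and it assumes the kernel exposes the mainline `/proc/sys/user/max_user_namespaces` limit (Linux 4.9 and later):

```shell
#!/bin/sh
# Added example (hypothetical helper, not the image's entrypoint code).
# userns_status [SYSCTL_ROOT]
#   Prints: enabled | disabled-by-sysctl | disabled-by-limit | unsupported
#   Returns 0 only for "enabled". SYSCTL_ROOT defaults to /proc/sys and is
#   a parameter so the logic can be exercised against a constructed tree.
userns_status() {
    root="${1:-/proc/sys}"
    clone_knob="$root/kernel/unprivileged_userns_clone"
    max_knob="$root/user/max_user_namespaces"

    # Debian-derived kernels carry an extra on/off switch. Its absence is
    # not an error: other kernels simply do not have this file.
    if [ -f "$clone_knob" ] && [ "$(cat "$clone_knob")" = "0" ]; then
        echo "disabled-by-sysctl"
        return 1
    fi

    # Mainline kernels expose a per-user limit; 0 disables creation.
    if [ -f "$max_knob" ]; then
        if [ "$(cat "$max_knob")" = "0" ]; then
            echo "disabled-by-limit"
            return 1
        fi
        echo "enabled"
        return 0
    fi

    # Older Debian-style kernel: switch present and non-zero, no limit file.
    if [ -f "$clone_knob" ]; then
        echo "enabled"
        return 0
    fi

    # Neither file exists: no evidence of user namespace support.
    echo "unsupported"
    return 1
}
```

A passing result only covers the sysctl side; a seccomp profile or a dropped capability set in the pod's securityContext can still block namespace creation at runtime.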