fix error when docker daemon is running with user namespace enabled. #2161
Thanks for this! This change assumes that the running Docker Engine version is >= 1.10, which is "only" one year old (some distros may not have caught up). @QianJin2013 Could you conditionally incorporate the
@bboreham You may want to take this into consideration for Weave Net as well.
TBH, I reckon mandating Docker >=1.10 is fine - Weave Net will do that from the next release onwards anyway.
@rade Will you explicitly be checking the Docker version on launch or is it implicit?
No idea. @bboreham will know.
OK, I will add a check for whether or not `--userns=host` is supported.
@QianJin2013 Hold on, it may not be necessary. It seems almost all users run >= 1.10 anyways.
@2opremio Yeah, not really necessary. If anyone wants, I will use
648e0fa to 359a177
Since See also https://github.com/koalaman/shellcheck/wiki/SC2086
70b404e to 28d6f33
@alban OK, added
It seems that So your current proposed mitigation is workable; the original assumption that since we mandate 1.10 we're ok is not.
anyway, for docker which does not support
@@ -22,6 +22,8 @@ IP_ADDR_CMD="find /sys/class/net -type l | xargs -n1 basename | grep -vE 'docker | |||
xargs -n1 ip addr show | grep inet | awk '{ print \$2 }' | grep -oE '$IP_REGEXP'" | |||
WEAVESCOPE_DOCKER_ARGS=${WEAVESCOPE_DOCKER_ARGS:-} | |||
|
|||
docker run --help |grep -q -- --userns && USERNS_HOST="--userns=host" |
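Review bot: `USERNS_HOST` is assigned only when the `grep` on the last added line succeeds, so against a Docker client without `--userns` the variable is left unset, or keeps whatever value the caller's environment happened to export. Initialise it before the test, in the same style as the `WEAVESCOPE_DOCKER_ARGS=${WEAVESCOPE_DOCKER_ARGS:-}` line just above (for example `USERNS_HOST=""`), and add a comment naming the error this works around. That comment should also say that `--userns=host` opts this container out of the daemon's user-namespace remapping, since that is the security trade-off being made here.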
Fair enough. LGTM, modulo a descriptive comment. @QianJin2013 I will merge after you add it.
OK, comment added. Seems too long, I am not good at English, sorry.
# "Cannot share the host's network namespace when user namespaces are enabled" for `docker run --net=host` | ||
# To avoid above errors, use `--userns=host` option to let container use host User Namespace. | ||
# This option(saved in $USERNS_HOST) will be inserted ONLY IF docker support `--userns` option. | ||
docker run --help |grep -q -- --userns && USERNS_HOST="--userns=host" |
1:"Privileged mode is incompatible with user namespaces". 2:"Cannot share the host's network namespace when user namespaces are enabled".
OK, added
Hi, I have my Docker daemon running with user namespaces enabled (all users in containers will be mapped to sub-users of a specified external user).
When I start `/usr/local/bin/scope`, it reports:
1: "Privileged mode is incompatible with user namespaces".
Then modify the script, add `--userns=host` to let it share the user namespace with the host.
2: "Cannot share the host's network namespace when user namespaces are enabled".
The same reason and solution as 1.
That's all, hope this is helpful.