add userns-remap setup

This commit is contained in:
Robert Kaussow 2019-07-16 16:55:25 +02:00
parent c4ecbdeaa4
commit 7cf7c56972
3 changed files with 28 additions and 1 deletions


@ -26,3 +26,8 @@ dockerengine_cli_options:
- selinux-enabled - selinux-enabled
- log-driver=journald - log-driver=journald
- signature-verification=false - signature-verification=false
dockerengine_usernamespace_enabled: False
dockerengine_nsremap_user: dockremap
dockerengine_nsremap_range_start: 231072
dockerengine_nsremap_range_length: 65536
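Review bot: `dockerengine_usernamespace_enabled: False` uses the capitalised YAML 1.1 boolean; the canonical form Ansible's own linting expects is `dockerengine_usernamespace_enabled: false`. The four new defaults also carry no comment, and the range values are the kind a reader has to look up: I would add above them `# subuid/subgid range handed to the remapped daemon user; it must not overlap ranges already allocated in /etc/subuid and /etc/subgid` so that operators who change the start or length know what to check. The name `dockerengine_nsremap_user` defined here is the one the template in the sysconfig file uses, so it should be treated as the canonical spelling when fixing the task file.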


@ -39,6 +39,28 @@
label: "{{ item.dest }}" label: "{{ item.dest }}"
notify: __docker_restart notify: __docker_restart
- name: Add namespace group
group:
name: "{{ dockerengine_remap_user }}"
state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
- name: Add namespace user
user:
name: "{{ dockerengine_remap_user }}"
group: "{{ dockerengine_remap_user }}"
shell: /sbin/nologin
state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
- name: Configure namespace id range
lineinfile:
dest: "{{ item }}"
regexp: "^{{ dockerengine_remap_user }}:"
line: "{{ dockerengine_remap_user }}:{{ dockerengine_nsremap_range_start }}:{{ dockerengine_nsremap_range_length }}"
state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
loop:
- /etc/subuid
- /etc/subgid
- name: Ensure docker engine is up and running - name: Ensure docker engine is up and running
service: service:
name: "{{ dockerengine_package }}" name: "{{ dockerengine_package }}"
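Review bot: The three new tasks reference `dockerengine_remap_user` (group name, user name/group, lineinfile regexp and line), but the variable added to the defaults in this same commit is `dockerengine_nsremap_user`, so every one of these tasks will hit an undefined variable unless it is defined elsewhere; the fix is to rename the references, e.g. `name: "{{ dockerengine_nsremap_user }}"` and `regexp: "^{{ dockerengine_nsremap_user }}:"`. On the disable path the task order also looks wrong: "Add namespace group" runs with `state: absent` before "Add namespace user" removes the user, and groupdel generally refuses to remove a user's primary group, so the group task should come after the user task (or be dropped on the absent path). Since this account exists only so the daemon can map container uids onto it, consider `system: true` and `create_home: false` on the user task so no login home is created for it. The lineinfile task replaces any existing entry for that user but does not check that the range overlaps entries of other users; worth at least a comment on the task.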


@ -2,7 +2,7 @@
# /etc/sysconfig/docker # /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs # Modify these options if you want to change the way the docker daemon runs
OPTIONS='{{ dockerengine_cli_options | prefix | join(' ') }}' OPTIONS='{{ dockerengine_cli_options | prefix | join(' ') }}{{ ' --userns-remap='+dockerengine_nsremap_user+':'+dockerengine_nsremap_user if dockerengine_usernamespace_enabled | bool else '' }}'
if [ -z "${DOCKER_CERT_PATH}" ]; then if [ -z "${DOCKER_CERT_PATH}" ]; then
DOCKER_CERT_PATH=/etc/docker DOCKER_CERT_PATH=/etc/docker
fi fi
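Review bot: The inline Jinja ternary on the OPTIONS line concatenates the flag with `+` inside a single-quoted shell string, which is hard to read and easy to break when the next option is added; a conditional block is clearer and yields the same output: `{% if dockerengine_usernamespace_enabled | bool %} --userns-remap={{ dockerengine_nsremap_user }}:{{ dockerengine_nsremap_user }}{% endif %}`. Note that this line correctly uses `dockerengine_nsremap_user` (the name from the defaults) for both the user and the group, so the daemon flag, the group task and the user task must all agree on that spelling. A short comment above OPTIONS stating that `--userns-remap` is only emitted when `dockerengine_usernamespace_enabled` is true would help whoever reads the rendered sysconfig file on the host.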