From 7cf7c569725c9dd77681576115aca115f9635d7c Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Tue, 16 Jul 2019 16:55:25 +0200
Subject: [PATCH] add userns-remap setup

---
 defaults/main.yml | 5 +++++
 tasks/install.yml | 22 ++++++++++++++++++++++
 templates/etc/sysconfig/docker.j2 | 2 +-
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 78747a3..c935f7d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -26,3 +26,8 @@ dockerengine_cli_options:
 - selinux-enabled
 - log-driver=journald
 - signature-verification=false
+
+dockerengine_usernamespace_enabled: False
+dockerengine_nsremap_user: dockremap
+dockerengine_nsremap_range_start: 231072
+dockerengine_nsremap_range_length: 65536
diff --git a/tasks/install.yml b/tasks/install.yml
index cfb0c08..3fb090f 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -39,6 +39,28 @@
 label: "{{ item.dest }}"
 notify: __docker_restart
 
+ - name: Add namespace group
+ group:
+ name: "{{ dockerengine_remap_user }}"
+ state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
+
+ - name: Add namespace user
+ user:
+ name: "{{ dockerengine_remap_user }}"
+ group: "{{ dockerengine_remap_user }}"
+ shell: /sbin/nologin
+ state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
+
+ - name: Configure namespace id range
+ lineinfile:
+ dest: "{{ item }}"
+ regexp: "^{{ dockerengine_remap_user }}:"
+ line: "{{ dockerengine_remap_user }}:{{ dockerengine_nsremap_range_start }}:{{ dockerengine_nsremap_range_length }}"
+ state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
+ loop:
+ - /etc/subuid
+ - /etc/subgid
+
 - name: Ensure docker engine is up and running
 service:
 name: "{{ dockerengine_package }}"
diff --git a/templates/etc/sysconfig/docker.j2 b/templates/etc/sysconfig/docker.j2
index 9f47ac6..04fc751 100644
--- a/templates/etc/sysconfig/docker.j2
+++ b/templates/etc/sysconfig/docker.j2
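Review bot: `dockerengine_usernamespace_enabled: False` is the YAML 1.1 capitalised boolean; Ansible's loader accepts it, but yamllint's `truthy` rule and any YAML 1.2 consumer of this defaults file will not, so write the canonical `dockerengine_usernamespace_enabled: false`. The two subordinate-ID defaults carry no explanation of their constraint; a comment above `dockerengine_nsremap_range_start` such as `# start/length must not overlap a range already allocated in /etc/subuid and /etc/subgid` would tell the next maintainer why these numbers are not free to change. Whether the rest of defaults/main.yml uses lowercase booleans cannot be seen from this hunk, so match whatever the file already does if it differs.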
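Review bot: The three new tasks reference `dockerengine_remap_user`, but the variable this same commit defines in defaults/main.yml and uses in docker.j2 is `dockerengine_nsremap_user`, so with Ansible's default `error_on_undefined_vars` every run fails at "Add namespace group"; replace the five occurrences with `dockerengine_nsremap_user`. Task order also breaks the disable path: with `dockerengine_usernamespace_enabled` false on a host where the account already exists, "Add namespace group" runs `state: absent` on the user's primary group before "Add namespace user" removes the user, which `groupdel` refuses, so remove the user before the group (or guard the group task with a `when`). The account exists only so the daemon has a sub-ID range to map container root onto, so it should be a system account with no home directory — add `system: true` and `create_home: false` to the `user:` task. A change to the range alone does not touch the sysconfig template, so the `lineinfile` task should also `notify: __docker_restart` for the daemon to pick up the new /etc/subuid and /etc/subgid entries. Each of the three tasks is complete within the hunk, but the task list they sit in starts and ends outside it.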
@@ -2,7 +2,7 @@
 # /etc/sysconfig/docker
 # Modify these options if you want to change the way the docker daemon runs
-OPTIONS='{{ dockerengine_cli_options | prefix | join(' ') }}'
+OPTIONS='{{ dockerengine_cli_options | prefix | join(' ') }}{{ ' --userns-remap='+dockerengine_nsremap_user+':'+dockerengine_nsremap_user if dockerengine_usernamespace_enabled | bool else '' }}'
 
 if [ -z "${DOCKER_CERT_PATH}" ]; then
 DOCKER_CERT_PATH=/etc/docker
 fi
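Review bot: The appended expression hard-codes the group half of `--userns-remap` to the user name (`dockerengine_nsremap_user+':'+dockerengine_nsremap_user`), which only holds because tasks/install.yml happens to create a same-named group; either a dedicated group variable or a comment above `OPTIONS=` stating that assumption keeps the template and the task from drifting apart. Building the flag with `+` also raises a Jinja error if either operand ever arrives as a non-string, whereas `~` coerces before concatenating, and an `{% if %}` block reads more clearly than the inline conditional with its empty-string branch: `OPTIONS='{{ dockerengine_cli_options | prefix | join(' ') }}{% if dockerengine_usernamespace_enabled | bool %} --userns-remap={{ dockerengine_nsremap_user }}:{{ dockerengine_nsremap_user }}{% endif %}'`. The value is expanded inside a single-quoted shell string, so a user name containing `'` would break `OPTIONS`; since that name is operator-supplied, a short comment noting the restriction is sufficient.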