add userns-remap setup

defaults/main.yml

@@ -26,3 +26,8 @@ dockerengine_cli_options:
   - selinux-enabled
   - log-driver=journald
   - signature-verification=false
+
+dockerengine_usernamespace_enabled: False
+dockerengine_nsremap_user: dockremap
+dockerengine_nsremap_range_start: 231072
+dockerengine_nsremap_range_length: 65536

tasks/install.yml

@@ -39,6 +39,28 @@
         label: "{{ item.dest }}"
       notify: __docker_restart
 
+    - name: Add namespace group
+      group:
+        name: "{{ dockerengine_remap_user }}"
+        state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
+
+    - name: Add namespace user
+      user:
+        name: "{{ dockerengine_remap_user }}"
+        group: "{{ dockerengine_remap_user }}"
+        shell: /sbin/nologin
+        state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
+
+    - name: Configure namespace id range
+      lineinfile:
+        dest: "{{ item }}"
+        regexp: "^{{ dockerengine_remap_user }}:"
+        line: "{{ dockerengine_remap_user }}:{{ dockerengine_nsremap_range_start }}:{{ dockerengine_nsremap_range_length }}"
+        state: "{{ 'present' if dockerengine_usernamespace_enabled | bool else 'absent' }}"
+      loop:
+        - /etc/subuid
+        - /etc/subgid
+
     - name: Ensure docker engine is up and running
       service:
         name: "{{ dockerengine_package }}"

templates/etc/sysconfig/docker.j2

@@ -2,7 +2,7 @@
 # /etc/sysconfig/docker
 
 # Modify these options if you want to change the way the docker daemon runs
-OPTIONS='{{ dockerengine_cli_options | prefix | join(' ') }}'
+OPTIONS='{{ dockerengine_cli_options | prefix | join(' ') }}{{ ' --userns-remap='+dockerengine_nsremap_user+':'+dockerengine_nsremap_user if dockerengine_usernamespace_enabled | bool else '' }}'
 if [ -z "${DOCKER_CERT_PATH}" ]; then
     DOCKER_CERT_PATH=/etc/docker
 fi