From debbugs-submit-bounces@debbugs.gnu.org Tue May 23 03:49:35 2023
From: Remco van 't Veer
To: 55358@debbugs.gnu.org
Subject: [PATCH] services: docker: Add 'enable-userns-remap?' argument.
Date: Tue, 23 May 2023 09:49:21 +0200
Message-Id:
X-Mailer: git-send-email 2.40.1
In-Reply-To: <878rdk8gm9.fsf@remworks.net>
References: <878rdk8gm9.fsf@remworks.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Debbugs-Envelope-To: 55358
Cc: guix-devel@gnu.org, Remco van 't Veer, Maxim Cournoyer, zimoun

* gnu/services/docker.scm (docker-configuration): Define the argument.
* gnu/services/docker.scm (docker-shepherd-service): Use it.
* doc/guix.texi (Docker Service): Document it.
---
 doc/guix.texi           | 27 ++++++++++++++++++++++++++-
 gnu/services/docker.scm | 28 +++++++++++++++++++++++++++-
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index f4cca66d76..ae185ced61 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -100,7 +100,7 @@ Copyright @copyright{} 2021 muradm@* Copyright @copyright{} 2021, 2022 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* -Copyright @copyright{} 2022 Remco van 't Veer@* +Copyright @copyright{} 2022, 2023 Remco van 't Veer@* Copyright @copyright{} 2022 Aleksandr Vityazev@* Copyright @copyright{} 2022 Philip M@sup{c}Grath@* Copyright @copyright{} 2022 Karl Hallsby@*
@@ -38533,6 +38533,31 @@ Miscellaneous Services @item @code{enable-iptables?} (default @code{#t}) Enable or disable the addition of iptables rules. +@item @code{enable-userns-remap?} (default @code{#f}) +Enable remapping and subordinate user and group IDs. + +A system user account named @code{dockremap} and user group named +@code{dockremap} will be created. They must be mapped using the +@file{/etc/subuid} and @file{/etc/subguid} files otherwise docker fail +to startup. + +Here's an example service to setup both files: + +@lisp +(simple-service + 'subuid-subgid etc-service-type + (list `("subuid" + ,(plain-file "subuid" + "dockremap:65536:65536\n")) + `("subgid" + ,(plain-file "subgid" + "dockremap:65536:65536\n")))) +@end lisp + +The above will remap to UID 0 (root) to 65536, UID 1 to 65537 etc. For +more information regarding the format of these files, consult +@command{man 5 subuid} and @command{man 5 subgid}. + @item @code{environment-variables} (default: @code{()}) List of environment variables to set for @command{dockerd}. diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 741bab5a8c..e138a6be7e 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2020 Jesse Dowell ;;; Copyright © 2021 Brice Waegeneire +;;; Copyright © 2023 Remco van 't Veer ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,6 +30,7 @@ (define-module (gnu services docker) #:use-module (gnu services shepherd) #:use-module (gnu system setuid) #:use-module (gnu system shadow) + #:use-module (gnu packages admin) #:use-module (gnu packages docker) #:use-module (gnu packages linux) ;singularity #:use-module (guix records) 
@@ -62,6 +64,9 @@ (define-configuration docker-configuration (enable-iptables? (boolean #t) "Enable addition of iptables rules (enabled by default).") + (enable-userns-remap? + (boolean #f) + "Enable remapping and subordinate user and group IDs (disabled by default).") (environment-variables (list '()) "Environment variables to set for dockerd") @@ -107,6 +112,7 @@ (define (docker-shepherd-service config) (let* ((docker (docker-configuration-docker config)) (enable-proxy? (docker-configuration-enable-proxy? config)) (enable-iptables? (docker-configuration-enable-iptables? config)) + (enable-userns-remap? (docker-configuration-enable-userns-remap? config)) (environment-variables (docker-configuration-environment-variables config)) (proxy (docker-configuration-proxy config)) (debug? (docker-configuration-debug? config))) @@ -135,6 +141,9 @@ (define (docker-shepherd-service config) #~(string-append "--userland-proxy-path=" #$proxy "/bin/proxy")) '("--userland-proxy=false")) + #$@(if enable-userns-remap? + '("--userns-remap=dockremap") + '()) (if #$enable-iptables? "--iptables" "--iptables=false") @@ -145,6 +154,18 @@ (define (docker-shepherd-service config) #:log-file "/var/log/docker.log")) (stop #~(make-kill-destructor))))) +(define %docker-remap-user-group + (user-group (name "dockremap") + (system? #t))) + +(define %docker-remap-user-account + (user-account (name "dockremap") + (group "dockremap") + (system? #t) + (comment "Docker user namespace remap user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")))) + (define docker-service-type (service-type (name 'docker) (description "Provide capability to run Docker application 
@@ -161,7 +182,12 @@ (define docker-service-type (list (containerd-shepherd-service config) (docker-shepherd-service config)))) (service-extension account-service-type - (const %docker-accounts)))) + (lambda (config) + (if (docker-configuration-enable-userns-remap? config) + (cons* %docker-remap-user-group + %docker-remap-user-account + %docker-accounts) + %docker-accounts))))) (default-value (docker-configuration)))) base-commit: 849286ba66c96534bddc04df1a47d5692cbc977e -- 2.40.1
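Review bot: the documentation hunk for `@item @code{enable-userns-remap?}` in doc/guix.texi misspells a file name that the daemon actually depends on: `@file{/etc/subguid}` should be `@file{/etc/subgid}`, matching the `subgid` entry the example `simple-service` writes and the `@command{man 5 subgid}` reference two paragraphs later; a reader who follows the prose literally would create a file dockerd never consults and the daemon would refuse to start. The same paragraph needs grammar fixes ("otherwise docker fails to start up" and "The above will remap UID 0 (root) to 65536, UID 1 to 65537, etc."), and since the whole point of the remap is that a container's root never coincides with a real host account, it would help to state that the `dockremap:65536:65536` range (start 65536, count 65536) must not overlap the UIDs and GIDs of existing users and groups on the host.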
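Review bot: in the `docker-shepherd-service` hunk that adds `'("--userns-remap=dockremap")`, the literal `dockremap` is now duplicated in the daemon flag, in the `user-group` and `user-account` records added further down, and in the manual text; binding it once (for example a single string constant referenced by the flag and both records) would keep the three from drifting apart, which matters here because a mismatch between the flag and the account that owns the subordinate ID range makes dockerd fail at startup instead of running with remapping silently disabled. Note also that, unlike `enable-iptables?`, which is tested at run time inside the gexp with `(if #$enable-iptables? ...)`, this option is spliced at build time with `#$@(if enable-userns-remap? ...)` so the flag is omitted entirely when disabled; both approaches work, but a one-line comment saying so would spare the next reader the question.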
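Review bot: the `%docker-remap-user-group` and `%docker-remap-user-account` definitions are sound from a least-privilege standpoint (system account, `/var/empty` as home directory, `nologin` from `shadow` as shell, so the account that anchors the remapped namespace cannot be used to log in), but the hunk adds no comment explaining why these records exist; a short comment stating that the pair only owns the subordinate ID range named by `--userns-remap` and that `(gnu packages admin)` was imported solely for `shadow` would document the intent. Because the `user-account` creates the account but not its `/etc/subuid` and `/etc/subgid` entries, the `enable-userns-remap?` docstring in `docker-configuration` should also say that the service does not manage those files, so that an operator enabling the option is not surprised by the startup failure the manual text describes.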