[PATCH] services: docker: Add 'enable-userns-remap?' argument.

[Remco van 't Veer <remco@remworks.net>]

* gnu/services/docker.scm (docker-configuration): Define the argument.
* gnu/services/docker.scm (docker-shepherd-service): Use it.
* doc/guix.texi (Docker Service): Document it.
---
 doc/guix.texi           | 27 ++++++++++++++++++++++++++-
 gnu/services/docker.scm | 28 +++++++++++++++++++++++++++-
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index f4cca66d76..ae185ced61 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -100,7 +100,7 @@
 Copyright @copyright{} 2021 muradm@*
 Copyright @copyright{} 2021, 2022 Andrew Tropin@*
 Copyright @copyright{} 2021 Sarah Morgensen@*
-Copyright @copyright{} 2022 Remco van 't Veer@*
+Copyright @copyright{} 2022, 2023 Remco van 't Veer@*
 Copyright @copyright{} 2022 Aleksandr Vityazev@*
 Copyright @copyright{} 2022 Philip M@sup{c}Grath@*
 Copyright @copyright{} 2022 Karl Hallsby@*
@@ -38533,6 +38533,31 @@ Miscellaneous Services
 @item @code{enable-iptables?} (default @code{#t})
 Enable or disable the addition of iptables rules.
 
+@item @code{enable-userns-remap?} (default @code{#f})
+Enable remapping and subordinate user and group IDs.
+
+A system user account named @code{dockremap} and user group named
+@code{dockremap} will be created.  They must be mapped using the
+@file{/etc/subuid} and @file{/etc/subguid} files otherwise docker fail
+to startup.
+
+Here's an example service to setup both files:
+
+@lisp
+(simple-service
+   'subuid-subgid etc-service-type
+   (list `("subuid"
+           ,(plain-file "subuid"
+                        "dockremap:65536:65536\n"))
+         `("subgid"
+           ,(plain-file "subgid"
+                        "dockremap:65536:65536\n"))))
+@end lisp
+
+The above will remap to UID 0 (root) to 65536, UID 1 to 65537 etc.  For
+more information regarding the format of these files, consult
+@command{man 5 subuid} and @command{man 5 subgid}.
+
 @item @code{environment-variables} (default: @code{()})
 List of environment variables to set for @command{dockerd}.
 
diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm
index 741bab5a8c..e138a6be7e 100644
--- a/gnu/services/docker.scm
+++ b/gnu/services/docker.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2020 Jesse Dowell <jessedowell@gmail.com>
 ;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
+;;; Copyright © 2023 Remco van 't Veer <remco@remworks.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -29,6 +30,7 @@ (define-module (gnu services docker)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system setuid)
   #:use-module (gnu system shadow)
+  #:use-module (gnu packages admin)
   #:use-module (gnu packages docker)
   #:use-module (gnu packages linux)               ;singularity
   #:use-module (guix records)
@@ -62,6 +64,9 @@ (define-configuration docker-configuration
   (enable-iptables?
    (boolean #t)
    "Enable addition of iptables rules (enabled by default).")
+  (enable-userns-remap?
+   (boolean #f)
+   "Enable remapping and subordinate user and group IDs (disabled by default).")
   (environment-variables
    (list '())
    "Environment variables to set for dockerd")
@@ -107,6 +112,7 @@ (define (docker-shepherd-service config)
   (let* ((docker (docker-configuration-docker config))
          (enable-proxy? (docker-configuration-enable-proxy? config))
          (enable-iptables? (docker-configuration-enable-iptables? config))
+         (enable-userns-remap? (docker-configuration-enable-userns-remap? config))
          (environment-variables (docker-configuration-environment-variables config))
          (proxy (docker-configuration-proxy config))
          (debug? (docker-configuration-debug? config)))
@@ -135,6 +141,9 @@ (define (docker-shepherd-service config)
                                         #~(string-append
                                            "--userland-proxy-path=" #$proxy "/bin/proxy"))
                                   '("--userland-proxy=false"))
+                           #$@(if enable-userns-remap?
+                                  '("--userns-remap=dockremap")
+                                  '())
                            (if #$enable-iptables?
                                "--iptables"
                                "--iptables=false")
@@ -145,6 +154,18 @@ (define (docker-shepherd-service config)
                      #:log-file "/var/log/docker.log"))
            (stop #~(make-kill-destructor)))))
 
+(define %docker-remap-user-group
+  (user-group (name "dockremap")
+              (system? #t)))
+
+(define %docker-remap-user-account
+  (user-account (name "dockremap")
+                (group "dockremap")
+                (system? #t)
+                (comment "Docker user namespace remap user")
+                (home-directory "/var/empty")
+                (shell (file-append shadow "/sbin/nologin"))))
+
 (define docker-service-type
   (service-type (name 'docker)
                 (description "Provide capability to run Docker application
@@ -161,7 +182,12 @@ (define docker-service-type
                                        (list (containerd-shepherd-service config)
                                              (docker-shepherd-service config))))
                   (service-extension account-service-type
-                                     (const %docker-accounts))))
+                                     (lambda (config)
+                                       (if (docker-configuration-enable-userns-remap? config)
+                                           (cons* %docker-remap-user-group
+                                                  %docker-remap-user-account
+                                                  %docker-accounts)
+                                           %docker-accounts)))))
                 (default-value (docker-configuration))))
 
 \f

base-commit: 849286ba66c96534bddc04df1a47d5692cbc977e
-- 
2.40.1