From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms9.migadu.com with LMTPS id mL7kAC9wbGSLcQEASxT56A (envelope-from ) for ; Tue, 23 May 2023 09:50:07 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id QOqFOy5wbGRXYgAAG6o9tA (envelope-from ) for ; Tue, 23 May 2023 09:50:06 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B0EDD2DDB2 for ; Tue, 23 May 2023 09:50:06 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1q1Mlz-0007F7-Mn; Tue, 23 May 2023 03:49:35 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q1Mlx-0007EH-GM for guix-devel@gnu.org; Tue, 23 May 2023 03:49:33 -0400 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q1Mlu-0007UW-OK for guix-devel@gnu.org; Tue, 23 May 2023 03:49:33 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id DF052320095E; Tue, 23 May 2023 03:49:26 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Tue, 23 May 2023 03:49:27 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=remworks.net; h= cc:cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to; s=fm3; t= 1684828166; x=1684914566; bh=djE70iYqcK23pNxNm74GYYh+c4Jbchp/vmh ela8Q/Cc=; b=d7a4AQHi1B4cZ+RlbkeMnkBFobocTevAhC4BP+YbsVPnfpsphPT wDDDT/6KqllDa6fow8EveIZD1cjdODMnMJwDsp+g3Wx0Mm5TzPpBD2WKl+o+j+Cu lcny/Dd2dEDhuDLVV4a37DoSsg1zVoLVIvtnxm6I/UJLW+eMlxDfWsMU8sc1o2hH XqC0ENXoGLEq8TYkv384+zLpfh3qAwJEBtSgKsoYzY+qB5LXLklQirCy75xE00gN kj3LZkXpL+t4EepvL/WzSXAN/fI1uOvtCrNtA06N6Kdg4vuRh/8vbERp4iRoF9lS VbG5YkoEy4HW5U842ujcnb0Nv3oqwgY1JXg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t= 1684828166; x=1684914566; bh=djE70iYqcK23pNxNm74GYYh+c4Jbchp/vmh ela8Q/Cc=; b=xC61PPk8FyHRcbsSOm5l7QNPzlu0Dd19mexfyhAcPbIt0REiW5A AGBBwQdGdz8PCbsd7iUiEhtbchzSVBy3NkXuoLukxzYEeSzQgAADkKAD+sjadlKo BuQtF7OvELcxk6opJYn0adDKPSYGLvSzv5uz71VCljnsTgOFG/+ROozBNzB0DiKw IBEefDErLe8p2OZOYI4pNivKRbdj7MKqVHYCeadxxayq4Ji0/xuSOhUrVrmhaPXm 0XlKNh+wQxv1m8fn0qz1ikKQ1HxqRO8pQ32sU6Dk91HyuEwgKMOopDTYFRh+UHfR lxJkSfHAnqxwwx71TiG4sZoIWULQuhNOaCQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeejvddguddvhecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefhvfevufffkffojghfgggtgfesthekredtredtjeenucfhrhhomheptfgv mhgtohcuvhgrnhcukdhtucggvggvrhcuoehrvghmtghosehrvghmfihorhhkshdrnhgvth eqnecuggftrfgrthhtvghrnhephfetueelgefgvdefledvleekheegtdevgeeljeeihefg hefhtdeukeduhedvveffnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrg hilhhfrhhomheprhifvhesfhgrshhtmhgrihhlrdgtohhm X-ME-Proxy: Feedback-ID: i7e59465b:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 23 May 2023 03:49:25 -0400 (EDT) From: Remco van 't Veer To: 55358@debbugs.gnu.org Cc: Maxim Cournoyer , zimoun , guix-devel@gnu.org, Remco van 't Veer Subject: [PATCH] services: docker: Add 'enable-userns-remap?' argument. Date: Tue, 23 May 2023 09:49:21 +0200 Message-Id: X-Mailer: git-send-email 2.40.1 In-Reply-To: <878rdk8gm9.fsf@remworks.net> References: <878rdk8gm9.fsf@remworks.net> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=64.147.123.20; envelope-from=rwv@fastmail.com; helo=wout4-smtp.messagingengine.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Seal: i=1; s=key1; d=yhetil.org; t=1684828206; a=rsa-sha256; cv=none; b=kSeTlQU+jIH4iULmvK8Pdu2+FXEjbZeSbIxphPdbMKCm0rmGmuIm5MLrduLZ9MSiQ0Ie1V V4SnggzuCSQvPdPpaa0Se/73L0nthkPpeymmDVikHmmAavHlib/WFul42itPjUxt3GSV1h MImUdMdWTiL4GKoKS6lmtBHlg0aRHG6bUsoE7Sm2+wdicgsAr7VGyzimbfk+uMCujKw0du 12qOvL8+wK8cCIWcnfyklcvwUuczZr5lJl8Mkln0E8h8ZvsCpjM7lIbrKx6q9KTL0FI/EO gzR+CmYKS5+pkT/x1xJdlgbyKfeaVIiWDkWeZLLTtgyH63oiWqnbnv+UWGv8qA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("body hash did not verify") header.d=remworks.net header.s=fm3 header.b=d7a4AQHi; dkim=fail ("body hash did not verify") header.d=messagingengine.com header.s=fm1 header.b=xC61PPk8; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1684828206; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=lkXacvCYXYiR0UXrmgvPMNK8wiH+QmDQ2Z1aGICB35U=; b=sePe0WDWDGL/0qWA68SgwLaxzmjFtNXVAILggF73TA/AJklSh1oAVQcPKCL6vm04oXFcr7 0PJriyBDJfPMN/u06Dvhi0dZXfpCxGvCH/P5YZq6HWvEMNuAhlHPslUXYLPq6HrFyQOSxm vrkVLHkmd065q3IUi83wzUF68YuvgWoEq5xEzzYvUON8Aq96jZbpm+fVQAL2hPAxArBkc1 DVEDKbJGW5m6KSXFhaokHzvgMOJafSsr+y1/25NJRRpKo9XxYcmbCKx1RxxCBYDbC9rcwI HiT+fg1y0by63yPsi6Cm40Q/zA2ctnnIomZb9QD62tHDzXSUmzmu9SJv5ZKNNA== X-Migadu-Scanner: scn1.migadu.com Authentication-Results: aspmx1.migadu.com; dkim=fail ("body hash did not verify") header.d=remworks.net header.s=fm3 header.b=d7a4AQHi; dkim=fail ("body hash did not verify") header.d=messagingengine.com header.s=fm1 header.b=xC61PPk8; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: 3.43 X-Spam-Score: 3.43 X-Migadu-Queue-Id: B0EDD2DDB2 X-TUID: QPyK5rwChxRw * gnu/services/docker.scm (docker-configuration): Define the argument. * gnu/services/docker.scm (docker-shepherd-service): Use it. * doc/guix.texi (Docker Service): Document it. --- doc/guix.texi | 27 ++++++++++++++++++++++++++- gnu/services/docker.scm | 28 +++++++++++++++++++++++++++- 2 files changed, 53 insertions(+), 2 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index f4cca66d76..ae185ced61 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -100,7 +100,7 @@ Copyright @copyright{} 2021 muradm@* Copyright @copyright{} 2021, 2022 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* -Copyright @copyright{} 2022 Remco van 't Veer@* +Copyright @copyright{} 2022, 2023 Remco van 't Veer@* Copyright @copyright{} 2022 Aleksandr Vityazev@* Copyright @copyright{} 2022 Philip M@sup{c}Grath@* Copyright @copyright{} 2022 Karl Hallsby@* @@ -38533,6 +38533,31 @@ Miscellaneous Services @item @code{enable-iptables?} (default @code{#t}) Enable or disable the addition of iptables rules. +@item @code{enable-userns-remap?} (default @code{#f}) +Enable remapping and subordinate user and group IDs. + +A system user account named @code{dockremap} and user group named +@code{dockremap} will be created. They must be mapped using the +@file{/etc/subuid} and @file{/etc/subguid} files otherwise docker fail +to startup. + +Here's an example service to setup both files: + +@lisp +(simple-service + 'subuid-subgid etc-service-type + (list `("subuid" + ,(plain-file "subuid" + "dockremap:65536:65536\n")) + `("subgid" + ,(plain-file "subgid" + "dockremap:65536:65536\n")))) +@end lisp + +The above will remap to UID 0 (root) to 65536, UID 1 to 65537 etc. For +more information regarding the format of these files, consult +@command{man 5 subuid} and @command{man 5 subgid}. + @item @code{environment-variables} (default: @code{()}) List of environment variables to set for @command{dockerd}. diff --git a/gnu/services/docker.scm b/gnu/services/docker.scm index 741bab5a8c..e138a6be7e 100644 --- a/gnu/services/docker.scm +++ b/gnu/services/docker.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2020 Efraim Flashner ;;; Copyright © 2020 Jesse Dowell ;;; Copyright © 2021 Brice Waegeneire +;;; Copyright © 2023 Remco van 't Veer ;;; ;;; This file is part of GNU Guix. ;;; @@ -29,6 +30,7 @@ (define-module (gnu services docker) #:use-module (gnu services shepherd) #:use-module (gnu system setuid) #:use-module (gnu system shadow) + #:use-module (gnu packages admin) #:use-module (gnu packages docker) #:use-module (gnu packages linux) ;singularity #:use-module (guix records) @@ -62,6 +64,9 @@ (define-configuration docker-configuration (enable-iptables? (boolean #t) "Enable addition of iptables rules (enabled by default).") + (enable-userns-remap? + (boolean #f) + "Enable remapping and subordinate user and group IDs (disabled by default).") (environment-variables (list '()) "Environment variables to set for dockerd") @@ -107,6 +112,7 @@ (define (docker-shepherd-service config) (let* ((docker (docker-configuration-docker config)) (enable-proxy? (docker-configuration-enable-proxy? config)) (enable-iptables? (docker-configuration-enable-iptables? config)) + (enable-userns-remap? (docker-configuration-enable-userns-remap? config)) (environment-variables (docker-configuration-environment-variables config)) (proxy (docker-configuration-proxy config)) (debug? (docker-configuration-debug? config))) @@ -135,6 +141,9 @@ (define (docker-shepherd-service config) #~(string-append "--userland-proxy-path=" #$proxy "/bin/proxy")) '("--userland-proxy=false")) + #$@(if enable-userns-remap? + '("--userns-remap=dockremap") + '()) (if #$enable-iptables? "--iptables" "--iptables=false") @@ -145,6 +154,18 @@ (define (docker-shepherd-service config) #:log-file "/var/log/docker.log")) (stop #~(make-kill-destructor))))) +(define %docker-remap-user-group + (user-group (name "dockremap") + (system? #t))) + +(define %docker-remap-user-account + (user-account (name "dockremap") + (group "dockremap") + (system? #t) + (comment "Docker user namespace remap user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")))) + (define docker-service-type (service-type (name 'docker) (description "Provide capability to run Docker application @@ -161,7 +182,12 @@ (define docker-service-type (list (containerd-shepherd-service config) (docker-shepherd-service config)))) (service-extension account-service-type - (const %docker-accounts)))) + (lambda (config) + (if (docker-configuration-enable-userns-remap? config) + (cons* %docker-remap-user-group + %docker-remap-user-account + %docker-accounts) + %docker-accounts))))) (default-value (docker-configuration)))) base-commit: 849286ba66c96534bddc04df1a47d5692cbc977e -- 2.40.1