Permissions to set on /var/run/docker.sock with user namespace (userns-remap) isolation?

[C-Duv]

i get the following errors wheen running Chadburn (via Docker Compose) on a Docker host where user namespace isolation is enabled ("userns-remap": "default" in /etc/docker/daemon.json file):

daemon.go:46 ▶ CRITICAL Can't start the app: Get "http://unix.sock/info": dial unix /var/run/docker.sock: connect: permission denied

I tried adding permissions to /var/run/docker.sock with setfacl without success (still getting the same errors), getfacl -R /var/run/docker.sock returns:

getfacl: Removing leading '/' from absolute path names
# file: var/run/docker.sock
# owner: root
# group: docker
user::rw-
user:dockremap:rwx
group::rw-
mask::rwx
other::---

Is Chadburn compatible with user namespace isolation?

PS: Also tested with Ofelia : same result (mcuadros/ofelia#176)

[maietta]

Sorry for the delayed response. Very interesting scenario! I've never actually used user namespace isolation for docker environments so this never even occurred to me. I suspect this is only going to be an issue for tasks that need to perform actions on containers not in the same user space as Chadburn's container.

Did you configure Chadburn to run in a different user space than your other containers?

Your use-case is not typical but highly encouraged! As a fan of better security practices, I'll definitely be looking into this in the near future. Sadly though, this may be just outside my skill level but I'll be here for the ride in case anyone else jumps in to help with this. Until then, I'll try and carve out some time soon to look into this.

[martadinata666]

So here is a thing, as already shown the /var/run/docker.sock permission is root UID 0 and docker group GID X. And userns feature is either randomized UID:GID or set specific UID:GID. And the most simple way is add the userns user to docker group GID X. This is just common for any other container that need mount /var/run/docker.sock, either run as root or add yourself to docker group.

[C-Duv]

Thanks for the tips: I'll try adding dockremap user to docker group and see how it goes.

[maietta]

I'd love to know if that worked for you. I'm about to begin a major re-work of Chadburn and releasing it under version 2.x. Knowing this now would save me some time in initial testing.

[beardstack]

I believe that you should be running the containers that require to talk to the docker socket in the host user namespace.
userns_mode: 'host' this should give you the permissions you need.