Public bug reported:

This is a summary of my 2 posts:
1. https://forum.snapcraft.io/t/call-for-testing-of-the-docker-snap/7710/31?u=huygens
2. https://forum.snapcraft.io/t/call-for-testing-of-the-docker-snap/7710/32?u=huygens

In brief, I want to activate User Namespace for Docker. Currently, using
Docker provided as a Snap package, it is not possible to use the
`userns-remap` option with the default value. AppArmor denies the
permission to create a new user.

I went the manual way, creating the user and appropriate UID/GID
mapping. But still AppArmor denies reading access to /etc/subuid and
/etc/subgid.

So the problem is: User Namespace does not work out of the box.

Solution:

I have edited this file
`/var/lib/snapd/apparmor/profiles/snap.docker.dockerd` and added
`subuid` and `subgid` to the authorised list of files with read-only
permission.

After making sure the changes were activated, I got the result (snippet
from `sudo docker info` command):

    Security Options:
     apparmor
     seccomp
      Profile: default
     userns

And running `sudo docker run hello-world` did work as well.

Could you make the change permanent?

** Affects: docker (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1822004

Title:
  User Namespace fails with Docker Snap - AppArmor profile too
  restrictive

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/docker/+bug/1822004/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
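
Added example, not part of the original report or of the snap's own tooling: one way to confirm from the kernel log which file reads the `snap.docker.dockerd` profile denied, and to print only the read-only rules for `/etc/subuid` and `/etc/subgid` that the report describes adding. The log lines are constructed samples in AppArmor's usual audit format, and `denials` and `triage` are hypothetical helper names.

```python
import re

# Constructed sample kernel audit lines in AppArmor's usual format (not from the report).
SAMPLE_LOG = """\
audit: type=1400 audit(1553700001.101:410): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/subuid" pid=2101 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1553700001.105:411): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/subgid" pid=2101 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1553700002.300:412): apparmor="DENIED" operation="open" profile="snap.docker.dockerd" name="/etc/example.conf" pid=2101 comm="dockerd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1553700003.000:413): apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/subuid" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1553700005.000:415): apparmor="ALLOWED" operation="open" profile="snap.docker.dockerd" name="/etc/hostname" pid=2101 comm="dockerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')          # quoted key="value" pairs
USERNS_FILES = {"/etc/subuid", "/etc/subgid"}   # the two files named in the report


def denials(log, profile="snap.docker.dockerd"):
    """Return {path: set of denied permission letters} for one profile."""
    found = {}
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue  # ignore allowed events and other profiles
        if "name" in fields:
            found.setdefault(fields["name"], set()).update(fields.get("denied_mask", ""))
    return found


def triage(log):
    """Split denials into read-only rules for the userns files and the rest."""
    rules, review = [], []
    for path, mask in sorted(denials(log).items()):
        if path in USERNS_FILES and mask == {"r"}:
            rules.append(f"{path} r,")           # AppArmor file rule, read-only
        else:
            review.append((path, "".join(sorted(mask))))  # never auto-allowed
    return rules, review


if __name__ == "__main__":
    rules, review = triage(SAMPLE_LOG)
    print("rules to add:", *rules, sep="\n  ")
    print("needs manual review:", review)
```

Anything outside the two map files, or any access wider than read, is left for manual review rather than turned into a rule.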
