Bug 1461573

Summary: docker run --privileged : unhelpful error message when user namespaces enabled
Product: Red Hat Enterprise Linux 7
Reporter: Ed Santiago <santiago>
Component: docker
Assignee: Tom Sweeney <tsweeney>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: medium
Priority: medium
Version: 7.4
CC: amurdaca, fkluknav, jhonce, lsm5, lsu
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-10-19 15:19:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ed Santiago 2017-06-14 20:06:04 UTC
Setup: RHEL 7.4, docker daemon running with --userns-remap=default:

    # docker run --privileged centos date
    /usr/bin/docker-current: Error response from daemon: Privileged mode is incompatible with user namespaces.
    See '/usr/bin/docker-current run --help'.

A better error message might suggest adding '--userns=host' to docker run

Full setup details:

    # echo 100 >/proc/sys/user/max_user_namespaces
    # for i in uid gid; do echo "dockremap:100000:65536" > /etc/sub$i;done
    # vi /etc/sysconfig/docker
    [ add --userns-remap=default to OPTIONS ]
    # systemctl stop docker
    # rm -rf /var/lib/docker
    # docker-storage-setup --reset
    # docker-storage-setup
    # systemctl start docker

Comment 2 Daniel Walsh 2017-06-15 11:38:52 UTC
Tom, can you take a look at this one.  Basically we need to check if the user is specifying --privileged without --userns=host and tell them this will not work and how to make it work.  Patch should be submitted upstream.
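Comment 2 describes the daemon-side check the fix needs: when user-namespace remapping is enabled, a `--privileged` container must also be started with `--userns=host`, and the rejection message should say so. The Go snippet below is an added illustration of that check and is not code from moby, projectatomic/docker or the linked PRs; the `DaemonConfig` and `HostConfig` types, their field names, and the exact error text are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// DaemonConfig is a constructed stand-in for the daemon settings the check
// needs: whether the daemon was started with --userns-remap.
type DaemonConfig struct {
	RemapEnabled bool
}

// HostConfig is a constructed stand-in for the per-container settings that
// "docker run" sends to the daemon. UsernsMode is "" (inherit the daemon's
// remapped namespace) or "host" (run in the host user namespace).
type HostConfig struct {
	Privileged bool
	UsernsMode string
}

// ErrPrivilegedWithUserns is the actionable message the bug asks for: it
// names the conflict and the flag that resolves it. (Assumed wording.)
var ErrPrivilegedWithUserns = errors.New(
	"privileged mode is incompatible with user namespaces; " +
		"add --userns=host to 'docker run' to run a privileged container in the host user namespace")

// ErrInvalidUsernsMode rejects values other than "" or "host".
var ErrInvalidUsernsMode = errors.New("invalid --userns value: expected \"host\" or no value")

// verifyPrivilegedUserns mirrors the validation Comment 2 calls for.
// It only fires when all three conditions hold: remapping is on, the
// container is privileged, and the caller did not opt into --userns=host.
func verifyPrivilegedUserns(d DaemonConfig, hc HostConfig) error {
	switch hc.UsernsMode {
	case "", "host":
	default:
		return ErrInvalidUsernsMode
	}
	if !d.RemapEnabled || !hc.Privileged {
		return nil // nothing to check: no remap in play, or not privileged
	}
	if hc.UsernsMode == "host" {
		return nil // privileged container explicitly placed in the host userns
	}
	return ErrPrivilegedWithUserns
}

func main() {
	remapped := DaemonConfig{RemapEnabled: true}
	cases := []HostConfig{
		{Privileged: true},                     // the bug's repro: rejected with a hint
		{Privileged: true, UsernsMode: "host"}, // the documented workaround: accepted
		{Privileged: false},                    // unprivileged container: accepted
		{Privileged: true, UsernsMode: "bogus"}, // malformed flag value: rejected
	}
	for _, hc := range cases {
		fmt.Printf("%+v -> %v\n", hc, verifyPrivilegedUserns(remapped, hc))
	}
}
```

The check runs against the daemon's own configuration rather than anything the client claims, so a user cannot bypass it by omitting `--userns`; the only way past it is to name `host` explicitly, which makes the loss of namespace isolation a visible, logged decision rather than a silent default.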

Comment 3 Tom Sweeney 2017-06-18 01:23:10 UTC
PR opened with proposed fix: https://github.com/moby/moby/pull/33722

Comment 4 Tom Sweeney 2017-08-16 18:49:53 UTC
PR https://github.com/moby/moby/pull/33722 recently merged.  It was a change to the upstream Docker that will need to wind its way back to RHEL.

Comment 7 Frantisek Kluknavsky 2017-10-16 18:09:38 UTC
https://github.com/projectatomic/docker/pull/276

Comment 9 errata-xmlrpc 2017-10-19 15:19:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2964