Bug 1461573 - docker run --privileged : unhelpful error message when user namespaces enabled [NEEDINFO]
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Severity: medium
Assigned To: Tom Sweeney
Reported: 2017-06-14 16:06 EDT by Ed Santiago
Modified: 2017-10-19 11:19 EDT
Last Closed: 2017-10-19 11:19:22 EDT
Type: Bug
lsu: needinfo? (lsm5)

Description Ed Santiago 2017-06-14 16:06:04 EDT
Setup: RHEL 7.4, docker daemon running with --userns-remap=default:

    # docker run --privileged centos date
    /usr/bin/docker-current: Error response from daemon: Privileged mode is incompatible with user namespaces.
    See '/usr/bin/docker-current run --help'.

A better error message might suggest adding '--userns=host' to docker run.

Full setup details:

    # echo 100 >/proc/sys/user/max_user_namespaces
    # for i in uid gid; do echo "dockremap:100000:65536" > /etc/sub$i;done
    # vi /etc/sysconfig/docker
    [ add --userns-remap=default to OPTIONS ]
    # systemctl stop docker
    # rm -rf /var/lib/docker
    # docker-storage-setup --reset
    # docker-storage-setup
    # systemctl start docker
Comment 2 Daniel Walsh 2017-06-15 07:38:52 EDT
Tom, can you take a look at this one? Basically we need to check if the user is specifying --privileged without --userns=host and tell them this will not work and how to make it work. Patch should be submitted upstream.
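The check described in Comment 2, sketched as a client-side preflight for `docker run` arguments. This is an added example, not part of the original bug report and not the upstream patch. The function name, the hint wording and the sample `SecurityOptions` string are assumptions; note that `--userns=host` turns off user namespace remapping for that one container.

```shell
#!/bin/sh
# Added example: client-side preflight, not Docker's own code.
# Usage: check_privileged_userns SECURITY_OPTIONS [docker run arguments...]
# SECURITY_OPTIONS is the text printed by
#   docker info --format '{{.SecurityOptions}}'
# (assumption: it contains "userns" when the daemon remaps user namespaces).
# Returns 1 and prints a hint when --privileged is requested under remapping
# without --userns=host; returns 0 otherwise.
check_privileged_userns() {
    secopts=$1
    shift
    privileged=0
    userns_host=0
    prev=
    # Simplification: every argument is scanned, including the container's
    # own command line, so a literal "--privileged" there also counts.
    for arg in "$@"; do
        case $arg in
            --privileged|--privileged=true) privileged=1 ;;
            --privileged=false)             privileged=0 ;;
            --userns=host)                  userns_host=1 ;;
            --userns=*)                     userns_host=0 ;;
            host) if [ "$prev" = --userns ]; then userns_host=1; fi ;;
        esac
        prev=$arg
    done
    case $secopts in
        *userns*) remapped=1 ;;
        *)        remapped=0 ;;
    esac
    if [ "$privileged" -eq 1 ] && [ "$remapped" -eq 1 ] && [ "$userns_host" -eq 0 ]; then
        echo "Privileged mode is incompatible with user namespaces." >&2
        echo "Hint: add --userns=host to run this one container without remapping." >&2
        return 1
    fi
    return 0
}

# Constructed sample value standing in for real `docker info` output.
SAMPLE_SECOPTS='[name=seccomp,profile=default name=userns]'
check_privileged_userns "$SAMPLE_SECOPTS" --privileged centos date || true
```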
Comment 3 Tom Sweeney 2017-06-17 21:23:10 EDT
PR opened with proposed fix: https://github.com/moby/moby/pull/33722
Comment 4 Tom Sweeney 2017-08-16 14:49:53 EDT
PR https://github.com/moby/moby/pull/33722 recently merged. It was a change to the upstream Docker that will need to wind its way back to RHEL.
Comment 7 Frantisek Kluknavsky 2017-10-16 14:09:38 EDT
Comment 9 errata-xmlrpc 2017-10-19 11:19:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.