support (per-container) user namespace remapping

[geekodour]

I was wondering where would the feature of providing per container user-ns go in nomad?

Following are recent developments in k8s:

Mirantis/cri-dockerd#74
kubernetes/enhancements#127

Is it something nomad would like to support? if yes does it go in the docker driver or how would this roughly be implemented?

cc: @tgross

[tgross]

@geekodour isn't this configurable already in dockerd? https://docs.docker.com/engine/security/userns-remap/ In any case, yes, that'd be a task-driver specific configuration, so it'd need to get implemented for each task driver.

[geekodour]

isn't this configurable already in dockerd

afaiu, userns-remap does it for all containers(a daemon config). and the --userns=host apparently just works as a disable namespace option when using using the userns-remap daemon option.

This feature is more about being able to assign a user-namespace at runtime to the container we want to run.

This has some historical info about it: moby/moby#27548

But I am unsure about the current status upstream aswell.

so it'd need to get implemented for each task driver.

I see, makes sense! I wonder how this plays out with podman

EDIT: podman does support this ootb, with --userns flag but I think it's not there in the nomad podman task driver yet.

[tgross]

Ok, I think I know why I was confused. The containers all run in their own user namespace. But it's the user remapping for the namespaces that you want to set individually per-container. Totally sensible. I'll mark this for roadmapping, but it might also be an interesting issue for someone to try to contribute from the community if one were so inclined.