Browse code
Properly report conflicting namespace options when using userns
This prevents strange errors and clarifies which namespace options are
incompatible with user namespaces (at this time).
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Phil Estes authored on 2016/01/08 23:03:17Showing 1 changed files
| ... | ... |
@@ -380,8 +380,23 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes. |
| 380 | 380 |
warnings = append(warnings, "IPv4 forwarding is disabled. Networking will not work.") |
| 381 | 381 |
logrus.Warnf("IPv4 forwarding is disabled. Networking will not work")
|
| 382 | 382 |
} |
| 383 |
- if hostConfig.Privileged && daemon.configStore.RemappedRoot != "" {
|
|
| 384 |
- return warnings, fmt.Errorf("Privileged mode is incompatible with user namespace mappings")
|
|
| 383 |
+ // check for various conflicting options with user namespaces |
|
| 384 |
+ if daemon.configStore.RemappedRoot != "" {
|
|
| 385 |
+ if hostConfig.Privileged {
|
|
| 386 |
+ return warnings, fmt.Errorf("Privileged mode is incompatible with user namespaces.")
|
|
| 387 |
+ } |
|
| 388 |
+ if hostConfig.NetworkMode.IsHost() || hostConfig.NetworkMode.IsContainer() {
|
|
| 389 |
+ return warnings, fmt.Errorf("Cannot share the host or a container's network namespace when user namespaces are enabled.")
|
|
| 390 |
+ } |
|
| 391 |
+ if hostConfig.PidMode.IsHost() {
|
|
| 392 |
+ return warnings, fmt.Errorf("Cannot share the host PID namespace when user namespaces are enabled.")
|
|
| 393 |
+ } |
|
| 394 |
+ if hostConfig.IpcMode.IsContainer() {
|
|
| 395 |
+ return warnings, fmt.Errorf("Cannot share a container's IPC namespace when user namespaces are enabled.")
|
|
| 396 |
+ } |
|
| 397 |
+ if hostConfig.ReadonlyRootfs {
|
|
| 398 |
+ return warnings, fmt.Errorf("Cannot use the --read-only option when user namespaces are enabled.")
|
|
| 399 |
+ } |
|
| 385 | 400 |
} |
| 386 | 401 |
return warnings, nil |
| 387 | 402 |
} |