This prevents strange errors and clarifies which namespace options are
incompatible with user namespaces (at this time).
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
@@ -380,8 +380,23 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes. |
380 | 380 |
warnings = append(warnings, "IPv4 forwarding is disabled. Networking will not work.") |
381 | 381 |
logrus.Warnf("IPv4 forwarding is disabled. Networking will not work") |
382 | 382 |
} |
383 |
- if hostConfig.Privileged && daemon.configStore.RemappedRoot != "" { |
|
384 |
- return warnings, fmt.Errorf("Privileged mode is incompatible with user namespace mappings") |
|
383 |
+ // check for various conflicting options with user namespaces |
|
384 |
+ if daemon.configStore.RemappedRoot != "" { |
|
385 |
+ if hostConfig.Privileged { |
|
386 |
+ return warnings, fmt.Errorf("Privileged mode is incompatible with user namespaces.") |
|
387 |
+ } |
|
388 |
+ if hostConfig.NetworkMode.IsHost() || hostConfig.NetworkMode.IsContainer() { |
|
389 |
+ return warnings, fmt.Errorf("Cannot share the host or a container's network namespace when user namespaces are enabled.") |
|
390 |
+ } |
|
391 |
+ if hostConfig.PidMode.IsHost() { |
|
392 |
+ return warnings, fmt.Errorf("Cannot share the host PID namespace when user namespaces are enabled.") |
|
393 |
+ } |
|
394 |
+ if hostConfig.IpcMode.IsContainer() { |
|
395 |
+ return warnings, fmt.Errorf("Cannot share a container's IPC namespace when user namespaces are enabled.") |
|
396 |
+ } |
|
397 |
+ if hostConfig.ReadonlyRootfs { |
|
398 |
+ return warnings, fmt.Errorf("Cannot use the --read-only option when user namespaces are enabled.") |
|
399 |
+ } |
|
385 | 400 |
} |
386 | 401 |
return warnings, nil |
387 | 402 |
} |
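Review bot: The five new error strings (new lines 386–398) are capitalized and end with a period, which goes against Go's error-string convention (lowercase, no trailing punctuation) and reads oddly once wrapped by a caller; the pre-existing message on the removed line 384 at least had no trailing period. Since every message is a constant, each `fmt.Errorf("…")` could also become `errors.New("…")`, e.g. `return warnings, errors.New("privileged mode is incompatible with user namespaces")`, provided `errors` is imported in the rest of the file. Separately, the checks reject sharing a container's network or IPC namespace but say nothing about `hostConfig.PidMode.IsContainer()`; if that asymmetry is intentional, a short comment on the PID check saying why would save the next reader from wondering, and if it is not, the check is missing. The comment on line 383 might also note that the function returns on the first conflict, so a user with several incompatible options will see them one at a time. verifyPlatformContainerSettings starts outside the hunk.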