is it possible to use docker socket mounted from host inside docker container when using user namespaces?
I have following configuration:
/etc/subuid
user:100000:65536
/etc/subgid
user:100000:65536
/etc/docker/daemon.json
{
"userns-remap": "ns-user"
}
I've created the user ns-user with UID 100000 and the group ns-user with GID 100000. Additionally, I've added ns-user to the docker group. When I log in as ns-user on the host machine, I can use docker via the socket.
The problem is that when I run a container with the docker socket mounted, I get permission denied on the socket. Socket privileges inside the docker container:
srw-rw---- 1 nobody nogroup 0 Jun 26 15:00 /var/run/docker.sock
EDIT 1:
To clarify: I thought that root (uid 0) inside the container maps to ns-user (uid 100000) on the host, which has permission to the docker socket. In fact I get permission denied. Why?
I do not want to use --userns=host parameter.
You can do this by using socat to create a socket with the right privileges for the namespace user:
sudo socat UNIX-LISTEN:/var/run/docker-userns.sock,user=1000,group=1000,mode=0600,fork UNIX-CLIENT:/var/run/docker.sock &
You'll need to write a script that starts this before your container is started. It will still work if the socket comes up after docker; your containers just might restart a few times until they are able to connect to the user socket.
I've been looking for something a bit more configurable than this. Could probably use a python script using the pty module as mentioned here.
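The following script is an added example, not code from the question or the answer above; it wraps the socat approach in the "start this before the container" script the answer calls for. Two facts drive it. First, with userns-remap, root inside the container is mapped not to the remap user's own uid but to the first id of that user's /etc/subuid range (and container gid 0 to the first id of the /etc/subgid range), so that is the id the proxy socket has to be owned by; the script reads it from the files instead of hard-coding 1000. Second, the raw socket fails because the host socket is root:docker 0660 and neither uid 0 nor the docker group's gid is mapped into the user namespace (which is why it lists as nobody:nogroup inside), so the container's root cannot exercise ns-user's docker group membership no matter which host account it corresponds to. The remap user name "ns-user", the proxy path /var/run/docker-userns.sock, the pid file and the docker:cli image are assumptions to adjust; "start" must run as root so socat can chown the proxy socket.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Starts a socat proxy
# socket owned by the host uid/gid that root inside a userns-remapped container is
# mapped to, then runs a container against the proxy instead of the raw socket.
# Assumed names: remap user "ns-user", proxy socket /var/run/docker-userns.sock,
# pid file /var/run/docker-userns-proxy.pid, image docker:cli.

PROXY_SOCK=/var/run/docker-userns.sock
DAEMON_SOCK=/var/run/docker.sock
PID_FILE=/var/run/docker-userns-proxy.pid

# Print the first subordinate id assigned to user $1 in the subuid/subgid-style
# file $2. Root inside the remapped container is mapped to exactly this host id,
# so the proxy socket must be owned by it. Exit status 1 if there is no entry.
subid_base() {
    awk -F: -v u="$1" '
        $1 == u { print $2; found = 1; exit }
        END     { if (found) exit 0; exit 1 }' "$2"
}

# Build the socat listener address: uid $1, gid $2, socket path $3.
# mode=0600 keeps other unprivileged host users away from the proxy.
proxy_listen_addr() {
    printf 'UNIX-LISTEN:%s,user=%s,group=%s,mode=0600,fork' "$3" "$1" "$2"
}

# Start the proxy for remap user $1 in the background and record its pid.
start_proxy() {
    uid=$(subid_base "$1" /etc/subuid) || { echo "no /etc/subuid entry for $1" >&2; return 1; }
    gid=$(subid_base "$1" /etc/subgid) || { echo "no /etc/subgid entry for $1" >&2; return 1; }
    rm -f "$PROXY_SOCK"
    socat "$(proxy_listen_addr "$uid" "$gid" "$PROXY_SOCK")" "UNIX-CLIENT:$DAEMON_SOCK" &
    echo $! > "$PID_FILE"
    # Wait for socat to create the socket before the container bind-mounts it,
    # otherwise docker would create a plain directory at that path.
    for _ in 1 2 3 4 5; do
        [ -S "$PROXY_SOCK" ] && return 0
        sleep 1
    done
    echo "proxy socket $PROXY_SOCK did not appear" >&2
    return 1
}

stop_proxy() {
    [ -f "$PID_FILE" ] || return 0
    kill "$(cat "$PID_FILE")"
    rm -f "$PID_FILE" "$PROXY_SOCK"
}

# Show the id lookup on a constructed subuid file (no root, docker or socat needed).
demo() {
    tmp=$(mktemp)
    printf 'user:100000:65536\nns-user:200000:65536\n' > "$tmp"   # constructed sample
    printf 'ns-user -> container root runs as host uid %s\n' "$(subid_base ns-user "$tmp")"
    printf 'listener: %s\n' "$(proxy_listen_addr 200000 200000 "$PROXY_SOCK")"
    rm -f "$tmp"
}

case "${1:-}" in
    start) start_proxy "${2:-ns-user}" &&
           docker run --rm -v "$PROXY_SOCK:/var/run/docker.sock" docker:cli docker ps ;;
    stop)  stop_proxy ;;
    demo)  demo ;;
esac
```

Inside the container the bind-mounted proxy shows up as owned by root with mode 0600, because the host id it is chowned to is exactly what the namespace maps to uid 0. Keep in mind what this buys and what it does not: the proxy only fixes ownership, it does not limit authority. Anything in that container that can talk to the socket has full control of the host's Docker daemon (it can start a privileged container or bind-mount / from the host), so for that one container userns-remap no longer provides meaningful isolation; grant it only to containers you would trust with root on the host.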