Docker fails to run after enabling userns-remap
Background
After enabling Docker's isolation mechanism (userns-remap) and restarting Docker, containers could no longer be run.
References
https://www.cnblogs.com/sparkdev/archive/2018/09/13/9614326.html
https://docs.docker.com/engine/security/userns-remap/
/etc/docker/daemon.json
{
  "registry-mirrors": [
    "http://hub-mirror.c.163.com",
    "https://registry.docker-cn.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://2oslzh3e.mirror.aliyuncs.com"
  ],
  "userns-remap": "1001:1001"
}
cat /etc/subuid
lighthouse:100000:65536
ziop:165535:65536
cat /etc/subgid
lighthouse:100000:65536
ziop:165535:65536
Test
Run
docker run hello-world
Error
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:53f1bbee2f52c39e41682ee1d388285290c5c8a76cc92b42687eecf38e0af3f0
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF: unknown.
ERRO[0002] error waiting for container: context canceled
Cause
Although the group of the containers directory has already changed to 166535, it is still owned by root.
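As an added check (example code, not from the original post), the script below redoes the lookup Docker performs for the userns-remap value against constructed copies of the post's /etc/subuid and /etc/subgid, derives the per-remap data root Docker creates under /var/lib/docker (named subuid.subgid), and tests the subordinate ranges for overlap. It assumes that uid/gid 1001 is the user and group ziop, which the post does not state; on the post's own files it reports that the lighthouse range (100000 to 165535) and the ziop range (starting at 165535) share id 165535.

```shell
#!/bin/sh
# Added example (not from the original post): redo the lookup Docker performs for
# "userns-remap" and sanity-check /etc/subuid and /etc/subgid before restarting.
# Assumption not stated in the post: uid/gid 1001 belongs to the user/group "ziop".

# Constructed copies of the post's subordinate-id files, so this runs anywhere.
SUBUID_SAMPLE="$(mktemp)"
SUBGID_SAMPLE="$(mktemp)"
printf 'lighthouse:100000:65536\nziop:165535:65536\n' > "$SUBUID_SAMPLE"
printf 'lighthouse:100000:65536\nziop:165535:65536\n' > "$SUBGID_SAMPLE"

# sub_start FILE OWNER: first subordinate id granted to OWNER, empty if none.
sub_start() {
  awk -F: -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# remap_dirname SUBUID_FILE SUBGID_FILE USER GROUP: name of the per-remap data
# root Docker creates under /var/lib/docker ("165535.165535" for the post);
# fails when either owner has no range, in which case the daemon cannot remap.
remap_dirname() {
  u="$(sub_start "$1" "$3")"
  g="$(sub_start "$2" "$4")"
  [ -n "$u" ] && [ -n "$g" ] || return 1
  printf '%s.%s\n' "$u" "$g"
}

# range_overlaps FILE: list every pair of owners whose ranges share an id
# (range = start..start+count-1); succeed only when there is none. Two
# remapped roots sharing an id defeats the isolation userns-remap is for.
range_overlaps() {
  awk -F: '
    { n++; name[n] = $1; lo[n] = $2; hi[n] = $2 + $3 - 1 }
    END {
      for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
        if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
          bad = 1
          printf "%s and %s overlap on %d..%d\n", name[i], name[j], (lo[i] > lo[j] ? lo[i] : lo[j]), (hi[i] < hi[j] ? hi[i] : hi[j])
        }
      exit bad
    }' "$1"
}

# Report for the post's configuration: expected data root, then range problems.
if name="$(remap_dirname "$SUBUID_SAMPLE" "$SUBGID_SAMPLE" ziop ziop)"; then
  echo "remapped root uid:gid ${name%.*}:${name#*.}, data root /var/lib/docker/$name"
else
  echo "ziop has no subordinate uid/gid range; the daemon cannot apply the remap"
fi
for f in "$SUBUID_SAMPLE" "$SUBGID_SAMPLE"; do range_overlaps "$f" || echo "fix $f: ranges must not overlap"; done
```

Run it as any user; it touches only the temporary files it creates, so it is safe to try before editing the real /etc/subuid and /etc/subgid.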