Docker run userns host + privileged + net host not working as expected #42846

Open
monwolf opened this issue Sep 13, 2021 · 6 comments
Labels
area/security/userns kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. version/20.10

Comments

@monwolf

monwolf commented Sep 13, 2021


BUG REPORT INFORMATION

Description

I'm trying to set up weave to create an overlay network on a host with a docker daemon using user namespaces, but when I try to run the container as follows:

docker run  --rm --userns=host  --privileged --net host  -v /var/run/docker.sock:/var/run/docker.sock --pid host -v /:/host -e HOST_ROOT=/host -e DOCKERHUB_USER=weaveworks -e WEAVE_VERSION -e WEAVE_DEBUG -e WEAVE_DOCKER_ARGS -e WEAVE_PASSWORD -e WEAVE_PORT -e WEAVE_HTTP_ADDR -e WEAVE_STATUS_ADDR -e WEAVE_CONTAINER_NAME -e WEAVE_MTU -e WEAVE_NO_FASTDP -e WEAVE_NO_BRIDGED_FASTDP -e DOCKER_BRIDGE -e DOCKER_CLIENT_HOST= -e DOCKER_CLIENT_ARGS -e PROXY_HOST=127.0.0.1 -e COVERAGE -e CHECKPOINT_DISABLE -e AWSVPC  weaveworks/weaveexec:2.8.1 --local launch --no-restart --ipalloc-range=

I'm getting the error:

unable to create container: API error (400): privileged mode is incompatible with user namespaces.  You must run the container in the host namespace when running privileged mode

The only way I found to run this container is removing the --net flag; I also tried with the --network flag, but the same thing happens.
As expected, the container can't run without the host network.

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.5
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:33:55 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.5
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       363e9a8
  Built:            Tue Mar  2 20:32:17 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)

Server:
 Containers: 7
  Running: 5
  Paused: 0
  Stopped: 2
 Images: 19
 Server Version: 20.10.5
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: syslog
 Cgroup Driver: systemd
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  userns
 Kernel Version: 3.10.0-1127.13.1.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.7GiB
 Name: usvcdes01
 ID: K7L7:HJYU:4V7S:7KVY:E3XK:SX6A:IB3A:DALQ:NNDD:MHPL:CF62:MB4S
 Docker Root Dir: /var/lib/docker/500000.500000
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true

Our hosts are CentOS 7 virtualized on top of VMware.

@thaJeztah (Member)

If you docker inspect the container, what does it show for UsernsMode in the HostConfig? I think this line should check if it's != "host", so I'm wondering why it's hitting that block:

moby/daemon/daemon_unix.go, lines 697 to 698 in 9e7bbdb:

if daemon.configStore.RemappedRoot != "" && hostConfig.UsernsMode.IsPrivate() {
    if hostConfig.Privileged {
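The two quoted lines gate the rejection on two conditions: the daemon must have userns-remap configured (RemappedRoot non-empty) and the container's UsernsMode must be private, i.e. anything other than "host". The following Go program is an added example, not moby's code, that re-implements that gate so the combinations can be checked offline. The UsernsMode type with its IsHost/IsPrivate predicates, the trimmed HostConfig, the ErrPrivilegedUserns variable and the small parseRunArgs flag parser are this example's own simplifications; the argument list is the reporter's command line with most -e options removed. Only the --privileged branch quoted on the page is reproduced; the example does not explain why the daemon still rejects the --net host variant, which is the open question of this issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// UsernsMode models the two predicates the quoted check calls (assumed from
// the call sites on the page; moby's own type lives in its container package).
// "host" shares the host user namespace; anything else, including the empty
// default, counts as private.
type UsernsMode string

func (m UsernsMode) IsHost() bool    { return m == "host" }
func (m UsernsMode) IsPrivate() bool { return !m.IsHost() }

// HostConfig keeps only the fields this example inspects.
type HostConfig struct {
	UsernsMode  UsernsMode
	NetworkMode string
	PidMode     string
	Privileged  bool
}

// ErrPrivilegedUserns carries the exact message from the bug report.
var ErrPrivilegedUserns = errors.New("privileged mode is incompatible with user namespaces.  " +
	"You must run the container in the host namespace when running privileged mode")

// verifyUsernsSettings re-implements the gate quoted from daemon_unix.go:
// the inner check only runs when userns-remap is configured on the daemon
// (remappedRoot non-empty) AND the container did not request --userns=host.
// Only the --privileged branch is reproduced here.
func verifyUsernsSettings(remappedRoot string, hc HostConfig) error {
	if remappedRoot != "" && hc.UsernsMode.IsPrivate() {
		if hc.Privileged {
			return ErrPrivilegedUserns
		}
	}
	return nil
}

// flagValue returns the value of the long flag at args[i], accepting both
// "--flag=value" and "--flag value", plus the index of the last consumed arg.
func flagValue(args []string, i int) (string, int) {
	if j := strings.IndexByte(args[i], '='); j >= 0 {
		return args[i][j+1:], i
	}
	if i+1 < len(args) {
		return args[i+1], i + 1
	}
	return "", i
}

// parseRunArgs maps the namespace-related `docker run` flags onto a HostConfig.
// It is deliberately small: short flags (-e, -v) and unknown long flags are
// skipped, so container arguments after the image name are ignored.
func parseRunArgs(args []string) HostConfig {
	var hc HostConfig
	for i := 0; i < len(args); i++ {
		arg := args[i]
		if !strings.HasPrefix(arg, "--") {
			continue
		}
		name := arg
		if j := strings.IndexByte(arg, '='); j >= 0 {
			name = arg[:j]
		}
		switch name {
		case "--privileged":
			hc.Privileged = true
			if j := strings.IndexByte(arg, '='); j >= 0 {
				hc.Privileged = arg[j+1:] != "false" // --privileged=false
			}
		case "--userns", "--net", "--network", "--pid":
			var v string
			v, i = flagValue(args, i)
			switch name {
			case "--userns":
				hc.UsernsMode = UsernsMode(v)
			case "--pid":
				hc.PidMode = v
			default:
				hc.NetworkMode = v
			}
		}
	}
	return hc
}

// reporterArgs is the reporter's command line with most -e options removed
// (constructed sample input for this example).
var reporterArgs = strings.Fields(`--rm --userns=host --privileged --net host
  -v /var/run/docker.sock:/var/run/docker.sock --pid host -v /:/host
  -e HOST_ROOT=/host -e DOCKER_CLIENT_HOST= -e PROXY_HOST=127.0.0.1
  weaveworks/weaveexec:2.8.1 --local launch --no-restart --ipalloc-range=`)

func main() {
	hc := parseRunArgs(reporterArgs)
	fmt.Printf("parsed: %+v\n", hc)
	// "default" stands in for any non-empty userns-remap setting.
	for _, remap := range []string{"", "default"} {
		for _, mode := range []UsernsMode{"host", ""} {
			hc.UsernsMode = mode
			fmt.Printf("userns-remap=%q --userns=%q: %v\n", remap, mode, verifyUsernsSettings(remap, hc))
		}
	}
}
```

Run as-is, the program shows that the reporter's flags parse to UsernsMode "host" and pass the quoted gate whenever that string really reaches the daemon, while the empty default hits ErrPrivilegedUserns as soon as userns-remap is configured. That is why the question of what docker inspect reports for UsernsMode matters: if the inspected value were anything other than "host", the rejection would be the documented behaviour rather than a bug.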

@thaJeztah (Member)

/cc @AkihiroSuda

@monwolf (Author)

monwolf commented Sep 25, 2021

Hey @thaJeztah!

Sorry for the delay in responding, I had some problems with my email: I lost the Github notifications.

Here's the info requested:

docker inspect bf4e0b16f76b |grep -i userns
            "UsernsMode": "host",

As you can see, the UsernsMode is host when I remove the --network host flag.

@thaJeztah thaJeztah changed the title Docker run userns host + privileged + net host now working as expected Docker run userns host + privileged + net host not working as expected Sep 27, 2021
@joanmm8

joanmm8 commented Nov 8, 2021

Good morning,

We are trying to deploy an overlay network and we are running into the same problem: we can't deploy weave because we enabled userns.

@thaJeztah / @AkihiroSuda is this expected behaviour, or could it be a bug related to the conditional you quoted in your last comment? #42846 (comment)

@monwolf did you find a workaround?

@monwolf (Author)

monwolf commented Nov 26, 2021

No, I didn't find a workaround. I was waiting for @thaJeztah or @AkihiroSuda to give us some feedback.

@AkihiroSuda (Member)

Looks like a bug.

Slightly kinda "enhancement", though.

@AkihiroSuda AkihiroSuda added the kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. label Nov 26, 2021