Docker – How to make exceptions to Docker namespacing

dockerdocker-compose

Via /etc/docker/daemon.json, I've configured a user namespace using userns-remap. I'm trying to start a nginx-proxy container, but it requires access to the Docker socket, which requires it to be real root. The namespacing breaks this, causing an "operation not permitted" error.

Is there a way to tell Docker to not put this one individual container in the namespace? If it's possible through docker-compose, that's preferrable.

Best Answer

This problem can be solved by adding the command line option for the container in question --userns=host.

For docker-compose, the version must be 2.1 or newer. You can add userns_mode: 'host' to the relevant service definition.

Related Solutions

Nginx – Using networks in Docker Compose file

Actually it was the quote : I set the environment variable for the db with quotes, that are escaped by phpmyadmin, so instead of connecting to host db it tries to connect to 'db' :

- PMA_HOST='db'

It should be :

- PMA_HOST=db

That was a pretty lame problem, but the whole thing about networks in Compose isn't too clear, and I hope that finally getting a working conf will help others.

Nginx in front of docker swarm services

I'd recommend swapping out the statically defined nginx reverse proxy for traefik which is swarm aware and can dynamically reconfigure itself as services are deployed and destroyed.

Here's a sample implementation:

create a network for the traefik to talk to containers: docker network create proxy
Make a traefik.toml, here's an example:

traefik.toml

accessLogsFile = "/proc/1/fd/1"
defaultEntryPoints = ["http"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
[web]
address = ":8080"
[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "localhost"
watch = true
swarmmode = true
constraints = ["tag==frontend"]

Sample compose file for traefik:

docker-compose.traefik.yml

version: '3'

networks:
  proxy:
    external:
      name: proxy

services:
  traefik:
    image: traefik:latest
    volumes:
    - ./traefik.toml:/etc/traefik/traefik.toml:ro
    - /var/run/docker.sock:/var/run/docker.sock
    ports:
    - 80:80
    - 8080:8080
    networks:
    - proxy
    restart: unless-stopped

Configure your app with labels and on the same network.

docker-compose.app.yml

version: '3'

networks:
  proxy:
    external: true

services:
  webtest:
    image: nginx:latest
    networks:
    - default
    - proxy
    labels:
    - traefik.frontend.rule=PathPrefixStrip:/webtest
    - traefik.port=80
    - traefik.docker.network=proxy
    - traefik.tags=frontend
    restart: unless-stopped

The rule above uses path prefixes for the container for simplicity, but you can use any rule you prefer to proxy your application.

Best Answer

Related Solutions

Nginx – Using networks in Docker Compose file

Nginx in front of docker swarm services

Related Topic