projectatomic / docker

Docker - the open-source application container engine
http://www.docker.com
Apache License 2.0

Add better error for subuid/subgid with usernamespace #301

Closed TomSweeneyRedHat closed 6 years ago

TomSweeneyRedHat commented 6 years ago

Signed-off-by: TomSweeneyRedHat tsweeney@redhat.com

- What I did

Updated man page for dockerd to indicate that subuid and subgid files need to be created for --userns-remap and then added a little more verbiage to the errors to make it more user friendly.

- How I did it

vi is my friend.

- How to verify it

  1. Verify that both /etc/subuid and /etc/subgid are present and empty.

  2. Add --userns-remap=default to OPTIONS in /etc/sysconfig/docker.

  3. Restart docker service: 'systemctl restart docker'. Should see: dockerd-current[*]: Can't create ID mappings: No subuid ranges found for user "dockremap" in /etc/subuid

  4. Enter values into /etc/subuid via 'echo dockremap:808080:1000 >> /etc/subuid'.

  5. Restart docker service: 'systemctl restart docker'. Should see: dockerd-current[*]: Can't create ID mappings: No subgid ranges found for gid "dockremap" in /etc/subgid

  6. Enter values into /etc/subgid via 'echo dockremap:808080:1000 >> /etc/subgid'.

  7. Restart docker service: 'systemctl restart docker'. Should not see an error.

Verify 'man dockerd' has new verbiage as noted below.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1546870

- Description for the changelog

Add better error for subuid/subgid with usernamespace
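A preflight check matching the verification steps in the description above, as an added example that is not part of this pull request or of the Docker code base. It looks for a well-formed `name:start:count` entry for the remap user in both files before the daemon is restarted with --userns-remap=default. The function names `subid_ranges` and `userns_preflight` are hypothetical, and the file paths are arguments so the check can be run against test copies.

```shell
#!/bin/sh
# Added example: preflight for --userns-remap=default (not the project's code).

# subid_ranges USER FILE
# Prints "start count" for each well-formed entry belonging to USER.
# Exit status: 0 = at least one range, 1 = none found, 2 = file unreadable.
subid_ranges() {
    [ -r "$2" ] || return 2
    awk -F: -v u="$1" '
        # Entry format: name:start:count with numeric start and count >= 1.
        $1 == u && NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 + 0 > 0 {
            print $2, $3
            found = 1
        }
        END { exit !found }
    ' "$2"
}

# userns_preflight USER SUBUID_FILE SUBGID_FILE
# Returns 0 only when both files carry a usable range for USER, which is
# the condition the daemon needs in order to create its ID mappings.
userns_preflight() {
    pf_user=$1
    pf_rc=0
    for pf_file in "$2" "$3"; do
        if pf_ranges=$(subid_ranges "$pf_user" "$pf_file"); then
            echo "ok: $pf_file: $pf_user -> $pf_ranges"
        else
            echo "missing: no usable range for $pf_user in $pf_file" >&2
            pf_rc=1
        fi
    done
    return $pf_rc
}

# Run the check when called as: script USER SUBUID_FILE SUBGID_FILE
if [ "$#" -eq 3 ]; then
    userns_preflight "$@"
fi
```

Called as `sh preflight.sh dockremap /etc/subuid /etc/subgid` (the script name is a placeholder), it exits non-zero in the states that steps 3 and 5 provoke and zero after step 6.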

TomSweeneyRedHat commented 6 years ago

@jwhonce @runcom @rhatdan PTAL

rhatdan commented 6 years ago

@edsantiago PTAL

edsantiago commented 6 years ago

I agree that this approach is best bang-for-the-buck. See my comment about the man page, though: I think that should be fixed before merging. And, for the sake of being a PITA, could I ask you to edit step 6 in the comment and fix 'subuid' and 'suguid' to read 'subgid' in both cases?

TomSweeneyRedHat commented 6 years ago

@edsantiago I think I've touched up everything as you requested. Please verify and let me know if I missed anything.

edsantiago commented 6 years ago

Are links acceptable? If so, how about:

For instructions on using the "default" option, see
    https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/getting_started_with_containers/get_started_with_docker_formatted_container_images#user_namespaces_options

...and, again, yuk. (Plus, that documentation is obsolete anyway). Maybe duplicate the KB instructions?

Specifying "default" will cause a new user and group to be created [...]
If you use "default", you must manually ensure that the files /etc/subuid
and /etc/subgid contain an entry such as:

    dockremap:808080:1000

See the documentation accompanying your Red Hat Enterprise Linux distribution
for more information.

This, too, is awful. In desperation I revisited the question of updating shadow-utils but the sub*id functionality is part of a rebase (4.1->4.2) so it's probably not even worth bothering to ask.

TomSweeneyRedHat commented 6 years ago

@edsantiago PTAL, one more go at the man page.

edsantiago commented 6 years ago

LGTM. Thank you for tolerating my persnicketiness.

rhatdan commented 6 years ago

LGTM