docker: add configuration for user namespace remapping (#121)

2022-10-05 02:12:13 +02:00 · 2022-10-05 02:12:13 +02:00 · 0637eebefe
commit 0637eebefe
parent e98d249cf7
3 changed files with 10 additions and 0 deletions
--- a/config/config_docker.go
+++ b/config/config_docker.go
@ -78,6 +78,14 @@ type DockerConfiguration struct {
 	Overhead Overhead `json:"overhead" yaml:"overhead"`

 	UsePerformantInspect bool `default:"true" json:"use_performant_inspect" yaml:"use_performant_inspect"`
+
+	// Sets the user namespace mode for the container when user namespace remapping option is
+	// enabled.
+	//
+	// If the value is blank, the daemon's user namespace remapping configuration is used,
+	// if the value is "host", then the pterodactyl containers are started with user namespace
+	// remapping disabled
+	UsernsMode string `default:"" json:"userns_mode" yaml:"userns_mode"`
 }

 // RegistryConfiguration defines the authentication credentials for a given
--- a/environment/docker/container.go
+++ b/environment/docker/container.go
@ -261,6 +261,7 @@ func (e *Environment) Create() error {
 			"fowner", "fsetid", "net_bind_service", "sys_chroot", "setfcap",
 		},
 		NetworkMode: networkMode,
+		UsernsMode:  container.UsernsMode(config.Get().Docker.UsernsMode),
 	}

 	if _, err := e.client.ContainerCreate(ctx, conf, hostConf, nil, nil, e.Id); err != nil {
--- a/server/install.go
+++ b/server/install.go
@ -449,6 +449,7 @@ func (ip *InstallationProcess) Execute() (string, error) {
 		},
 		Privileged:  true,
 		NetworkMode: container.NetworkMode(config.Get().Docker.Network.Mode),
+		UsernsMode: container.UsernsMode(config.Get().Docker.UsernsMode),
 	}

 	// Ensure the root directory for the server exists properly before attempting