Run weave with userns
Following best practices for bastion Docker hosts in production, a year ago we implemented user namespaces and user remap.
We would also like to implement an overlay network, and Weave seems to fit our use case pretty well. I tried to launch it as follows:
docker run --rm --userns=host --privileged --net host -v /var/run/docker.sock:/var/run/docker.sock --pid host -v /:/host -e HOST_ROOT=/host -e DOCKERHUB_USER=weaveworks -e WEAVE_VERSION -e WEAVE_DEBUG -e WEAVE_DOCKER_ARGS -e WEAVE_PASSWORD -e WEAVE_PORT -e WEAVE_HTTP_ADDR -e WEAVE_STATUS_ADDR -e WEAVE_CONTAINER_NAME -e WEAVE_MTU -e WEAVE_NO_FASTDP -e WEAVE_NO_BRIDGED_FASTDP -e DOCKER_BRIDGE -e DOCKER_CLIENT_HOST= -e DOCKER_CLIENT_ARGS -e PROXY_HOST=127.0.0.1 -e COVERAGE -e CHECKPOINT_DISABLE -e AWSVPC weaveworks/weaveexec:2.8.1 --local launch --no-restart --ipalloc-range=
I get:
unable to create container: API error (400): privileged mode is incompatible with user namespaces. You must run the container in the host namespace when running privileged mode
The only way I found to run this container is by removing the --net flag; I also tried the --network flag, but the same thing happens. As expected, the container can't run without the host network.
I saw older issues that are pretty similar:
https://github.com/weaveworks/weave/issues/3662
https://github.com/weaveworks/weave/issues/2755
I also opened an issue in moby: https://github.com/moby/moby/issues/42846, but I got no response there either. Has anyone achieved this?