@@ -31,6 +31,49 @@ if ! whoami &> /dev/null; then
3131 echo " ${USER_NAME:- user} :x:$( id -u) :0:${USER_NAME:- user} user:${HOME} :/bin/bash" >> /etc/passwd
3232 echo " ${USER_NAME:- user} :x:$( id -u) :" >> /etc/group
3333 fi
34+
35+ # Try to detect if we are running in a user namespace and if so, update /etc/subuid and /etc/subgid files.
36+ # The user namespace is created when `UserNamespacesSupport` feature is enabled and `hostUsers` is set to false in Pod spec.
37+ # Typical output of `/proc/self/uid_map`:
38+ # 1. When NOT running in a user namespace:
39+ # 0 0 4294967295
40+ # 2. When running in a user namespace:
41+ # 0 1481179136 65536
42+ # or
43+ # 0 1000 1
44+ # 1 1001 64535
45+ # For more details see:
46+ # - https://man7.org/linux/man-pages/man7/user_namespaces.7.html
47+ # - https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
48+ # - https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
49+ # - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/
50+ if [ -f /proc/self/uid_map ]; then
51+ if ! grep -q ' ^\s*0\s\+0\s\+\([2-9]\|[1-9][0-9]\+\)' /proc/self/uid_map; then
52+ echo " Running in a user namespace, user id: $( id -u) "
53+ # By default, the valid UIDs/GIDs is the range 0-65535
54+ # Update /etc/subuid and /etc/subgid to reflect that.
55+ if [ " $( id -u) " -lt 65536 ]; then
56+ USER_NAME=$( whoami)
57+ START_ID=$(( $(id - u) + 1 ))
58+ END_ID=$(( 65536 - ${START_ID} ))
59+ ID_RANGE=" ${USER_NAME} :${START_ID} :${END_ID} "
60+
61+ if [ -w /etc/subuid ]; then
62+ echo " ${ID_RANGE} " > /etc/subuid
63+ echo " /etc/subuid updated"
64+ fi
65+ if [ -w /etc/subgid ]; then
66+ echo " ${ID_RANGE} " > /etc/subgid
67+ echo " /etc/subgid updated"
68+ fi
69+ fi
70+ else
71+ echo " Not running in a user namespace"
72+ echo " /proc/self/uid_map content: $( cat /proc/self/uid_map) "
73+ fi
74+ else
75+ echo " /proc/self/uid_map not found, cannot determine if running in a user namespace"
76+ fi
3477fi
3578
3679source kubedock_setup
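Review bot: The range written to /etc/subgid on the `echo " ${ID_RANGE} " > /etc/subgid` line is computed from `id -u` and a hard-coded 65536, so it ignores the group mapping entirely: a user namespace maps gids through `/proc/self/gid_map` independently of uids, and the 65536 size is only the default, so the entry can claim ids that are not mapped into the namespace and `newuidmap`/`newgidmap` will then reject it. Derive the count from the sum of the third column of the respective map file and use `id -g` for the subgid entry, as below. The START_ID line also reads `$(id - u)` with a space before `u`; if that is not a rendering artifact it is a broken `id` invocation rather than `id -u`. The enclosing `if ! whoami &> /dev/null` block opens before this hunk, so note that the detection only runs when the user was not already present in /etc/passwd.
```shell
        if [ "$(id -u)" -lt 65536 ]; then
            USER_NAME=$(whoami)
            # Mapped size of each namespace = sum of the "count" column of its map file.
            UID_MAPPED=$(awk '{ s += $3 } END { print s + 0 }' /proc/self/uid_map)
            GID_MAPPED=$(awk '{ s += $3 } END { print s + 0 }' /proc/self/gid_map)
            UID_START=$(( $(id -u) + 1 ))
            GID_START=$(( $(id -g) + 1 ))
            UID_RANGE="${USER_NAME}:${UID_START}:$(( UID_MAPPED - UID_START ))"
            GID_RANGE="${USER_NAME}:${GID_START}:$(( GID_MAPPED - GID_START ))"
            # … unchanged: writes to /etc/subuid and /etc/subgid, using UID_RANGE and GID_RANGE respectively …
```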