Share docker socket using user namespaces

Is it possible to use the docker socket mounted from the host inside a docker container when using user namespaces?

I have the following configuration:

/etc/subuid

    user:100000:65536

/etc/subgid

    user:100000:65536

/etc/docker/daemon.json

    {
      "userns-remap": "ns-user"
    }

I’ve created user ns-user with UID 100000 and group ns-user with GID 100000. Additionally, I’ve added ns-user to the group docker. When I log in as ns-user on the host machine I can use docker via the socket.

The problem is that when I run a container with the docker socket mounted, I get permission denied on the socket. Socket privileges inside the docker container:

    srw-rw---- 1 nobody nogroup 0 Jun 26 15:00 /var/run/docker.sock

EDIT 1:

To clarify, I thought that root (uid 0) inside the container maps to ns-user (uid 100000) on the host, which has permission to the docker socket. But in fact I get permission denied. Why?

I do not want to use the --userns=host parameter.
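Added example, not from the question or from Docker's own tooling: a shell script that interprets the id maps a userns-remapped container receives and checks them against the socket's host owner and group. The map contents match the question's ranges and the host docker gid (999) is an assumed sample value.

```shell
#!/bin/sh
# Added example, not from the question or from Docker itself. Map contents and
# the host "docker" gid are constructed; on a real system read /proc/self/uid_map
# and /proc/self/gid_map inside the container and run
# `stat -c '%u %g' /var/run/docker.sock` on the host.

# Each map line is "<first id inside container> <first host id> <count>";
# these match the question's subuid/subgid ranges.
UID_MAP="0 100000 65536"
GID_MAP="0 100000 65536"
SOCK_OWNER_UID=0      # docker.sock is typically owned by host root
SOCK_GROUP_GID=999    # constructed: the host "docker" group gid

# map_host_id MAP HOST_ID: the id as seen inside the container, or "unmapped"
# (ls shows such ids as nobody/nogroup; no in-container credential equals them).
map_host_id() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $2 && id < $2 + $3 { print $1 + id - $2; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# host_id_for MAP INSIDE_ID: the reverse lookup, e.g. which host uid container
# root (0) actually runs as.
host_id_for() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $1 && id < $1 + $3 { print $2 + id - $1; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# The kernel checks a mode-660 socket against host ids: owner uid 0, or the host
# docker gid among the process's groups. Every gid the container process carries
# (primary, supplementary, --group-add) is a container gid translated through
# GID_MAP, so ns-user's host-side membership in "docker" never reaches the
# container. Prints "allowed", "denied", or "needs-gid-N" if container gid N maps.
can_open_socket() {
    proc_uid=$(host_id_for "$UID_MAP" 0)
    docker_gid_inside=$(map_host_id "$GID_MAP" "$SOCK_GROUP_GID")
    if [ "$proc_uid" = "$SOCK_OWNER_UID" ]; then
        echo allowed
    elif [ "$docker_gid_inside" != unmapped ]; then
        echo "needs-gid-$docker_gid_inside"
    else
        echo denied
    fi
}

echo "container root runs as host uid $(host_id_for "$UID_MAP" 0)"
echo "socket group gid $SOCK_GROUP_GID inside container: $(map_host_id "$GID_MAP" "$SOCK_GROUP_GID")"
echo "access: $(can_open_socket)"
```

With the question's single 0:100000:65536 range the owner (0) and the docker gid both fall outside the map, which is exactly the nobody:nogroup listing and the permission denied the question shows.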
