daemon.WithCommonOptions() fix detection of user-namespaces

[thaJeztah]

Commit dae652e (#41030) added support for non-privileged containers to use ICMP_PROTO (used for ping). This option cannot be set for containers that have user-namespaces enabled.

However, the detection looks to be incorrect; HostConfig.UsernsMode was added in 6993e89 (#20111) / ee21838 (#20913), and the property only has meaning if the daemon is running with user namespaces enabled. In other situations, the property has no meaning.

As a result of the above, the sysctl would only be set for containers running with UsernsMode=host on a daemon running with user-namespaces enabled.

This patch adds a check if the daemon has user-namespaces enabled (RemappedRoot having a non-empty value) to fix the detection.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

ping @justincormack @AkihiroSuda @tianon ptal

[thaJeztah]

Looks like it's missing detection for rootless now

[thaJeztah]

Rootless looks ok now, but hitting a flaky test. Opened a ticket for that: #42739

=== FAIL: libnetwork/networkdb TestNetworkDBCRUDTableEntries (7.25s)
    networkdb_test.go:314: Entry existence verification test failed for node2(df7cec9ba2d9)
2021/08/12 11:35:37 Closing DB instances...

[thaJeztah]

Another flaky: TestBuildWCOWSandboxSize - opened #42743

[thaJeztah]

CI is green; I was trying to test some things, but ... Interesting;

Busybox:

docker run --rm -u 1000:1000 busybox ping -c1 example.com
ping: permission denied (are you root?)
PING example.com (93.184.216.34): 56 data bytes

docker run --rm busybox ls -la /bin/ping
-rwxr-xr-x  400 root     root       1149184 Jun  7 17:34 /bin/ping

Alpine:

docker run --rm -u 1000:1000 alpine ping -c1 example.com
PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: seq=0 ttl=42 time=93.436 ms

--- example.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 93.436/93.436/93.436 ms

docker run --rm alpine ls -la /bin/ping
lrwxrwxrwx    1 root     root            12 Aug  5 12:25 /bin/ping -> /bin/busybox

So the alpine image uses busybox for ping how is that in the busybox image (hardlinks?)

[thaJeztah]

Note that on docker 20.10.8, I get the same for both;

docker run --rm -u 1000:1000 busybox ping -c1 example.com
PING example.com (93.184.216.34): 56 data bytes
ping: permission denied (are you root?)

docker run --rm -u 1000:1000 alpine ping -c1 example.com
ping: permission denied (are you root?)
PING example.com (93.184.216.34): 56 data bytes

Versions of busybox are the same in both:

docker run --rm -u 1000:1000 alpine sh -c 'busybox | head -n1'
BusyBox v1.33.1 () multi-call binary.

docker run --rm -u 1000:1000 busybox sh -c 'busybox | head -n1'
BusyBox v1.33.1 (2021-06-07 17:33:50 UTC) multi-call binary.

[thaJeztah]

Tianon found this; apparently by design; https://git.alpinelinux.org/aports/tree/main/busybox/0006-ping-make-ping-work-without-root-privileges.patch?h=3.14-stable

And that patch was rejected by the busybox maintainers;

http://lists.busybox.net/pipermail/busybox/2014-January/080224.html

[thaJeztah]

With this patch, and CAP_NET_RAW removed, it works with alpine and a non-privileged user;

docker run --rm -u 1000:1000 --cap-drop CAP_NET_RAW alpine ping -c1 example.com
PING example.com (93.184.216.34): 56 data bytes
64 bytes from 93.184.216.34: seq=0 ttl=42 time=92.999 ms

--- example.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 92.999/92.999/92.999 ms

[thaJeztah]

@AkihiroSuda PTAL

[thaJeztah]

@AkihiroSuda PTAL

[AkihiroSuda]

LGTM, but would like to see an integration test too if possible

[thaJeztah]

@AkihiroSuda updated; added an integration test, PTAL

[thaJeztah]

@AkihiroSuda PTAL; this ready to merge?