User Namespaces is officially added to Docker ver. 1.10, which allows the host system to map its own
gid to some different
gid for containers' processes. This is a big improvement in Docker's security. So I will show an example of the problem that User Namespaces can resolve, and then show how to enable it.
Creating a Docker Machine
If you already have a docker machine to try out the User Namaspaces, you can skip this step. I'm using Docker Toolbox on my Macbook, so I simply create a Docker Machine on VirutalBox with
docker-machine command (e.g. hostname=
# Create host1 $ docker-machine create --driver virtualbox host1 # Login to host1 $ docker-machine ssh host1
Understanding what a non-root user can do if User Namespaces is not enabled
Before setting up User Namespaces, let's see what the problem is. What was actually wrong with Docker? First of all, one of the great benefits on using Docker is that user can have root privilege on containers so that user can easily install software packages. But this is like a double-edged sword in Linux container technology. With some little twist, non-root user can get root access to, for instance,
/etc of the host system. Here's how to do it.
# Run a container and mount host1's /etc onto /root/etc $ docker run --rm -v /etc:/root/etc -it ubuntu # Make some change on /root/etc/hosts root@34ef23438542:/# vi /root/etc/hosts # Exit from the container root@34ef23438542:/# exit # Check /etc/hosts $ cat /etc/hosts
As you can see, it is surprizingly easy, and it's obvious that Docker wasn't designed for shared computers. But now, with the User Namespaces, Docker lets you avoid this problem.
Enabling User Namespaces
# Create a user called "dockremap" $ sudo adduser dockremap # Setup subuid and subgid $ sudo sh -c 'echo dockremap:500000:65536 > /etc/subuid' $ sudo sh -c 'echo dockremap:500000:65536 > /etc/subgid'
And then, open
/etc/init.d/docker, and add
--userns-remap=default next to
/usr/local/bin/docker daemon like this:
$ sudo vi /etc/init.d/docker : : /usr/local/bin/docker daemon --userns-remap=default -D -g "$DOCKER_DIR" -H unix:// $DOCKER_HOST $EXTRA_ARGS >> "$DOCKER_LOGFILE" 2>&1 & : :
And restart Docker:
$ sudo /etc/init.d/docker restart
Note: If you're using CentOS 7, there are two things you need to know.
1. User Namespaces is not enabled on the kernel by default. You can enable it by executing the following command and restart the system.
sudo grubby --args="user_namespace.enable=1" \ --update-kernel=/boot/vmlinuz-3.10.0-XXX.XX.X.el7.x86_64
2. CentOS 7 uses systemctl to manage services, so the file you need to edit is
Checking if User Namespaces is working properly
If everything's set properly, you shouldn't be able to edit host1's
/etc from a container. So let's check it out.
# Create a container and mount host1's /etc to container's /root/etc $ docker run --rm -v /etc:/root/etc -it ubuntu # Check the owner of files in /root/etc, which should be "nobody nogroup". root@d5802c5e670a:/# ls -la /root/etc total 180 drwxr-xr-x 11 nobody nogroup 1100 Mar 21 23:31 . drwx------ 3 root root 4096 Mar 21 23:50 .. lrwxrwxrwx 1 nobody nogroup 19 Mar 21 23:07 acpi -> /usr/local/etc/acpi -rw-r--r-- 1 nobody nogroup 48 Mar 10 22:09 boot2docker drwxr-xr-x 2 nobody nogroup 60 Mar 21 23:07 default : : # Try creating a file in /root/etc root@d5802c5e670a:/# touch /root/etc/test touch: cannot touch '/root/etc/test': Permission denied # Try deleting a file root@d5802c5e670a:/# rm /root/etc/hostname rm: cannot remove '/root/etc/hostname': Permission denied
Okay, great. This is how User Namespaces works.
- User namespaces have arrived in Docker!
- Docker Engine 1.10 Security Improvements
- Docker and --userns-remap, how to manage volume permissions to share data between host and container?
- Docker does not start containers in CentOS when user namespaces activated
- What’s Next for Containers? User Namespaces