Using User Namespaces

User Namespaces are officially available as of Docker 1.10. They allow you to isolate a container's root (super user) from the host's root, so regular users can use Docker on a shared computer with much improved security.

Configuring User Namespaces

Step 0. I'm using boot2docker on Mac with VirtualBox. I create a Docker Machine (e.g. test1) and log in to it.

docker-machine create --driver virtualbox test1
docker-machine ssh test1

Step 1. Create a user named dockremap (set the password as you like).

sudo adduser dockremap

Step 2. Set up subuid and subgid.

sudo sh -c 'echo dockremap:500000:65536 > /etc/subuid'
sudo sh -c 'echo dockremap:500000:65536 > /etc/subgid'

Step 3. Open /etc/init.d/docker with an editor (e.g. vi) and add --userns-remap=default right after /usr/local/bin/docker daemon. The line should look like the one below.

sudo vi /etc/init.d/docker
 :
 :
/usr/local/bin/docker daemon --userns-remap=default -D -g "$DOCKER_DIR" -H unix:// $DOCKER_HOST $EXTRA_ARGS >> "$DOCKER_LOGFILE" 2>&1 &
 :
 :

Step 4. Restart Docker.

sudo /etc/init.d/docker restart

If everything was done correctly, mounting the host's /etc into a container should show its owner as nobody nogroup, and you cannot edit or delete any file in the directory.
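Why the host's files show up as nobody nogroup: an added example (not part of the original post) that models the uid mapping the daemon derives from the /etc/subuid line written in Step 2. The sample subuid text is constructed, and 65534 is assumed to be the kernel's overflow id that ls prints as nobody/nogroup.

```python
OVERFLOW_ID = 65534  # assumed overflow uid/gid; ls shows it as nobody/nogroup

# Constructed sample: the same line Step 2 writes to /etc/subuid.
SUBUID_TEXT = "dockremap:500000:65536\n"


def parse_subid(text, user):
    """Parse subuid/subgid lines of the form name:start:count for one user."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_map(ranges):
    """Lay the ranges out from container id 0, as /proc/<pid>/uid_map does:
    each entry is (inside_start, outside_start, count)."""
    entries, inside = [], 0
    for start, count in ranges:
        entries.append((inside, start, count))
        inside += count
    return entries


def container_to_host(entries, cid):
    """Host id that a container id really is, or None if it is unmapped."""
    for inside, outside, count in entries:
        if inside <= cid < inside + count:
            return outside + (cid - inside)
    return None


def host_to_container(entries, hid):
    """How a host-owned id looks from inside; unmapped ids become OVERFLOW_ID."""
    for inside, outside, count in entries:
        if outside <= hid < outside + count:
            return inside + (hid - outside)
    return OVERFLOW_ID


def demo():
    """Container root is host uid 500000; host root's files look like nobody."""
    entries = build_map(parse_subid(SUBUID_TEXT, "dockremap"))
    return entries, container_to_host(entries, 0), host_to_container(entries, 0)
```

Because container root is really host uid 500000 and /etc is owned by host uid 0, the touch and rm in the testing steps are refused just like any other unprivileged user's would be.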

The following is an example that mounts the host's /etc on the container's /root/etc.

Testing User Namespaces

Step 1. Create a container, mounting the host's /etc on /root/etc.

docker run --rm -v /etc:/root/etc -it ubuntu

Step 2. Confirm that the owner of /root/etc is nobody nogroup.

root@d5802c5e670a:/# ls -la /root/etc
total 180
drwxr-xr-x 11 nobody nogroup  1100 Mar 21 23:31 .
drwx------  3 root   root     4096 Mar 21 23:50 ..
lrwxrwxrwx  1 nobody nogroup    19 Mar 21 23:07 acpi -> /usr/local/etc/acpi
-rw-r--r--  1 nobody nogroup    48 Mar 10 22:09 boot2docker
drwxr-xr-x  2 nobody nogroup    60 Mar 21 23:07 default
 :
 :

Step 3. Try creating a file named test in /root/etc; it is refused.

root@d5802c5e670a:/# touch /root/etc/test
touch: cannot touch '/root/etc/test': Permission denied

Step 4. Try deleting hostname; it is refused as well.

root@d5802c5e670a:/# rm /root/etc/hostname
rm: cannot remove '/root/etc/hostname': Permission denied

One drawback is that you can no longer use volumes in the usual way. But this is a huge security improvement.

Reference