SONiC namespace remap HLD

[maipbui]

SONiC containers are run with root user privileges by default. User IDs (UIDs) and Group IDs (GIDs) inside a Docker container directly correspond to those on the host system. Specifically, the root user (UID 0) inside the container has the same privileges as the root user on the host.

This lack of separation can lead to further security risks, as a process that breaks out of the container with root privileges can have full control over the host system.

To mitigate these risks, this HLD implements the enablement of the user namespace remapping feature on SONiC containers. User namespace remapping allows mapping the root user in a container to a less-privileged user on the Docker host system, thereby enhancing security by limiting the potential damage of a container breakout.

Repo	PR title	State
sonic-buildimage	[database] enable userns-remap and make redis process runs as non-root user