
Support user Docker userns-remap #63

Merged: 1 commit merged into master from feat/user-docker-on-user-ns on Feb 19, 2021

Conversation

olljanat (Member) commented Feb 18, 2021

It is possible to run containers in a user namespace, which improves security: https://docs.docker.com/engine/security/userns-remap/

This PR includes all needed prerequisites so users can enable that feature easily by just running:

```
sudo ros config set rancher.docker.userns_enabled true
sudo reboot
```

Functionality can be verified by starting some container as the root user:

```
docker run -d --rm -u root --name nginx -p 80:80 nginx
```

and then checking the processes. The UID is 100000 instead of root when this feature is enabled:

```
$ ps -Af | grep nginx
100000    1956  1936  0 17:41 ?        00:00:00 nginx: master process nginx -g daemon off;
100101    2018  1956  0 17:41 ?        00:00:00 nginx: worker process
```

Another nice way is to mount the root file system inside a container and try to write to it. It is read-only when this feature is enabled:

```
docker run -it -v /:/host bash bash
$ touch /host/test
touch: /host/test: Permission denied
```

This will also need to be changed in https://github.com/burmilla/burmilla.github.io/blob/master/content/docs/configuration/docker/_index.md
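The verification above eyeballs `ps` output and a failed `touch`. A more direct check reads the kernel's own record of the mapping, `/proc/<pid>/uid_map`, whose lines have the form `<uid inside the namespace> <uid on the host> <length of the range>`. The script below is an added example for this thread, not code from BurmillaOS, RancherOS or this PR; the two sample maps are constructed (the remapped one mirrors the `100000` base UID shown in the comment, the identity one is what an unremapped container shows), and the function names, the 65536-entry range and the `docker inspect` lookup in `check_container` are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the BurmillaOS project or PR #63): decide whether a
# container's root is remapped to an unprivileged host UID by resolving UIDs
# through the kernel's /proc/<pid>/uid_map rather than reading `ps` by eye.
#
# uid_map lines are: <uid-inside-namespace> <uid-on-host> <range-length>

# Resolve a container-side UID ($1) to the host UID, reading a uid_map on stdin.
# Prints the host UID and returns 0; returns 1 and prints nothing if unmapped.
host_uid_for() {
    cuid="$1"
    while read -r inside outside length; do
        [ -z "$inside" ] && continue          # skip blank lines
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + length)) ]; then
            echo $((outside + cuid - inside))
            return 0
        fi
    done
    return 1
}

# True (exit 0) when container root (uid 0) lands on a non-zero host uid,
# i.e. userns-remap is in effect for the process whose uid_map is on stdin.
userns_remapped() {
    h=$(host_uid_for 0) || return 1            # root not mapped at all
    [ "$h" -ne 0 ]
}

# Constructed sample maps (not captured from a real host).
# Remapped container: root -> 100000, with a 65536-wide subordinate range.
REMAPPED_MAP="         0     100000      65536"
# Unremapped container: identity mapping, root stays host root.
IDENTITY_MAP="         0          0 4294967295"

# Live check against a running container by name, e.g. `check_container nginx`.
# Uses `docker inspect` to find the container's init PID on the host.
check_container() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 2
    printf 'container %s: uid 0 -> host uid %s\n' \
        "$1" "$(host_uid_for 0 < /proc/"$pid"/uid_map)"
    userns_remapped < /proc/"$pid"/uid_map
}
```

With the remapped sample map, `host_uid_for 0` yields `100000` and `host_uid_for 101` yields `100101`, matching the master and worker UIDs in the `ps` listing above; with the identity map `userns_remapped` fails. Independently of any container, `docker info --format '{{.SecurityOptions}}'` lists `name=userns` when the daemon is running with remapping enabled.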

tomaswarynyca (Collaborator) left a comment:

Good contribution!

@tomaswarynyca tomaswarynyca merged commit 0c950bd into master Feb 19, 2021
@tomaswarynyca tomaswarynyca deleted the feat/user-docker-on-user-ns branch February 19, 2021 12:38
olljanat added a commit that referenced this pull request Apr 9, 2021
olljanat added a commit that referenced this pull request Apr 9, 2021
@olljanat olljanat mentioned this pull request Apr 9, 2021
olljanat added a commit that referenced this pull request Apr 11, 2021
* Bump up kernel to 4.14.229

* Support user Docker userns-remap (#63)
Labels: None yet
Projects: None yet
2 participants