|
|
@@ -243,26 +243,16 @@ with e.g., special network topologies or shared filesystems, you can
|
|
|
expect to see tools to harden existing Docker containers without
|
|
|
affecting Docker's core.
|
|
|
|
|
|
-Recent improvements in Linux namespaces will soon allow to run
|
|
|
-full-featured containers without root privileges, thanks to the new user
|
|
|
-namespace. This is covered in detail [here](
|
|
|
-http://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/).
|
|
|
-Moreover, this will solve the problem caused by sharing filesystems
|
|
|
-between host and guest, since the user namespace allows users within
|
|
|
-containers (including the root user) to be mapped to other users in the
|
|
|
-host system.
|
|
|
-
|
|
|
-Today, Docker does not directly support user namespaces, but they
|
|
|
-may still be utilized by Docker containers on supported kernels,
|
|
|
-by directly using the clone syscall, or utilizing the 'unshare'
|
|
|
-utility. Using this, some users may find it possible to drop
|
|
|
-more capabilities from their process as user namespaces provide
|
|
|
-an artificial capabilities set. Likewise, however, this artificial
|
|
|
-capabilities set may require use of 'capsh' to restrict the
|
|
|
-user-namespace capabilities set when using 'unshare'.
|
|
|
-
|
|
|
-Eventually, it is expected that Docker will have direct, native support
|
|
|
-for user-namespaces, simplifying the process of hardening containers.
|
|
|
+As of Docker 1.10 User Namespaces are supported directly by the docker
|
|
|
+daemon. This feature allows for the root user in a container to be mapped
|
|
|
+to a non uid-0 user outside the container, which can help to mitigate the
|
|
|
+risks of container breakout. This facility is available but not enabled
|
|
|
+by default.
|
|
|
+
|
|
|
+Refer to the [daemon command](../reference/commandline/daemon.md#daemon-user-namespace-options)
|
|
|
+in the command line reference for more information on this feature.
|
|
|
+Additional information on the implementation of User Namespaces in Docker
|
|
|
+can be found in <a href="https://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/" target="_blank">this blog post</a>.
|
|
|
|
|
|
## Conclusions
|
|
|
|
Sebastiaan van Stijn