beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #30553 from lewisdaly/21050-improve-user-namespace-docs

Browse source 
Updated dockerd docs with note about user namespaces
(cherry picked from commit d6b1b532a1)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2017-02-03 19:48:06 -08:00 committed by Sebastiaan van Stijn
parent 492f2ab8fe
commit 84f026ba7e
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
docs/reference/commandline/dockerd.md
View file

@ -994,6 +994,19 @@ with user namespaces enabled or not. If the daemon is configured with user
namespaces, the Security Options entry in the response will list "userns" as
one of the enabled security features.
#### Behavior differences when user namespaces are enabled
When you start the Docker daemon with `--userns-remap`, Docker segregates the graph directory
where the images are stored by adding an extra directory with a name corresponding to the
remapped UID and GID. For example, if the remapped UID and GID begin with `165536`, all
images and containers running with that remap setting are located in `/var/lib/docker/165536.165536`
instead of `/var/lib/docker/`.
In addition, the files and directories within the new directory, which correspond to
images and container layers, are also owned by the new UID and GID. To set the ownership
correctly, you need to re-pull the images and restart the containers after starting the
daemon with `--userns-remap`.
### Detailed information on `subuid`/`subgid` ranges
Given potential advanced use of the subordinate ID ranges by power users, the