Support privileged with user namespaces #17409
Comments
@estesp @crosbymichael @LK4D4 ping
+1 for this, if use the
Yes, --privileged should mean disable all container separation, including user namespace.
If you want to disable some separation then you need to do --securityopt label:disabled --cap-add all. But --privileged should mean root==root
Following moby#19995 and moby#17409 this PR enables skipping userns re-mapping when creating a container (or when executing a command), thus enabling privileged containers running side by side with userns remapped containers. The feature is enabled by specifying `--userns:host`, which will not remap the user if userns are applied. If this flag is not specified, the existing behavior (which blocks specific privileged operation) remains.
Signed-off-by: Liron Levin <liron@twistlock.com>
This was fixed as far as I know.
How was this fixed? I don't seem to be able to use privileged mode with user namespaces on the latest stable release yet.
@ziermmar running However, #20111 allows you to disable userns remapping for a single container, so that you can start a privileged container if userns is enabled on the daemon. That was previously not possible, and is implemented by #20111
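The distinction the thread keeps coming back to (does root inside the container equal root on the host, or is it remapped to a subordinate range?) can be checked from the kernel's own `/proc/<pid>/uid_map`. The following is an added example, not code from this issue or from Moby: it parses that file's three-field format and classifies the mapping; the sample map contents are constructed.

```python
"""Classify a process's user-namespace mapping from uid_map/gid_map text.

Added example (not Moby code). /proc/<pid>/uid_map has one line per range:
<id inside the namespace> <id outside it> <length of range>.
An identity mapping (0 -> 0) is what an unremapped, host-userns container
gets; a line such as 0 -> 100000 is daemon-level userns remapping.
"""
from typing import List, Optional, Tuple

Mapping = Tuple[int, int, int]  # (inside_start, outside_start, count)


def parse_id_map(text: str) -> List[Mapping]:
    """Parse uid_map/gid_map text; reject malformed or empty ranges."""
    entries: List[Mapping] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        entries.append((inside, outside, count))
    return entries


def host_uid_for(entries: List[Mapping], inside_uid: int) -> Optional[int]:
    """Translate an in-namespace uid to the host uid, or None if unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def classify(text: str) -> str:
    """'host' when root==root, 'remapped' when shifted, 'unmapped' if empty."""
    entries = parse_id_map(text)
    if not entries:
        return "unmapped"  # no mapping written yet: every id shows as nobody
    if all(inside == outside for inside, outside, _ in entries):
        return "host"      # identity mapping: container root is host root
    return "remapped"


# Constructed samples: init-userns identity map vs. a remapped container
HOST_MAP = "         0          0 4294967295\n"
REMAPPED_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    with open("/proc/self/uid_map") as f:
        print("this process:", classify(f.read()))
```

Run inside a container to confirm whether it was started with userns remapping disabled (identity map) or whether the daemon's remapping applied; `host_uid_for` shows which host uid a given in-container uid actually owns.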
Ah, thanks for clearing that up! In my case, I was just missing
Currently, privileged isn't supported when user namespaces are on. However, there are many use cases where one would want to run privileged containers side by side with user namespaced containers.
How about we disable (don't apply) user namespace mappings when --privileged is passed, so we can have privilege mean the same whether user namespaces are in use or not?