-
Notifications
You must be signed in to change notification settings - Fork 18.6k
-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Having non-root privileges on the host and root inside the container #2918
Comments
+1 Anyone has an idea at least of the modifications required for docker to work with the |
IIRC user namespace is not properly supported in "older" kernel (pre 3.10?). /cc @jpetazzo |
Latest kernel from last weekend (3.14.1) is needed for this to work properly. I was hitting a kernel regression with mounting proc earlier, which is now fixed. With that latest kernel, some manual configuration and quick/dirty changes (mostly) to container.start, I am able to run bash as root in the container but UID 100000 on my CentOS 6.5 host. My usage model is as follows. A set of UID ranges from the host are mapped into the container through a new option to docker run.
The process will then run with a virtual UID as specified by The key change is to translate UIDs and GIDs on all files in the container to their virtual values and adjust permissions of a few global directories so that the process won't stumble on missing root privileges on the host. Traversing the entire container file system does take some time. As an optimization, its worth committing those changes back to the image and adding a flag so that UID translation doesn't have to be repeated the next time. |
This exposes UID namespace support. A new command line option (--uidmap) maps a set of virtual UIDs to which the application within the container is confined. The application could potentially be the root in the container but unprivileged on the host. Addresses issue moby#2918 Docker-DCO-1.1-Signed-off-by: Dinesh Subhraveti <dineshs@altiscale.com> (github: dineshs-altiscale)
This exposes UID namespace support. A new command line option (--uidmap) maps a set of virtual UIDs to which the application within the container is confined. The application could potentially be the root in the container but unprivileged on the host. Addresses issue moby#2918 Docker-DCO-1.1-Signed-off-by: Dinesh Subhraveti <dineshs@altiscale.com> (github: dineshs-altiscale)
Any update on this? A namespace change isn't going to help users stuck on legacy hosts. Speed isn't an issue. It could run 100x slower and still be useful. |
duplicate of #7906 |
Could this have label project/security added? |
I don't see how this is a duplicate of #7906 though there are some connection. I try to do exactly that, run a docker daemon inside a namespace sandbox and it does not work. With docker 10rc2, I get the following log:
You can obviously run a docker daemon inside a docker container in priviledged mode but that does not help in running the docker daemon without requiring root privilege. If that bug is really resolved, is there any description somewhere on how to do it? |
@damienmg What happens if you mount a cgroups hierarchy before starting docker? |
Same thing, wether I do the mount inside or outside the namespace sandbox |
Sorry in advance for a maybe stupid question: For what I understand reading this discussion and #15187 with the advent of user namespaces in Docker 1.9 the problem of having files owned by Files still owned by root on a mounted volumeNow, I run docker-engine 1.11.2 and docker-compose 1.7.1. And the files that the Docker container of my (Python) application generates in the mounted volume of the container (e.g. Is this a different issue, or am I missing something? |
@bittner have you enabled user namespaces? They are not enabled by default. However, they do not yet fix all the issues with ownership, there is still work going on upstream in the kernel to make a better solution. |
This issue is for discussion of one of the two halves of #1034 ("taking advantage of
CONFIG_USER_NS
").With user namespaces, docker could have ordinary user privileges on the host but think that they have root privileges inside the container.
xref #503 (comment)
The text was updated successfully, but these errors were encountered: