Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
Enable userns by default #38795
Posting this for discussion.
This is a huge boost to default security.
requested review from
Feb 25, 2019
RHEL/CentOS: We can check the setting (it's in /proc/sys/kernel somewhere if I remember correctly) and handle/warn accordingly (
k8s: I think there is likely to be issues for many people (not just k8s), which we can try to mitigate through various things (fuse), but ultimately this is why the flag to disable is there. We just need to make more noise on whatever release this default changes so people can make the required configurations before deploying new systems with the new version.
@@ Coverage Diff @@ ## master #38795 +/- ## ========================================= Coverage ? 36.41% ========================================= Files ? 614 Lines ? 45908 Branches ? 0 ========================================= Hits ? 16719 Misses ? 26900 Partials ? 2289
Looks like there's some issues with the plugin tests with userns.
I've also added a 2nd commit for testing purposes... it does uid/gid mapping for bind mounts into the container's ID space using https://github.com/cpuguy83/idmapfs
Looks like docker-py tests are using viex/sshfs which is mounting /var/lib/docker/plugins, which doesn't exist for userns (because it's under