diff --git a/docs/security/security.md b/docs/security/security.md index ec24d879d8..9eea663788 100644 --- a/docs/security/security.md +++ b/docs/security/security.md 
@@ -243,26 +243,16 @@ with e.g., special network topologies or shared filesystems, you can expect to see tools to harden existing Docker containers without affecting Docker's core. -Recent improvements in Linux namespaces will soon allow to run -full-featured containers without root privileges, thanks to the new user -namespace. This is covered in detail [here]( -http://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/). -Moreover, this will solve the problem caused by sharing filesystems -between host and guest, since the user namespace allows users within -containers (including the root user) to be mapped to other users in the -host system. +As of Docker 1.10 User Namespaces are supported directly by the docker +daemon. This feature allows for the root user in a container to be mapped +to a non uid-0 user outside the container, which can help to mitigate the +risks of container breakout. This facility is available but not enabled +by default. -Today, Docker does not directly support user namespaces, but they -may still be utilized by Docker containers on supported kernels, -by directly using the clone syscall, or utilizing the 'unshare' -utility. Using this, some users may find it possible to drop -more capabilities from their process as user namespaces provide -an artificial capabilities set. Likewise, however, this artificial -capabilities set may require use of 'capsh' to restrict the -user-namespace capabilities set when using 'unshare'. - -Eventually, it is expected that Docker will have direct, native support -for user-namespaces, simplifying the process of hardening containers. +Refer to the [daemon command](../reference/commandline/daemon.md#daemon-user-namespace-options) +in the command line reference for more information on this feature. +Additional information on the implementation of User Namespaces in Docker +can be found in this blog post. ## Conclusions
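Review bot: the last added line ("Additional information on the implementation of User Namespaces in Docker can be found in this blog post.") refers to "this blog post" without a link, so the reader is sent nowhere; either add the markdown link or drop the sentence. While here: the hunk says the feature "is available but not enabled by default" but never says how an operator turns it on, so the paragraph reads as a pointer with no action; a one-line mention of the daemon option that enables it, next to the existing link to `daemon.md#daemon-user-namespace-options`, would make the section self-contained (and please confirm that anchor exists in the referenced file). Minor style: "non uid-0 user" should be hyphenated as "non-uid-0 user", and "User Namespaces" is capitalised here while the rest of the page uses lower-case "user namespace"; pick one. Finally, the removed text explained that mapping in-container root to an unprivileged host uid also addresses the host/guest shared-filesystem problem; the replacement keeps only the breakout-mitigation angle, so consider keeping that sentence rather than losing the point.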