mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Update security.md with basic User Namespace info.
Just some suggested wording to update this page to take account of User Namespaces being available as of 1.10. Signed-off-by: Rory McCune <rorym@mccune.org.uk>
This commit is contained in:
Rory McCune
Rory McCune
parent
a7fefcf16c
commit
c1e53ad1aa
1 changed files with 9 additions and 19 deletions
|
|
@ -243,26 +243,16 @@ with e.g., special network topologies or shared filesystems, you can
|
|||
expect to see tools to harden existing Docker containers without
|
||||
affecting Docker's core.
|
||||
|
||||
Recent improvements in Linux namespaces will soon allow to run
|
||||
full-featured containers without root privileges, thanks to the new user
|
||||
namespace. This is covered in detail [here](
|
||||
http://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/).
|
||||
Moreover, this will solve the problem caused by sharing filesystems
|
||||
between host and guest, since the user namespace allows users within
|
||||
containers (including the root user) to be mapped to other users in the
|
||||
host system.
|
||||
As of Docker 1.10 User Namespaces are supported directly by the docker
|
||||
daemon. This feature allows for the root user in a container to be mapped
|
||||
to a non uid-0 user outside the container, which can help to mitigate the
|
||||
risks of container breakout. This facility is available but not enabled
|
||||
by default.
|
||||
|
||||
Today, Docker does not directly support user namespaces, but they
|
||||
may still be utilized by Docker containers on supported kernels,
|
||||
by directly using the clone syscall, or utilizing the 'unshare'
|
||||
utility. Using this, some users may find it possible to drop
|
||||
more capabilities from their process as user namespaces provide
|
||||
an artificial capabilities set. Likewise, however, this artificial
|
||||
capabilities set may require use of 'capsh' to restrict the
|
||||
user-namespace capabilities set when using 'unshare'.
|
||||
|
||||
Eventually, it is expected that Docker will have direct, native support
|
||||
for user-namespaces, simplifying the process of hardening containers.
|
||||
Refer to the [daemon command](../reference/commandline/daemon.md#daemon-user-namespace-options)
|
||||
in the command line reference for more information on this feature.
|
||||
Additional information on the implementation of User Namespaces in Docker
|
||||
can be found in <a href="https://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/" target="_blank">this blog post</a>.
|
||||
|
||||
## Conclusions
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue