mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Update security.md with basic User Namespace info.
Just some suggested wording to update this page to take account of User Namespaces being available as of 1.10. Signed-off-by: Rory McCune <rorym@mccune.org.uk>
This commit is contained in:
parent
a7fefcf16c
commit
c1e53ad1aa
1 changed file with 9 additions and 19 deletions
|
@ -243,26 +243,16 @@ with e.g., special network topologies or shared filesystems, you can
|
||||||
expect to see tools to harden existing Docker containers without
|
expect to see tools to harden existing Docker containers without
|
||||||
affecting Docker's core.
|
affecting Docker's core.
|
||||||
|
|
||||||
Recent improvements in Linux namespaces will soon allow to run
|
As of Docker 1.10 User Namespaces are supported directly by the docker
|
||||||
full-featured containers without root privileges, thanks to the new user
|
daemon. This feature allows for the root user in a container to be mapped
|
||||||
namespace. This is covered in detail [here](
|
to a non uid-0 user outside the container, which can help to mitigate the
|
||||||
http://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/).
|
risks of container breakout. This facility is available but not enabled
|
||||||
Moreover, this will solve the problem caused by sharing filesystems
|
by default.
|
||||||
between host and guest, since the user namespace allows users within
|
|
||||||
containers (including the root user) to be mapped to other users in the
|
|
||||||
host system.
|
|
||||||
|
|
||||||
Today, Docker does not directly support user namespaces, but they
|
Refer to the [daemon command](../reference/commandline/daemon.md#daemon-user-namespace-options)
|
||||||
may still be utilized by Docker containers on supported kernels,
|
in the command line reference for more information on this feature.
|
||||||
by directly using the clone syscall, or utilizing the 'unshare'
|
Additional information on the implementation of User Namespaces in Docker
|
||||||
utility. Using this, some users may find it possible to drop
|
can be found in <a href="https://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/" target="_blank">this blog post</a>.
|
||||||
more capabilities from their process as user namespaces provide
|
|
||||||
an artificial capabilities set. Likewise, however, this artificial
|
|
||||||
capabilities set may require use of 'capsh' to restrict the
|
|
||||||
user-namespace capabilities set when using 'unshare'.
|
|
||||||
|
|
||||||
Eventually, it is expected that Docker will have direct, native support
|
|
||||||
for user-namespaces, simplifying the process of hardening containers.
|
|
||||||
|
|
||||||
## Conclusions
|
## Conclusions
|
||||||
|
|
||||||
|
|