On 05/19/2016 03:03 PM, Hardy Ferentschik wrote:
Hi,

On Thu, 19-May-2016 10:12, Daniel J Walsh wrote:
User namespace as you would expect it to work (container isolation) does
not work yet. User namespace can be used with docker-1.10, but only for
protecting the host from the container. All containers would run with the
same "DockerRoot".
So one thing which always surprised me is that Docker seems to recommend in its
best practices to actually change the USER -
https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
Hence, so many images on DockerHub follow this principle and each and every one
won't run out of the box on OpenShift.

Is it really so wrong? And if it is, why does Docker not change its 
recommendation?

--Hardy

Running a container as not root is what they are recommending, which we are also recommending. This has
nothing to do with user namespaces.

User namespaces are about mapping UIDs in the container to different UIDs outside of the container. For example you could map 0-1000 inside the container to 6000-7000 outside the container. This would allow you to run a container as "root"
inside the container, but if you break out you would be UID=6000.

This is supported in docker-1.10 and later but only at the daemon, not per container. We need it per container so container
1 would map 0-1000 to 6000-7000 and container 2 to 8000-9000 ...

OpenShift currently implements running a container's PID 1 as a different UID, and this is more secure than using user namespaces.
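Added illustration, not part of the thread: the mapping Dan describes is what the kernel exposes per process in /proc/&lt;pid&gt;/uid_map ("inside_start outside_start length" per line). The maps below are constructed to match his numbers and show why a single daemon-wide map cannot isolate containers from each other while per-container maps can.

```python
# Added example (not from the thread): resolve container UIDs through a
# uid_map in the /proc/<pid>/uid_map format and check whether two
# containers' host-side UID ranges collide. Maps are constructed.
from typing import List, Optional, Tuple

UidMap = List[Tuple[int, int, int]]  # (inside_start, outside_start, length)


def parse_uid_map(text: str) -> UidMap:
    """Parse uid_map/gid_map lines; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"bad length in uid_map line: {line!r}")
        entries.append((inside, outside, length))
    return entries


def to_host_uid(container_uid: int, uid_map: UidMap) -> Optional[int]:
    """Host UID that a container UID appears as, or None if unmapped
    (the kernel shows unmapped IDs as the overflow UID, normally 65534)."""
    for inside, outside, length in uid_map:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def host_ranges_overlap(a: UidMap, b: UidMap) -> bool:
    """True if any host-side UID is claimed by both maps."""
    for _, oa, la in a:
        for _, ob, lb in b:
            if oa < ob + lb and ob < oa + la:
                return True
    return False


# Constructed maps: daemon-wide remap (identical for every container)
# versus the per-container maps the thread says are needed.
DAEMON_WIDE = parse_uid_map("0 6000 1001\n")
CONTAINER_1 = parse_uid_map("0 6000 1001\n")
CONTAINER_2 = parse_uid_map("0 8000 1001\n")

if __name__ == "__main__":
    print("container root lands on host as uid", to_host_uid(0, CONTAINER_1))
    print("daemon-wide map collides:", host_ranges_overlap(DAEMON_WIDE, CONTAINER_1))
    print("per-container maps collide:", host_ranges_overlap(CONTAINER_1, CONTAINER_2))
```

With a daemon-wide map every container's root resolves to the same host UID (6000 here), so a file one container writes is owned by the other container's root too; distinct per-container ranges remove that shared identity.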

_______________________________________________
Container-tools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/container-tools
