##Lab: User Namespaces
By default, the Docker daemon runs as root. This allows the daemon to create and work with the kernel structures required to start containers. However, it also presents potential security risks. This lab will walk you through implementing a more secure configuration utilizing user namespaces.
###You will complete the following steps in this lab:
- Step 1 - Daemon and container defaults
- Step 2 - The --user flag
- Step 3 - Enabling user namespaces
You will need all of the following to complete this lab:
A Linux-based Docker Host running Docker 1.10 or higher Root access on the Docker Host Note: The instructions in this lab are tailored to a Docker Host running Ubuntu 15.10. An open documented issue exists with Ubuntu 16.04 Xenial .
In this lab you learned how to start the Docker daemon with user namespace support enabled. This started the daemon in a new namespace and mapped the root user inside of the namespace to a non-privileged user outside of the user namespace. This meant that the root user within the user namespace had full access to processes and containers within that namespace, but did not have elevated permissions outside of the namespace.
You proved that the Docker daemon was running within a user namespace using the
docker info command. You saw that the root user inside of a the user namespace was unable to delete files that existed outside of the namespace.
You can refer to the following resources for more information and help:
- Docker: http://www.docker.com
You've completed your security lab: User Namespaces scenario!
Security Lab: User Namespaces Scenario
Step 1 - Daemon and container defaults
In this step you'll verify that the Docker daemon, and containers, run by default as root. You will also force a single container to run under a different security context.
You must perform this step while logged in as the ubuntu user.
ps command to verify that the Docker daemon is currently running under the root user's security context by running a command
ps aux | grep dockerd
You see the followings:
[email protected]:~$ ps aux | grep dockerd root 8715 0.0 1.0 352332 38820 ? Ssl 12:56 0:01 /usr/bin/dockerd -H fd:// ubuntu 8896 0.0 0.0 8216 2188 pts/0 S+ 13:45 0:00 grep --color=auto dockerd
The first line shows the Docker daemon (dockerd). The second line shows the
ps command you just ran. The first column of the first line shows that the Docker daemon is running as root.
Start a new container that runs the
id command by running a command
sudo docker run --rm alpine id
You see the followings:
[email protected]:~$ sudo docker run --rm alpine id Unable to find image 'alpine:latest' locally latest: Pulling from library/alpine e110a4a17941: Pull complete Digest: sha256:3dcdb92d7432d56604d4545cbd324b14e647b313626d99b889d0626de158f73a Status: Downloaded newer image for alpine:latest uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
The last line of the output above shows that the container is running as root -
This step has shown you that the Docker daemon runs as root by default. You have also seen that new containers also start as root.