Difficulty: Intermediate
Estimated Time: 10 minutes

## Lab: User Namespaces

By default, the Docker daemon runs as root. This allows the daemon to create and work with the kernel structures required to start containers. However, it also presents potential security risks. This lab will walk you through implementing a more secure configuration utilizing user namespaces.

### You will complete the following steps in this lab:

  • Step 1 - Daemon and container defaults
  • Step 2 - The --user flag
  • Step 3 - Enabling user namespaces

Prerequisites

You will need all of the following to complete this lab:

  • A Linux-based Docker Host running Docker 1.10 or higher
  • Root access on the Docker Host

Note: The instructions in this lab are tailored to a Docker Host running Ubuntu 15.10. An open documented issue exists with Ubuntu 16.04 Xenial.

Summary

In this lab you learned how to start the Docker daemon with user namespace support enabled. This started the daemon in a new namespace and mapped the root user inside of the namespace to a non-privileged user outside of the user namespace. This meant that the root user within the user namespace had full access to processes and containers within that namespace, but did not have elevated permissions outside of the namespace.

You proved that the Docker daemon was running within a user namespace using the docker info command. You saw that the root user inside of the user namespace was unable to delete files that existed outside of the namespace.

Additional Resources

You can refer to the following resources for more information and help:


Security Lab: User Namespaces Scenario


Step 1 - Daemon and container defaults

In this step you'll verify that the Docker daemon, and containers, run by default as root. You will also force a single container to run under a different security context.

You must perform this step while logged in as the ubuntu user.

Task

Use the ps command to verify that the Docker daemon is currently running under the root user's security context by running the following command:

ps aux | grep dockerd

You see the following:

   $ ps aux | grep dockerd
   root      8715  0.0  1.0 352332 38820 ?        Ssl  12:56   0:01 /usr/bin/dockerd -H fd://
   ubuntu    8896  0.0  0.0   8216  2188 pts/0    S+   13:45   0:00 grep --color=auto dockerd

The first line shows the Docker daemon (dockerd). The second line shows the grep process from the command you just ran. The first column of the first line shows that the Docker daemon is running as root.

Task

Start a new container that runs the id command by running the following command:

sudo docker run --rm alpine id

You see the following:

   $ sudo docker run --rm alpine id
   Unable to find image 'alpine:latest' locally
   latest: Pulling from library/alpine
   e110a4a17941: Pull complete
   Digest: sha256:3dcdb92d7432d56604d4545cbd324b14e647b313626d99b889d0626de158f73a
   Status: Downloaded newer image for alpine:latest
   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

The last line of the output above shows that the container is running as root - uid=0(root) and gid=0(root).

This step has shown you that the Docker daemon runs as root by default. You have also seen that new containers start as root.
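
Whether uid=0 inside a container is also uid 0 on the host depends on the user namespace mapping that the Summary describes. The following is an added example, not part of the original lab: it translates a container UID to the host UID using the kernel's uid_map line format. The function names and both sample maps are constructed for illustration, and the 100000/65536 range is an assumed subordinate UID range.

```shell
#!/bin/sh
# Added example (not from the lab). Translates a UID seen inside a container
# to the host UID, using the kernel's uid_map line format:
#   <first-uid-inside> <first-uid-on-host> <count>

# Constructed sample maps, in the shape of /proc/<pid>/uid_map.
DEFAULT_MAP='         0          0 4294967295'   # no remapping: identity map
REMAPPED_MAP='         0     100000      65536'  # assumed subordinate range

# host_uid MAP INSIDE_UID
# Prints the host UID; prints "unmapped" and returns 1 if no range covers it.
host_uid() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid + 0 >= $1 + 0 && uid + 0 < $1 + $3 {
            printf "%d\n", $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# root_maps_to_host_root MAP
# Succeeds when UID 0 inside the namespace is also UID 0 on the host.
root_maps_to_host_root() {
    [ "$(host_uid "$1" 0)" = "0" ]
}

for map in "$DEFAULT_MAP" "$REMAPPED_MAP"; do
    if root_maps_to_host_root "$map"; then
        echo "container root is host root (uid 0)"
    else
        echo "container root is host uid $(host_uid "$map" 0)"
    fi
done

# Against a real container (<container> is a placeholder):
#   pid=$(sudo docker inspect --format '{{.State.Pid}}' <container>)
#   host_uid "$(sudo cat /proc/$pid/uid_map)" 0
```

With the identity map, a process that is root in the container is root on the host. With the remapped range, the same process is an unprivileged host UID, and UIDs outside the range have no host identity at all.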