Difficulty: Beginner
Estimated Time: 10 minutes

In this scenario you'll learn how to configure User Namespaces to add additional user isolation and remap container root users to non-privileged users on the host machine.

Don’t stop now! The next scenario will only take about 10 minutes to complete.

User Namespaces

Step 1 of 4

Step 1 - Identify current Docker user

By default, the Docker Daemon runs as root user on the host. By listing all the processes on the box you can identify which user the Docker Daemon runs as.

ps aux | grep docker

As a result of the Daemon running as root, any containers started will have the same security context as the host's root user.

docker run --rm alpine id

This has the side-effect that if files owned by the root user are accessible from the container, then can be modified by the running container.


The following command identifies the risk of running containers as root user. In this case the container is capable of deleting the ps binary from the host.

sudo cp /bin/touch /bin/touch.bak docker run -it -v /bin/:/host/ alpine rm -f /host/touch.bak

As a result, the command no longer exists.

ls -lha /bin/touch.bak