Difficulty: Beginner
Estimated Time: 10 minutes

In this scenario you'll learn how to configure User Namespaces to add additional user isolation and remap container root users to non-privileged users on the host machine.

User Namespaces

Step 1 - Identify current Docker user

By default, the Docker Daemon runs as the root user on the host. By listing all the processes on the box, you can identify which user the Docker Daemon runs as.

ps aux | grep docker

As a result of the Daemon running as root, any containers started will have the same security context as the host's root user.

docker run --rm alpine id

This has the side effect that if files owned by the root user are accessible from the container, they can be modified by the running container.

Task

The following commands demonstrate the risk of running containers as the root user.

First, create a copy of the touch command on our host.

sudo cp /bin/touch /bin/touch.bak && ls -lha /bin/touch.bak

Because the container is both root inside the container and on the host, the file can be removed.

docker run -it -v /bin/:/host/ alpine rm -f /host/touch.bak

As a result, the command no longer exists.

ls -lha /bin/touch.bak

In this case, the container is capable of deleting the touch binary from the host.
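
Whether a container's root is the host's root can be read from the uid_map of the container's process, which is what user namespace remapping changes. The script below is an added example, not part of the original scenario: it parses uid_map text and reports what container UID 0 corresponds to on the host. The two sample maps are constructed, and the function names and the 100000 subordinate UID start are assumptions.

```shell
#!/bin/sh
# Added example (not from the original scenario).
# uid_map line format: <first UID inside namespace> <first UID on host> <count>

# Constructed sample: no user namespace remapping (identity mapping).
DEFAULT_MAP='         0          0 4294967295'
# Constructed sample: remapped daemon; 100000 is an assumed subordinate UID start.
REMAPPED_MAP='         0     100000      65536'

# host_uid_for <uid>: reads uid_map text on stdin, prints the host UID that
# <uid> inside the namespace maps to, or "unmapped" if no range covers it.
host_uid_for() {
    awk -v uid="$1" '
        NF == 3 && uid >= $1 && uid < $1 + $3 {
            printf "%d\n", $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }
    '
}

# classify_root: reads uid_map text on stdin and reports what container UID 0 is
# on the host: "host-root", "remapped" or "unmapped".
classify_root() {
    case "$(host_uid_for 0)" in
        0)        echo "host-root" ;;
        unmapped) echo "unmapped" ;;
        *)        echo "remapped" ;;
    esac
}

# check_container <name-or-id>: same check against a running container.
# Needs Docker and read access to /proc/<pid>/uid_map (run as root).
check_container() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
    classify_root < "/proc/$pid/uid_map"
}

echo "default:  $(printf '%s\n' "$DEFAULT_MAP" | classify_root)"
echo "remapped: $(printf '%s\n' "$REMAPPED_MAP" | classify_root)"
```

A result of "host-root" means files owned by root on a mounted host path are writable from the container, as in the task above.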