User namespace support was introduced as an experimental feature last November, in Docker 1.9. Docker 1.10 finally brings it to general availability and promises enterprise-grade security hardening.
What does it mean?
The newer Docker Engine lets running containers recognize multiple user roles, binding them to the appropriate security policies. Root privileges inside the container no longer automatically give you root privileges on the host machine. It is possible to run containers without root access (though the Docker daemon itself still needs root access).
“Calling Docker 1.10 rootless is still untrue as Docker daemon still uses root privileges”
So what changed since Docker 1.9?
The most significant change is that image layers no longer sit under /var/lib/docker/x.x but are left in the root of the graph root directory, which has made upgrading to and downgrading from 1.10 easy without any major impact.
Let us see what the new Docker root directory looks like. I assume you have Docker installed on an Ubuntu or CentOS machine. If you are running an older version of Docker, you can upgrade to 1.10 with the following one-line command:
curl -fsSL https://get.docker.com/ | sh
Ensure that the Docker daemon is running with the --userns-remap=default flag enabled, as shown below:
root@dell-virtual-machine:~# docker daemon -H 10.94.214.186:5555 -H unix:///var/run/docker.sock --userns-remap=default &
[1] 7605
root@dell-virtual-machine:~# WARN[0000] /!\ DON'T BIND ON ANY IP ADDRESS WITHOUT setting -tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING /!\
INFO[0000] User namespaces: ID ranges will be mapped to subuid/subgid ranges of: dockremap:dockremap
INFO[0000] [graphdriver] using prior storage driver "aufs"
INFO[0000] Graph migration to content-addressability took 0.00 seconds
INFO[0000] Firewalld running: true
INFO[0000] Default bridge (docker0) is assigned with an IP address 172.17.0.0/16 . Daemon option --bip can be used to set a preferred IP address
WARN[0000] Your kernel does not support swap memory limit.
INFO[0000] Loading containers: start.
INFO[0000] Loading containers: done.
INFO[0000] Daemon has completed initialization
INFO[0000] Docker daemon commit=9e83765 execdriver=native-0.2 graphdriver=aufs version=1.10.1
INFO[0000] API listen on /var/run/docker.sock
INFO[0000] API listen on 10.94.214.186:5555
Let's check the process information related to Docker with the following command:
root@dell-virtual-machine:/var/lib/docker/231072.231072# ps -aef | grep docker
root 4172 1 0 Feb20 ? 00:00:00 sh -c sleep 3; apt-get update; apt-get install -y -q docker-engine
root 4240 4172 4 Feb20 ? 00:28:00 apt-get install -y -q docker-engine
root 5635 4240 0 Feb20 pts/2 00:00:00 /usr/bin/dpkg --status-fd 66 --configure docker-engine:amd64
root 7475 7152 0 08:19 pts/18 00:00:00 docker daemon -H 0.0.0.0:5555 -H unix:///var/run/docker.sock --userns-remap=default
root 7534 7152 0 08:29 pts/18 00:00:00 grep --color=auto docker
Let's check what new directory it created under /var/lib/docker:
root@dell-virtual-machine:/var/lib/docker# ls -la
total 228
drwx—–x 14 root root 4096 Feb 21 08:18 .
drwxr-xr-x 79 root root 4096 Nov 1 14:17 ..
drwx------ 9 231072 231072 4096 Feb 21 08:18 231072.231072
drwxr-xr-x 5 root root 4096 Sep 16 00:49 aufs
drwx------ 122 root root 20480 Feb 21 07:59 containers
drwx------ 3 root root 4096 Sep 16 00:49 execdriver
drwx------ 404 root root 45056 Feb 20 20:06 graph
drwx------ 3 root root 4096 Feb 20 20:34 image
drwx------ 2 root root 4096 Nov 11 21:16 init
-rw-r--r-- 1 root root 43008 Feb 20 21:10 linkgraph.db
-rw------- 1 root root 54851 Feb 20 21:10 .migration-v1-images.json
-rw-r--r-- 1 root root 0 Feb 20 21:10 .migration-v1-tags
drwxr-x--- 3 root root 4096 Nov 11 21:23 network
-rw------- 1 root root 6696 Feb 20 20:06 repositories-aufs
drwx------ 2 root root 4096 Feb 21 08:16 tmp
drwx------ 2 root root 4096 Nov 11 21:16 trust
drwx------ 3 root root 4096 Sep 16 01:19 vfs
drwx------ 54 root root 4096 Dec 6 19:18 volumes
You will find a UID.GID-specific directory (231072.231072, named after the first subordinate UID and GID of the dockremap user that the daemon reported above) created under the root of the Docker directory.
Change into that UID directory and see what the new image directory holds:
root@dell-virtual-machine:/var/lib/docker/231072.231072# ls
aufs containers image network tmp trust volumes
root@dell-virtual-machine:/var/lib/docker/231072.231072#
root@dell-virtual-machine:/var/lib/docker/231072.231072# ls -la
total 36
drwx------ 9 231072 231072 4096 Feb 21 08:18 .
drwx—–x 14 root root 4096 Feb 21 08:18 ..
drwx------ 5 231072 231072 4096 Feb 21 08:18 aufs
drwx------ 2 231072 231072 4096 Feb 21 08:18 containers
drwx------ 3 root root 4096 Feb 21 08:18 image
drwxr-x--- 3 root root 4096 Feb 21 08:18 network
drwx------ 2 231072 231072 4096 Feb 21 08:18 tmp
drwx------ 2 root root 4096 Feb 21 08:18 trust
drwx------ 2 231072 231072 4096 Feb 21 08:18 volumes
To understand how the newly introduced user namespace actually delivers the security feature, let us pull and run the ubuntu container as shown below:
root@dell-virtual-machine:~# docker run -it -v /var/log:/var/log --name=collab ubuntu /bin/bash
ERRO[0014] Handler for POST /v1.22/containers/create returned error: No such image: ubuntu:latest
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
a64038a0eeaa: Pull complete
2ec6e7edf8a8: Pull complete
0a5fb6c3c94b: Pull complete
a3ed95caeb02: Pull complete
Digest: sha256:d8b3a9876f7b00798144e75ac6c7f98ab10772867c76dd05f3dbd8687588ab6d
Status: Downloaded newer image for ubuntu:latest
INFO[0278] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers : [nameserver 8.8.8.8 nameserver 8.8.4.4]
INFO[0278] IPv6 enabled; Adding default IPv6 external servers : [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]
root@47bc13e67561:/#
If you try to create a folder structure inside /var/log in the container, it might let you do so, since you are logged into the container as root, but it won't let you play around with the host machine. The challenge and the controversial element of user namespaces is that they can potentially enable root-level privileges inside a container. The risk is that, with root access enabled, a regular non-administrative Docker user could potentially find a bug in the underlying host operating system. Docker 1.10 tackles this problem by providing security in terms of user namespaces, which allow better separation of applications/containers because each process/container has its own set of users.
In the next part of this discussion, we will talk about seccomp profiles, content-addressable image IDs and authorization plugins. Stay tuned!
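As an added illustration that is not part of the original post, the POSIX shell functions below model the id translation that --userns-remap performs, using constructed copies of the /etc/subuid entry and of the /proc/self/uid_map line a remapped container sees (the 231072 range matches the 231072.231072 directory shown earlier). It ties together the directory name and the bind-mounted /var/log case: container uid 0 acts on the host as uid 231072, not as host root. The function names and the sample lines are hypothetical.

```shell
# Constructed sample of the /etc/subuid entry for the dockremap user;
# 231072 is the first host uid of the range, hence /var/lib/docker/231072.231072.
SUBUID_LINE="dockremap:231072:65536"

# Constructed copy of /proc/self/uid_map inside a remapped container:
# "<id inside the namespace> <id on the host> <count>"
UID_MAP="0 231072 65536"

# split_subuid "user:start:count" -> sets START and COUNT
split_subuid() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    START=$2; COUNT=$3
}

# subuid_to_map LINE -> the uid_map line the daemon derives from /etc/subuid
subuid_to_map() {
    split_subuid "$1"
    echo "0 $START $COUNT"
}

# remapped_root_dir LINE -> "<uid>.<gid>" name of the per-mapping Docker root
# (assumes the subgid range starts at the same value, as in the listing above)
remapped_root_dir() {
    split_subuid "$1"
    echo "$START.$START"
}

# map_uid CONTAINER_UID MAP_LINE -> host uid the kernel stamps on files that
# id creates (e.g. on the bind-mounted /var/log); an id outside the mapped
# range has no host identity and is reported as the overflow id 65534.
map_uid() {
    cuid=$1
    set -- $2
    inside=$1; outside=$2; count=$3
    if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
        echo $((outside + cuid - inside))
    else
        echo 65534
    fi
}

# is_remapped MAP_LINE -> succeeds unless the map is the identity mapping
# "0 0 4294967295", which is what a container without user namespaces sees
is_remapped() {
    set -- $1
    [ "$2" != "0" ] || [ "$3" != "4294967295" ]
}

echo "container uid 0 writes to /var/log as host uid $(map_uid 0 "$UID_MAP")"
```

Inside a real container the same check is `cat /proc/self/uid_map`; a first line other than `0 0 4294967295` confirms the remap is in effect.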