[Container-tools] [Devtools] openshift is way too permissive in the CDK/ADB

Daniel J Walsh dwalsh at redhat.com
Thu May 19 19:10:39 UTC 2016



On 05/19/2016 03:03 PM, Hardy Ferentschik wrote:
> Hi,
>
> On Thu, 19-May-2016 10:12, Daniel J Walsh wrote:
>> User Namespace as you would expect it to work (Container Isolation) does
>> not work yet.  User Namespace can be used with docker-1.10, but only for
>> protecting the host from the container. All containers would run with the
>> same "DockerRoot".
> So one thing which always surprised me is that Docker seems to recommend in its
> best practices to actually change the USER - https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
> Hence, so many images on DockerHub follow this principle, and each and every one
> won't run out of the box on OpenShift.
>
> Is it really so wrong? And if it is, why does Docker not change its recommendation?
>
> --Hardy
>
Running a container as non-root is what they are recommending, which we
are also recommending.  This has nothing to do with UserNamespace.

UserNamespace is about mapping UIDs in the container to different UIDs
outside of the container.  For example, you could map 0-1000 inside the
container to 6000-7000 outside the container.  This would allow you to run
a container as "root" inside the container, but if you break out you would
be UID=6000.

This is supported in docker-1.10 and later, but only at the daemon, not
per container.  We need it per container, so container 1 would map
0-1000 to 6000-7000 and container 2 to 8000-9000 ...

OpenShift currently implements running each container's PID1 as a different
UID, and this is more secure than using UserNamespace.

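The mapping arithmetic described in the message above, as an added example that is not part of the original post or of docker/OpenShift code. It uses the real format of Linux's /proc/<pid>/uid_map ("<id inside ns> <id on host> <length>", one line per range), but the two container maps, the container names and the helper function names are constructed here to mirror the ranges in the e-mail (0-1000 remapped to 6000-7000 and 8000-9000). It shows why a daemon-wide remap protects the host but not one container from another: both containers' "root" breaks out to the same host UID.

```python
"""Compute how UIDs inside a user namespace land on the host.

Uses the line format of Linux's /proc/<pid>/uid_map:
    <first id inside the namespace> <first id on the host> <count>
The concrete maps below are constructed for this example; they are not
read from a running docker daemon.
"""

# The kernel reports an ID with no mapping as the overflow UID ("nobody").
OVERFLOW_UID = 65534


def parse_uid_map(text):
    """Parse uid_map text into a list of (inside_start, host_start, count)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        inside, host, count = (int(field) for field in line.split())
        if count <= 0:
            raise ValueError("uid_map length must be positive: %r" % line)
        entries.append((inside, host, count))
    return entries


def host_uid(uid_map, container_uid):
    """Return the host UID a process that sees itself as container_uid really has.

    An unmapped ID has no host identity at all; mirror the kernel and
    return the overflow UID for it.
    """
    for inside, host, count in uid_map:
        if inside <= container_uid < inside + count:
            return host + (container_uid - inside)
    return OVERFLOW_UID


def breakout_uids(container_maps, container_uid=0):
    """For each named container, the host UID a breakout from container_uid lands on."""
    return {name: host_uid(uid_map, container_uid)
            for name, uid_map in container_maps.items()}


def isolated_from_each_other(container_maps):
    """True only if no two containers share any host UID range.

    A single daemon-wide remap (docker-1.10 style) gives every container the
    same map, so the ranges collide and this returns False; distinct
    per-container ranges return True.
    """
    ranges = sorted((host, host + count)
                    for uid_map in container_maps.values()
                    for _inside, host, count in uid_map)
    for (_a_start, a_end), (b_start, _b_end) in zip(ranges, ranges[1:]):
        if b_start < a_end:
            return False
    return True


# Constructed: docker-1.10 behaviour, one map shared by every container.
DAEMON_WIDE = parse_uid_map("0 6000 1000\n")
docker_110 = {"container1": DAEMON_WIDE, "container2": DAEMON_WIDE}

# Constructed: what the e-mail asks for, a distinct host range per container.
per_container = {
    "container1": parse_uid_map("0 6000 1000\n"),
    "container2": parse_uid_map("0 8000 1000\n"),
}

if __name__ == "__main__":
    print("daemon-wide map, root breaks out as:", breakout_uids(docker_110),
          "containers isolated from each other:", isolated_from_each_other(docker_110))
    print("per-container map, root breaks out as:", breakout_uids(per_container),
          "containers isolated from each other:", isolated_from_each_other(per_container))
    print("container1 uid 1500 (outside the map) on the host:",
          host_uid(per_container["container1"], 1500))
```

With the shared map, root in either container is host UID 6000, so a file one container writes to a shared volume is fully accessible to the other; with per-container ranges the two roots are 6000 and 8000 and ordinary DAC keeps them apart, which is the property the message says docker-1.10 does not yet provide.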