From 50d1d4ecba154fc4866668bfd46cf11fdc35bfe8 Mon Sep 17 00:00:00 2001
From: Lewis Daly
Date: Mon, 30 Jan 2017 20:59:13 +1030
Subject: [PATCH] Updated dockerd docs with note about user namespaces

Signed-off-by: Lewis Daly

Updated uid/gid reference to be more canonical - and signed commit

Signed-off-by: Lewis Daly

Editorial suggestion

I tried my hand at rewriting this a bit for readability. Can you please verify that the facts are correct, especially about the permission changes? You can feel free to squash my commit with yours so that it's signed. You'll need to pull the change from your fork to work on it locally.

Editorial suggestion

I tried my hand at rewriting this a bit for readability. Can you please verify that the facts are correct, especially about the permission changes? You can feel free to squash my commit with yours so that it's signed. You'll need to pull the change from your fork to work on it locally.

---
 docs/reference/commandline/dockerd.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md
index e4b5a33a87..e61b5ae53b 100644
--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@@ -993,6 +993,19 @@ with user namespaces enabled or not. If the daemon is configured with user namespaces, the Security Options entry in the response will list "userns" as one of the enabled security features. +#### Behavior differences when user namespaces are enabled + +When you start the Docker daemon with `--userns-remap`, Docker segregates the graph directory +where the images are stored by adding an extra directory with a name corresponding to the +remapped UID and GID. For example, if the remapped UID and GID begin with `165536`, all +images and containers running with that remap setting are located in `/var/lib/docker/165536.165536` +instead of `/var/lib/docker/`. + +In addition, the files and directories within the new directory, which correspond to +images and container layers, are also owned by the new UID and GID. To set the ownership +correctly, you need to re-pull the images and restart the containers after starting the +daemon with `--userns-remap`. + ### Detailed information on `subuid`/`subgid` ranges Given potential advanced use of the subordinate ID ranges by power users, the
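Review bot: the second added paragraph ("To set the ownership correctly, you need to re-pull the images and restart the containers after starting the daemon with `--userns-remap`") reads as though the daemon changes the ownership of existing content, but by the first paragraph the remapped daemon works in a separate graph directory (`/var/lib/docker/165536.165536`), so the images and containers already under `/var/lib/docker/` are not re-owned, they are simply not visible to it. Suggest stating that directly and replacing "restart the containers" with "re-create the containers", since a container created under the old graph root cannot be restarted by the remapped daemon, e.g. "Because the remapped daemon uses a new, empty graph directory, images must be pulled again and containers re-created after switching to `--userns-remap`; the existing contents of `/var/lib/docker/` are left untouched." Minor: "if the remapped UID and GID begin with `165536`" is ambiguous about what "begin with" means; "if the subordinate UID and GID ranges assigned to the remap user start at `165536`" matches the `subuid`/`subgid` terminology of the section that follows.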