From ce28fa45b09dffa9bd31628715220f3b1582e0cb Mon Sep 17 00:00:00 2001 From: Liron Levin Date: Mon, 8 Feb 2016 16:23:24 +0200 Subject: [PATCH] Run privileged containers when userns are specified Following #19995 and #17409 this PR enables skipping userns re-mapping when creating a container (or when executing a command). This enables privileged containers running side by side with userns remapped containers. The feature is enabled by specifying ```--userns:host```, which will not remap the user if userns are applied. If this flag is not specified, the existing behavior (which blocks specific privileged operations) remains. Signed-off-by: Liron Levin --- docs/reference/commandline/create.md | 3 +++ docs/reference/commandline/daemon.md | 10 ++++++++++ docs/reference/commandline/run.md | 3 +++ man/docker-create.1.md | 5 +++++ man/docker-run.1.md | 5 +++++ 5 files changed, 26 insertions(+) diff --git a/docs/reference/commandline/create.md b/docs/reference/commandline/create.md index fa68b0feb1..6128411c5f 100644 --- a/docs/reference/commandline/create.md +++ b/docs/reference/commandline/create.md @@ -83,6 +83,9 @@ Creates a new container. --shm-size=[] Size of `/dev/shm`. The format is ``. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. -t, --tty Allocate a pseudo-TTY -u, --user="" Username or UID + --userns="" Container user namespace + 'host': Use the Docker host user namespace + '': Use the Docker daemon user namespace specified by `--userns-remap` option. --ulimit=[] Ulimit options --uts="" UTS namespace to use -v, --volume=[host-src:]container-dest[:] diff --git a/docs/reference/commandline/daemon.md b/docs/reference/commandline/daemon.md index e8071e92ec..f94163aefb 100644 --- a/docs/reference/commandline/daemon.md +++ b/docs/reference/commandline/daemon.md 
@@ -750,6 +750,16 @@ following algorithm to create the mapping ranges: 2. Map segments will be created from each range in increasing value with a length matching the length of each segment. Therefore the range segment with the lowest numeric starting value will be equal to the remapped root, and continue up through host uid/gid equal to the range segment length. As an example, if the lowest segment starts at ID 1000 and has a length of 100, then a map of 1000 -> 0 (the remapped root) up through 1100 -> 100 will be created from this segment. If the next segment starts at ID 10000, then the next map will start with mapping 10000 -> 101 up to the length of this second segment. This will continue until no more segments are found in the subordinate files for this user. 3. If more than five range segments exist for a single user, only the first five will be utilized, matching the kernel's limitation of only five entries in `/proc/self/uid_map` and `proc/self/gid_map`. +### Disable user namespace for a container + +If you enable user namespaces on the daemon, all containers are started +with user namespaces enabled. In some situations you might want to disable +this feature for a container, for example, to start a privileged container (see +[user namespace known restrictions](#user-namespace-known-restrictions)). +To enable those advanced features for a specific container use `--userns=host` +in the `run/exec/create` command. +This option will completely disable user namespace mapping for the container's user. + ### User namespace known restrictions The following standard Docker features are currently incompatible when diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md index 496ff4865d..a3ef21f79b 100644 --- a/docs/reference/commandline/run.md +++ b/docs/reference/commandline/run.md 
@@ -85,6 +85,9 @@ parent = "smn_cli" --stop-signal="SIGTERM" Signal to stop a container -t, --tty Allocate a pseudo-TTY -u, --user="" Username or UID (format: [:]) + --userns="" Container user namespace + 'host': Use the Docker host user namespace + '': Use the Docker daemon user namespace specified by `--userns-remap` option. --ulimit=[] Ulimit options --uts="" UTS namespace to use -v, --volume=[host-src:]container-dest[:] diff --git a/man/docker-create.1.md b/man/docker-create.1.md index 16f70a958d..95d171fec3 100644 --- a/man/docker-create.1.md +++ b/man/docker-create.1.md @@ -58,6 +58,7 @@ docker-create - Create a new container [**-P**|**--publish-all**] [**-p**|**--publish**[=*[]*]] [**--pid**[=*[]*]] +[**--userns**[=*[]*]] [**--pids-limit**[=*PIDS_LIMIT*]] [**--privileged**] [**--read-only**] @@ -291,6 +292,10 @@ unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap. **host**: use the host's PID namespace inside the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure. +**--userns**="" + Set the usernamespace mode for the container when `userns-remap` option is enabled. + **host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`). + **--pids-limit**="" Tune the container's pids limit. Set `-1` to have unlimited pids for the container. diff --git a/man/docker-run.1.md b/man/docker-run.1.md index a22d43762d..c44dd603d0 100644 --- a/man/docker-run.1.md +++ b/man/docker-run.1.md @@ -60,6 +60,7 @@ docker-run - Run a command in a new container [**-P**|**--publish-all**] [**-p**|**--publish**[=*[]*]] [**--pid**[=*[]*]] +[**--userns**[=*[]*]] [**--pids-limit**[=*PIDS_LIMIT*]] [**--privileged**] [**--read-only**] 
@@ -421,6 +422,10 @@ Use `docker port` to see the actual mapping: `docker port CONTAINER $CONTAINERPO **host**: use the host's PID namespace inside the container. Note: the host mode gives the container full access to local PID and is therefore considered insecure. +**--userns**="" + Set the usernamespace mode for the container when `userns-remap` option is enabled. + **host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`). + **--pids-limit**="" Tune the container's pids limit. Set `-1` to have unlimited pids for the container.
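Review bot: In the create.md hunk (and the identical run.md hunk), the new `--userns` entry documents the `'host'` value without any security caveat, while the man pages' `--pid` entry that this patch sits next to explicitly says `host` mode "is therefore considered insecure". With remapping disabled, uid 0 inside the container is uid 0 on the host, so a `--userns=host` container loses exactly the protection `--userns-remap` was enabled for; suggest a third line under the option, for example `Note: 'host' disables user namespace remapping for this container and is therefore considered insecure.` The `''` line should also say that it is the default, since that is what the "existing behavior remains" statement in the commit message implies.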
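Review bot: The new "Disable user namespace for a container" section in daemon.md says `--userns=host` is accepted by the `run/exec/create` commands, but this patch adds the flag only to the run and create reference pages and man pages; either document it for `docker exec` as well or drop `exec` from the list. "To enable those advanced features for a specific container" is vague: state that the flag lifts the restrictions listed under "User namespace known restrictions" by running the container in the host's user namespace, and replace "completely disable user namespace mapping for the container's user" with the concrete consequence, that root in the container is root on the host and the container has the same exposure as one started on a daemon without `--userns-remap`. The commit message also spells the flag `--userns:host`, whereas every documented line uses the `--userns=""` form; the `=` form is the one the reference pages define.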
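Review bot: In both man-page synopsis hunks (docker-create.1.md and docker-run.1.md), `[**--userns**[=*[]*]]` is inserted between `[**--pid**[=*[]*]]` and `[**--pids-limit**[=*PIDS_LIMIT*]]`, which breaks the alphabetical order of the synopsis and splits the two `--pid*` options; move the new entry to follow the existing `--user` entry.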
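Review bot: In both man-page description hunks, "usernamespace" should be "user namespace" (it appears twice per hunk), and `userns-remap` should be written as the daemon flag `--userns-remap` so the reader knows where that setting lives. The wording "use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`)" overstates what the flag does: it removes the remapping that blocks those options, but each still has to be requested explicitly, so "allows privileged options such as `--pid=host` or `--privileged` to be used" is more accurate (and `pid=host` is missing its leading `--`). Mirror the adjacent `--pid` entry, which says "the host mode gives the container full access to local PID and is therefore considered insecure", with an equivalent note that `host` maps the container's root to the host's root. The entry is also placed between `--pid` and `--pids-limit` rather than after `--user`, matching the ordering problem in the synopsis.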