Guest24897
/
DockerCLI
mirror of https://github.com/docker/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Run privileged containers when userns are specified 

Following #19995 and #17409 this PR enables skipping userns re-mapping
when creating a container (or when executing a command). Thus, enabling
privileged containers running side by side with userns remapped
containers.

The feature is enabled by specifying ```--userns:host```, which will not
remapped the user if userns are applied. If this flag is not specified,
the existing behavior (which blocks specific privileged operation)
remains.

Signed-off-by: Liron Levin <liron@twistlock.com>
This commit is contained in:
Liron Levin 2016-02-08 16:23:24 +02:00 committed by Tibor Vass
parent b2b5bc9937
commit ce28fa45b0
5 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/reference/commandline/create.md
View File

@ -83,6 +83,9 @@ Creates a new container.
--shm-size=[] Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. --shm-size=[] Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`.
-t, --tty Allocate a pseudo-TTY -t, --tty Allocate a pseudo-TTY
-u, --user="" Username or UID -u, --user="" Username or UID
--userns="" Container user namespace
'host': Use the Docker host user namespace
'': Use the Docker daemon user namespace specified by `--userns-remap` option.
--ulimit=[] Ulimit options --ulimit=[] Ulimit options
--uts="" UTS namespace to use --uts="" UTS namespace to use
-v, --volume=[host-src:]container-dest[:<options>] -v, --volume=[host-src:]container-dest[:<options>]

10
docs/reference/commandline/daemon.md
View File

@ -750,6 +750,16 @@ following algorithm to create the mapping ranges:
2. Map segments will be created from each range in increasing value with a length matching the length of each segment. Therefore the range segment with the lowest numeric starting value will be equal to the remapped root, and continue up through host uid/gid equal to the range segment length. As an example, if the lowest segment starts at ID 1000 and has a length of 100, then a map of 1000 -> 0 (the remapped root) up through 1100 -> 100 will be created from this segment. If the next segment starts at ID 10000, then the next map will start with mapping 10000 -> 101 up to the length of this second segment. This will continue until no more segments are found in the subordinate files for this user. 2. Map segments will be created from each range in increasing value with a length matching the length of each segment. Therefore the range segment with the lowest numeric starting value will be equal to the remapped root, and continue up through host uid/gid equal to the range segment length. As an example, if the lowest segment starts at ID 1000 and has a length of 100, then a map of 1000 -> 0 (the remapped root) up through 1100 -> 100 will be created from this segment. If the next segment starts at ID 10000, then the next map will start with mapping 10000 -> 101 up to the length of this second segment. This will continue until no more segments are found in the subordinate files for this user.
3. If more than five range segments exist for a single user, only the first five will be utilized, matching the kernel's limitation of only five entries in `/proc/self/uid_map` and `proc/self/gid_map`. 3. If more than five range segments exist for a single user, only the first five will be utilized, matching the kernel's limitation of only five entries in `/proc/self/uid_map` and `proc/self/gid_map`.
### Disable user namespace for a container
If you enable user namespaces on the daemon, all containers are started
with user namespaces enabled. In some situations you might want to disable
this feature for a container, for example, to start a privileged container (see
[user namespace known restrictions](#user-namespace-known-restrictions)).
To enable those advanced features for a specific container use `--userns=host`
in the `run/exec/create` command.
This option will completely disable user namespace mapping for the container's user.
### User namespace known restrictions ### User namespace known restrictions
The following standard Docker features are currently incompatible when The following standard Docker features are currently incompatible when

3
docs/reference/commandline/run.md
View File

@ -85,6 +85,9 @@ parent = "smn_cli"
--stop-signal="SIGTERM" Signal to stop a container --stop-signal="SIGTERM" Signal to stop a container
-t, --tty Allocate a pseudo-TTY -t, --tty Allocate a pseudo-TTY
-u, --user="" Username or UID (format: <name|uid>[:<group|gid>]) -u, --user="" Username or UID (format: <name|uid>[:<group|gid>])
--userns="" Container user namespace
'host': Use the Docker host user namespace
'': Use the Docker daemon user namespace specified by `--userns-remap` option.
--ulimit=[] Ulimit options --ulimit=[] Ulimit options
--uts="" UTS namespace to use --uts="" UTS namespace to use
-v, --volume=[host-src:]container-dest[:<options>] -v, --volume=[host-src:]container-dest[:<options>]

5
man/docker-create.1.md
View File

@ -58,6 +58,7 @@ docker-create - Create a new container
[**-P**|**--publish-all**] [**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]] [**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]] [**--pid**[=*[]*]]
[**--userns**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]] [**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**] [**--privileged**]
[**--read-only**] [**--read-only**]
@ -291,6 +292,10 @@ unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
**host**: use the host's PID namespace inside the container. **host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--userns**=""
Set the usernamespace mode for the container when `userns-remap` option is enabled.
**host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
**--pids-limit**="" **--pids-limit**=""
Tune the container's pids limit. Set `-1` to have unlimited pids for the container. Tune the container's pids limit. Set `-1` to have unlimited pids for the container.

5
man/docker-run.1.md
View File

@ -60,6 +60,7 @@ docker-run - Run a command in a new container
[**-P**|**--publish-all**] [**-P**|**--publish-all**]
[**-p**|**--publish**[=*[]*]] [**-p**|**--publish**[=*[]*]]
[**--pid**[=*[]*]] [**--pid**[=*[]*]]
[**--userns**[=*[]*]]
[**--pids-limit**[=*PIDS_LIMIT*]] [**--pids-limit**[=*PIDS_LIMIT*]]
[**--privileged**] [**--privileged**]
[**--read-only**] [**--read-only**]
@ -421,6 +422,10 @@ Use `docker port` to see the actual mapping: `docker port CONTAINER $CONTAINERPO
**host**: use the host's PID namespace inside the container. **host**: use the host's PID namespace inside the container.
Note: the host mode gives the container full access to local PID and is therefore considered insecure. Note: the host mode gives the container full access to local PID and is therefore considered insecure.
**--userns**=""
Set the usernamespace mode for the container when `userns-remap` option is enabled.
**host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
**--pids-limit**="" **--pids-limit**=""
Tune the container's pids limit. Set `-1` to have unlimited pids for the container. Tune the container's pids limit. Set `-1` to have unlimited pids for the container.