The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

3.3 Configuring User Namespace Remapping

The following procedure applies to version 1.10 and later of Docker.

To force processes running in Docker containers to run with an alternate user namespace mapping on the host system, use the --userns-remap option as a startup parameter for the Docker engine. This functionality provides an additional layer of security to the host system: a process that runs as root inside a container is an unprivileged, high-numbered UID on the host, so an escape from the container does not by itself yield host root. The processes that are running in each container are run with the UIDs and GIDs of a subordinate mapping defined in /etc/subuid and /etc/subgid. The shadow-utils project provides subordinate user mappings, which are a function of user namespaces within the Linux kernel. For more information, see https://docs.docker.com/edge/engine/reference/commandline/dockerd/#daemon-user-namespace-options.

To implement user namespace remapping:

  1. Create and edit the /etc/subuid file.

    Although the Docker documentation suggests that this file is created and populated automatically, that behaviour depends on code in the usermod command that is not currently included in Oracle Linux. Create the file manually if it does not yet exist, and populate it with the user mapping that you require, one entry per line in the form:

    user:start_uid:uid_count

    Add an entry for the dockremap user if you plan to configure default user namespace remapping. Alternately, add an entry for the unprivileged user that you are going to use for this purpose. For example:

    dockremap:100000:65536

    In the example above, dockremap is the unprivileged system user that is used for the remapping. 100000 is the first UID in the range of host UIDs that processes within the container may run with, and 65536 is the number of UIDs in that range (the container can therefore use UIDs 0 through 65535, which map to host UIDs 100000 through 165535). Based on this example entry, a process running as the root user (UID 0) within the container runs on the host system with UID 100000. If a process within the container runs as a user with UID 500, on the host system it runs with UID 100500. Choose a start value and count that do not overlap the UIDs of any real account on the host, otherwise a remapped container process would own that account's files.

  2. Create and edit the /etc/subgid file. The same principles apply to group ID mappings as to user ID mappings.

    Add an entry for the dockremap group if you plan to configure default user namespace remapping. Alternately, add an entry for the group that you are going to use for this purpose. For example:

    dockremap:100000:65536

  3. Configure the docker service to run with the --userns-remap parameter enabled, by editing /etc/sysconfig/docker and appending the relevant remap parameter to the OPTIONS line, for example:

    # /etc/sysconfig/docker
    # Modify these options if you want to change the way the docker daemon runs
    OPTIONS='--userns-remap=default'

    When --userns-remap is set to default, Docker automatically creates a user and group named dockremap. Entries for the dockremap user and group must exist in /etc/subuid and /etc/subgid. Alternately, set the --userns-remap option to an unprivileged user and group that already exist on the system (for example --userns-remap=user or --userns-remap=user:group). If you do this, replace the dockremap user in the /etc/subuid and /etc/subgid files with the appropriate user name and group name.

  4. Restart the docker service to activate changes to the service configuration:

    # service docker restart

    The Docker engine applies the same user namespace remapping rules to all containers, regardless of who runs a container or who executes a command within a container. Because the mapping is daemon-wide, every container's root shares the same host UID (100000 in the example above); the remapping isolates containers from the host, not from one another.
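The following script, added here as an example and not taken from the Oracle documentation or from Docker, walks the four steps above as checks you can run before restarting the daemon: it validates the shape of a subuid/subgid entry, confirms the subordinate range does not collide with a real host account, shows which host UID a given container UID becomes, and emits the OPTIONS line for /etc/sysconfig/docker. The function names and the sample /etc/subuid and /etc/passwd contents are this example's own assumptions; point the functions at the real files (for instance `subid_lookup dockremap "$(cat /etc/subuid)"`) to check a live system.

```shell
#!/bin/sh
# Added example (not part of the Oracle docs or of Docker): POSIX sh helpers
# for sanity-checking --userns-remap setup. Function names and sample data
# below are assumptions made for this example.

# Constructed sample contents standing in for /etc/subuid and /etc/passwd.
SAMPLE_SUBUID='dockremap:100000:65536'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
dockremap:x:1001:1001::/home/dockremap:/sbin/nologin'

# validate_subid_entry LINE
# Succeeds only when LINE has the user:start_uid:uid_count shape with
# numeric fields and a non-zero count.
validate_subid_entry() {
    printf '%s\n' "$1" | awk -F: '
        NF == 3 && $1 ~ /^[A-Za-z_][A-Za-z0-9_-]*$/ &&
        $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 + 0 != 0 { ok = 1 }
        END { exit !ok }'
}

# subid_lookup USER CONTENT
# Prints "start count" for USER's entry in CONTENT (a subuid/subgid body).
subid_lookup() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $2, $3; found = 1; exit }
        END { exit !found }'
}

# host_id CONTAINER_ID START COUNT
# Prints the host ID that CONTAINER_ID maps to; fails when the ID lies
# outside the subordinate range (no such ID can exist in the container).
host_id() {
    if [ "$1" -lt 0 ] || [ "$1" -ge "$3" ]; then
        return 1
    fi
    echo $(( $2 + $1 ))
}

# range_overlaps_passwd START COUNT PASSWD_CONTENT
# Succeeds when any account UID in PASSWD_CONTENT falls in [START, START+COUNT);
# a remapped container process would then own that account's host files.
range_overlaps_passwd() {
    printf '%s\n' "$3" | awk -F: -v s="$1" -v c="$2" '
        $3 + 0 >= s + 0 && $3 + 0 < s + c { hit = 1; exit }
        END { exit !hit }'
}

# userns_remap_options NAME
# Emits the OPTIONS line for /etc/sysconfig/docker. NAME is "default"
# (Docker creates dockremap) or an existing unprivileged user or user:group.
userns_remap_options() {
    printf "OPTIONS='--userns-remap=%s'\n" "$1"
}

# Run the sample through the same checks you would apply to the real files.
demo() {
    validate_subid_entry "$SAMPLE_SUBUID" || { echo "malformed subuid entry"; return 1; }
    set -- $(subid_lookup dockremap "$SAMPLE_SUBUID")   # $1=start $2=count
    if range_overlaps_passwd "$1" "$2" "$SAMPLE_PASSWD"; then
        echo "subordinate range overlaps a real host account; choose another start"
        return 1
    fi
    echo "container UID 0   -> host UID $(host_id 0 "$1" "$2")"
    echo "container UID 500 -> host UID $(host_id 500 "$1" "$2")"
    userns_remap_options default
}

demo
```

Run against the sample, the script reports container UID 0 mapping to host UID 100000 and container UID 500 to 100500, then prints the OPTIONS line to paste into /etc/sysconfig/docker before `service docker restart`. The overlap check is the one worth keeping: an entry such as `dockremap:0:65536` passes the format check but would map container root onto host root, which is exactly what remapping is meant to prevent.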