Article 53VW2 role of intermediate host user when mapping users (user namespaces)

by vincix from LinuxQuestions.org on (#53VW2)

Hi,

I'm trying to understand the role of the user created on the host for docker (this is ultimately just an example, but I'm guessing the principle should be the same everywhere).

When I activate docker's user name mapping ("userns-remap": "default"), so that the containers run in a different username space, docker makes use by default of a user called dockremap.
Code:
root@rusty:/# grep dockremap /etc/passwd
dockremap:x:111:115::/home/dockremap:/bin/false

The mapping I can see in /etc/subuid:
Code:
dockremap:558752:65536

The processes running as root inside the container are shown using the 558752 UID:
Code:
root@rusty:/# ps aux | grep apache2
558752 1823 0.0 0.8 280572 35956 ? Ss 16:20 0:00 apache2 -DFOREGROUND

Likewise docker creates a special extra folder for all containers/volumes etc. when running with this special user, and the effective permissions correspond to the mapped UID (the big number):
Code:
root@rusty:/var/lib/docker# ls -l
total 88
drwx------ 14 558752 558752 4096 May 24 16:20 558752.558752

Which again is to be expected, 'cause that's the effective UID that the processes are using to access the resources inside that folder.
But I still don't understand how the actual user (i.e. its 111 UID) on the hostname is being used.

Thanks in advance!
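
The UID arithmetic behind the output quoted in the post, as an added example that is not part of the original post: it looks up the range by the owner name in subuid-format text and translates UIDs in both directions. The sample text, the `exampleuser` entry, the function names and the use of container UID 33 (www-data in Debian-based images) are assumptions made for illustration.

```python
# Added example. SUBUID_SAMPLE is constructed: the dockremap line is the one
# quoted in the post, "exampleuser" is a hypothetical second entry.
SUBUID_SAMPLE = """\
exampleuser:100000:65536
dockremap:558752:65536
"""


def parse_subid(text):
    """Parse subuid/subgid-format text into {owner: (start, count)}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        owner, start, count = line.split(":")
        # Assumption: one range per owner; keep the first if there are several.
        ranges.setdefault(owner, (int(start), int(count)))
    return ranges


def uid_map_line(ranges, owner):
    """The '<inside> <outside> <length>' fields of /proc/<pid>/uid_map."""
    start, count = ranges[owner]
    return f"0 {start} {count}"


def to_host_uid(ranges, owner, container_uid):
    """Translate a UID seen inside the container to the UID the host sees."""
    start, count = ranges[owner]
    if not 0 <= container_uid < count:
        raise ValueError(f"container UID {container_uid} is outside the mapped range")
    return start + container_uid


def to_container_uid(ranges, owner, host_uid):
    """Reverse translation; None means the host UID has no mapping in the namespace."""
    start, count = ranges[owner]
    if start <= host_uid < start + count:
        return host_uid - start
    return None


if __name__ == "__main__":
    ranges = parse_subid(SUBUID_SAMPLE)
    print("uid_map:", uid_map_line(ranges, "dockremap"))
    for uid in (0, 33, 65535):  # 33 = www-data in Debian-based images (assumption)
        print(f"container {uid:>5} -> host {to_host_uid(ranges, 'dockremap', uid)}")
    print("host 111 ->", to_container_uid(ranges, "dockremap", 111))
```

On a live system the computed line can be compared against `/proc/<pid>/uid_map` of a container process such as the apache2 PID shown in the post.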