3rd chunk of `content/manuals/engine/security/userns-remap.md`
    Along the same lines, if you disable `userns-remap` you can't access any
    of the resources created while it was enabled.

5.  Check the [limitations](#user-namespace-known-limitations) on user
    namespaces to be sure your use case is possible.

## Enable userns-remap on the daemon

You can start `dockerd` with the `--userns-remap` flag or follow this
procedure to configure the daemon using the `daemon.json` configuration file.
The `daemon.json` method is recommended. If you use the flag, use the following
command as a model:

```console
$ dockerd --userns-remap="testuser:testuser"
```

1.  Edit `/etc/docker/daemon.json`. Assuming the file was previously empty, the
    following entry enables `userns-remap` using a user and group called
    `testuser`. You can address the user and group by ID or name. You only need to
    specify the group name or ID if it differs from the user name or ID. If
    you provide both the user and group name or ID, separate them with a colon
    (`:`) character. The following formats all work for the value, assuming
    the UID and GID of `testuser` are both `1001`:

    - `testuser`
    - `testuser:testuser`
    - `1001`
    - `1001:1001`
    - `testuser:1001`
    - `1001:testuser`

    ```json
    {
      "userns-remap": "testuser"
    }
    ```

    > [!NOTE]
    >
    > To use the `dockremap` user and have Docker create it for you,
    > set the value to `default` rather than `testuser`.

    Save the file and restart Docker.

2.  If you are using the `dockremap` user, verify that Docker created it using
    the `id` command.

    ```console
    $ id dockremap

    uid=112(dockremap) gid=116(dockremap) groups=116(dockremap)
    ```

    Verify that the entry has been added to `/etc/subuid` and `/etc/subgid`:

    ```console
    $ grep dockremap /etc/subuid

    dockremap:231072:65536

    $ grep dockremap /etc/subgid

    dockremap:231072:65536
    ```

    If these entries are not present, edit the files as the `root` user and
    assign a starting UID and GID that is the highest-assigned one plus the
    offset (in this case, `65536`). Be careful not to allow any overlap in the
    ranges.
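As an added example (not code from the Docker documentation), a small POSIX shell helper that performs the checks this step and step 5 describe against constructed `/etc/subuid`-style input: it looks up a user's subordinate range, rejects overlapping ranges, computes the next free starting ID (the highest range end, which equals the manual's "highest assigned plus the offset" when every range is `65536` wide), and derives the expected `/var/lib/docker/<uid>.<gid>` directory name. The sample files and the `alice` and `bob` accounts are constructed for the example.

```shell
#!/bin/sh
# Constructed sample /etc/subuid (not from a real host); it also stands in for /etc/subgid below.
SAMPLE_SUBUID="$(mktemp)"
cat > "$SAMPLE_SUBUID" <<'EOF'
alice:100000:65536
bob:165536:65536
dockremap:231072:65536
EOF
# Constructed file with a bad manual edit: bob's range starts inside alice's.
BAD_SUBUID="$(mktemp)"
cat > "$BAD_SUBUID" <<'EOF'
alice:100000:65536
bob:150000:65536
EOF
trap 'rm -f "$SAMPLE_SUBUID" "$BAD_SUBUID"' EXIT

# Print "start:count" for USER's entry in FILE; fail if the user has no entry.
subid_range() {  # usage: subid_range FILE USER
    awk -F: -v u="$2" '$1 == u { print $2 ":" $3; found = 1 } END { exit !found }' "$1"
}

# Succeed only if no range in FILE starts inside an earlier one: overlapping
# ranges would map two accounts' containers onto the same host IDs.
subid_no_overlap() {  # usage: subid_no_overlap FILE
    sort -t: -k2,2n "$1" | awk -F: '
        NR > 1 && $2 < max_end { print "overlap: " $1 " starts inside an earlier range"; bad = 1 }
        { if ($2 + $3 > max_end) max_end = $2 + $3 }
        END { exit bad }'
}

# First ID after every assigned range (highest start plus its count). With the
# usual 65536-wide ranges this is the manual's "highest assigned plus the offset".
subid_next_start() {  # usage: subid_next_start FILE
    awk -F: '{ if ($2 + $3 > max) max = $2 + $3 } END { print max + 0 }' "$1"
}

# Name of the remapped root under /var/lib/docker: "<uid>.<gid>", the first host
# IDs of USER's subuid and subgid ranges, which is where container root lands.
userns_docker_dir() {  # usage: userns_docker_dir SUBUID_FILE SUBGID_FILE USER
    r=$(subid_range "$1" "$3") || return 1; uid_start=${r%%:*}
    r=$(subid_range "$2" "$3") || return 1; gid_start=${r%%:*}
    printf '/var/lib/docker/%s.%s\n' "$uid_start" "$gid_start"
}

# Stand-alone demonstration on the constructed files.
subid_range "$SAMPLE_SUBUID" dockremap          # 231072:65536
subid_no_overlap "$BAD_SUBUID" || echo "bad file rejected"
echo "next free start: $(subid_next_start "$SAMPLE_SUBUID")"   # 296608
userns_docker_dir "$SAMPLE_SUBUID" "$SAMPLE_SUBUID" dockremap  # /var/lib/docker/231072.231072
```

On a real host, point the functions at `/etc/subuid` and `/etc/subgid` and compare the printed directory name with the `ls -ld` output from step 5.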

3.  Verify that previous images are not available using the `docker image ls`
    command. The output should be empty.

4.  Start a container from the `hello-world` image.

    ```console
    $ docker run hello-world
    ```

5.  Verify that a namespaced directory exists within `/var/lib/docker/` named
    with the UID and GID of the namespaced user, owned by that UID and GID,
    and not group-or-world-readable. Some of the subdirectories are still
    owned by `root` and have different permissions.

    ```console
    $ sudo ls -ld /var/lib/docker/231072.231072/

    drwx------ 11 231072 231072 11 Jun 21 21:19 /var/lib/docker/231072.231072/

    $ sudo ls -l /var/lib/docker/231072.231072/

    total 14
    drwx------ 5 231072 231072 5 Jun 21 21:19 aufs
    drwx------ 3 231072 231072 3 Jun 21 21:21 containers
    drwx------ 3 root   root   3 Jun 21 21:19 image
    ```

Title: Enabling and Verifying User Namespace Remapping on the Docker Daemon
Summary
To enable `userns-remap`, configure `/etc/docker/daemon.json` with the user or user ID, then restart Docker. If using the 'dockremap' user, verify Docker created it and added entries to `/etc/subuid` and `/etc/subgid`. Check that previous images are unavailable using `docker image ls` and run a container from the 'hello-world' image. Finally, verify the existence of a namespaced directory within `/var/lib/docker/` owned by the namespaced user's UID and GID.