27

Following docker instructions, I've run a docker with dockerd --userns-remap=default which added this line to the /etc/subuid file:

dockremap:165536:65536

I don't understand what it means, please explain.

diggusbickus
Gilgamesz

1 Answer

30

The subordinate uid file contains a list of users and the user ids that the user is allowed to impersonate.

In the example:

dockremap:165536:65536
  • dockremap is the name of the system user. This can be a UID as well.

  • 165536 is the system UID to start the UID mapping at (which will be UID 0 in the container)

  • 65536 is the number of UIDs allowed on top of UID 0 to be mapped. So 165536 + 65536 = 231072 will be the highest UID mapped to the dockremap user.

In Docker terms, dockremap is the user the container will run as when you specify --userns=dockremap. UID 0 in the container will be UID 165536 on the system. UID 1 in the container will be 165537 etc.

Matt
  • So, it means that if docker does not use a user namespace then UID 0 in the container will be UID 0 on the system. So, the root (uid=0) in the container is root on the system, yes? – Gilgamesz Oct 10 '17 at 08:27
  • Correct, and any other UID used in a container will map to that UID outside the container as well. – Matt Oct 10 '17 at 08:57
  • Although containers do provide some limitations so a user inside a container doesn't have access to everything a user would outside a container. – Matt Oct 10 '17 at 08:58
  • Thanks. "Although containers do provide some limitations so a user inside a container doesn't have access to everything a user would outside a container." How do they do it? Can you refer me somewhere? I suppose that the process that is run under a container has fewer capabilities, but it is only my suspicion – Gilgamesz Oct 10 '17 at 10:20
  • The [docker security](https://docs.docker.com/engine/security/security/) page is a good resource. – Matt Oct 10 '17 at 10:42
  • Thanks for the link. But in particular it says: "By default Docker drops all capabilities except those needed, a whitelist instead of a blacklist approach." It means that it drops some capabilities for a container. I am not sure whether I understand it. What does it mean to drop capabilities for a **container**? (What is a container in that sense?) – Gilgamesz Oct 10 '17 at 20:34
  • A "container" is the main process and its children that are in a cgroup and namespace for the container – Matt Dec 10 '17 at 08:47
  • Shouldn't the highest UID mapped to `dockremap` be 165536+65536-1 = 231071 ? – ebk Apr 03 '20 at 11:50
  • @ebk I don't believe so, but my wording needs fixing. UIDs in the container start at 0. 65536 would actually be the highest UID rather than "number of uids allowed". Docker uses the phrase "and the next N integers in sequence" – Matt Apr 04 '20 at 00:13
  • @Matt I think you're right. I just found the following description in `man newuidmap`: "_... each of the UIDs in the range [loweruid, loweruid+count] is allowed to the caller according to /etc/subuid ..._". Thank you for making it clearer – ebk Apr 04 '20 at 02:34
  • @ebk There seems to be conflicting information from manual pages. From [`man subuid`](https://manpages.debian.org/buster/passwd/subuid.5.en.html), the number is “*numerical subordinate user ID count*”. – Franklin Yu Sep 21 '20 at 06:03
  • @FranklinYu After digging into the source code of package `shadow` (e.g. see [here](https://github.com/shadow-maint/shadow/blob/a0efca4581b3542ca4ac6311784a886272ea8481/src/newuidmap.c#L52)), I'm pretty sure that `man subuid` is correct. The range of available IDs should be [loweruid, loweruid+count). Thank you for pointing it out. – ebk Sep 23 '20 at 12:14
  • Just filed an [issue report of man newuidmap/newgidmap](https://github.com/shadow-maint/shadow/issues/280) to the repository of `shadow`. – ebk Sep 23 '20 at 14:20
  • The relevant docker document about this currently is https://docs.docker.com/engine/security/userns-remap/ – user27221 Aug 23 '22 at 10:36
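As an added example (not code from the original post, from Docker or from the `shadow` package), a small Python parser for `/etc/subuid` lines that implements the container-to-host mapping the answer describes and the half-open range the comments settled on; the sample file contents, including the `alice` entry, are constructed.

```python
from dataclasses import dataclass

# Constructed sample of /etc/subuid; the first entry is what
# `dockerd --userns-remap=default` writes, the second is made up.
SUBUID_SAMPLE = """\
# comment lines and blank lines are ignored
dockremap:165536:65536
alice:231072:65536
"""

@dataclass(frozen=True)
class SubidRange:
    owner: str   # user name (or numeric UID) allowed to use the range
    start: int   # first host UID in the range (container UID 0)
    count: int   # number of UIDs in the range

    @property
    def last(self) -> int:
        # subuid(5) gives a count, so the range is half-open
        # [start, start + count) and the highest host UID is start + count - 1.
        return self.start + self.count - 1

    def to_host(self, container_uid: int) -> int:
        if not 0 <= container_uid < self.count:
            raise ValueError(f"container UID {container_uid} outside 0..{self.count - 1}")
        return self.start + container_uid

    def to_container(self, host_uid: int) -> int:
        if not self.start <= host_uid <= self.last:
            raise ValueError(f"host UID {host_uid} not in {self.start}..{self.last}")
        return host_uid - self.start

def parse_subuid(text: str) -> list[SubidRange]:
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count, got {line!r}")
        owner, start, count = fields
        ranges.append(SubidRange(owner, int(start), int(count)))
    return ranges

def overlaps(a: SubidRange, b: SubidRange) -> bool:
    # Two ranges collide if their host UID intervals intersect; with the
    # inclusive reading (start + count) the two sample entries would collide.
    return a.start <= b.last and b.start <= a.last
```

Running `parse_subuid` over the sample shows the dockremap range ends at host UID 231071, so the adjacent `alice` range starting at 231072 does not overlap it.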