LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Containers
User Name
Password
Linux - Containers This forum is for the discussion of all topics relating to Linux containers. Docker, LXC, LXD, runC, containerd, CoreOS, Kubernetes, Mesos, rkt, and all other Linux container platforms are welcome.

Notices


Reply
  Search this Thread
Old 05-24-2020, 10:32 AM   #1
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,149

Rep: Reputation: 85
role of intermediate host user when mapping users (user namespaces)


Hi,

I'm trying to understand the role of the user created on the host for docker (this is ultimately just an example, but I'm guessing the principle should be the same everywhere).

When I activate docker's user name mapping ("userns-remap": "default"), so that the containers run in a different username space, docker makes use by default of a user called dockremap.
Code:
root@rusty:/# grep dockremap /etc/passwd
dockremap:x:111:115::/home/dockremap:/bin/false
The mapping I can see in /etc/subuid:
Code:
dockremap:558752:65536
The processes running as root inside the container are shown using the 558752 UID:
Code:
root@rusty:/# ps aux | grep apache2
558752    1823  0.0  0.8 280572 35956 ?        Ss   16:20   0:00 apache2 -DFOREGROUND
Likewise docker creates a special extra folder for all containers/volumes etc. when running with this special user, and the effective permissions correspond to the mapped UID (the big number):
Code:
root@rusty:/var/lib/docker# ls -l
total 88
drwx------ 14 558752 558752  4096 May 24 16:20 558752.558752
Which again is to be expected, 'cause that's the effective UID that the processes are using to access the resources inside that folder.
But I still don't understand how the actual user (i.e. its 111 UID) on the hostname is being used.

Thanks in advance!
 
Old 05-26-2020, 06:15 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 14,633

Rep: Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758
This feature is not really docker related, just used by docker (amongst others).

probably this helps: https://www.man7.org/linux/man-pages...espaces.7.html
(and this: https://www.man7.org/linux/man-pages...wuidmap.1.html)
 
Old 05-28-2020, 07:25 AM   #3
cyphar
LQ Newbie
 
Registered: May 2020
Location: Sydney
Distribution: openSUSE
Posts: 4

Rep: Reputation: Disabled
Technically the usage of a fake "dockremap" user is a odd quirk of Docker and is a slight misuse of the /etc/sub[ug]id files. The idea behind /etc/sub[ug]id files is that they allow you to specify which IDs are available for users to use for user namespace purposes (using the new[ug]idmap set-uid helper binaries). Since Docker is a privileged program (running as root) it doesn't need any such entry, but Docker supports it so that admins can specify separate ranges for Docker and other users. LXD can be configured in a similar way, but they use "root" as the user (which is slightly more correct semantically, but means you cannot specify separate a separate range just for LXD if another program wants to use the root users' reserved mappings).
 
Old 05-29-2020, 07:36 AM   #4
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,149

Original Poster
Rep: Reputation: 85
Can you please expand on that a little bit? Your post is very helpful, but I haven't understood the whole of it.
How are separate ranges actually achieved by docker if they create this fake user? And how would the LXD be limited when they use 'root'?
 
Old 05-29-2020, 09:35 AM   #5
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 14,633

Rep: Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758
Only one line is used from /etc/subuid, based on the username. You can set this user in the config of docker daemon. It can be either a valid user or this dockremap "virtual" user (default). This username (or userid) is not used, only once when the daemon started. dockerd reads the line belongs to this name (from etc/subuid).
 
Old 05-29-2020, 10:18 AM   #6
cyphar
LQ Newbie
 
Registered: May 2020
Location: Sydney
Distribution: openSUSE
Posts: 4

Rep: Reputation: Disabled
Quote:
Originally Posted by vincix View Post
Can you please expand on that a little bit? Your post is very helpful, but I haven't understood the whole of it.
How are separate ranges actually achieved by docker if they create this fake user? And how would the LXD be limited when they use 'root'?
Docker doesn't use the fake user (Docker runs as root), it's just an odd method of configuration. Neither LXD nor Docker are "limited" in a strict sense (they both run as root after all, so they can map any users they want into a user namespace). However, the idea of /etc/sub[ug]id is that you have a single place on the system where you allocate IDs for use in user namespaces (similar to /etc/passwd or /etc/group).

Privileged runtimes use the configuration of those files when deciding which range of IDs to map inside user namespaces (for Docker, the container gets the entire range while LXD lets you map independent ranges for each container to stop cross-container attacks). This means if an admin configures both LXD and Docker on a single system, they can allocate separate ranges for each runtime (meaning that the containers by the different runtimes won't use the same IDs -- which blocks some cross-container attacks). Again, Docker and LXD aren't forced to obey this, it's just a configuration option (they both run as root and can map any users they want to -- and LXD even lets you configure this dynamically per-container).

However, the intended use of /etc/sub[ug]id is that it lists which IDs unprivileged users are allowed to map into their containers. The set-uid helpers new[ug]idmap then allow those unprivileged users to map those IDs when they are creating containers (this is needed for the same reason that newgrp is needed).
 
1 members found this post helpful.
Old 05-29-2020, 12:14 PM   #7
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 14,633

Rep: Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758
Quote:
Originally Posted by cyphar View Post

However, the intended use of /etc/sub[ug]id is that it lists which IDs unprivileged users are allowed to map into their containers. The set-uid helpers new[ug]idmap then allow those unprivileged users to map those IDs when they are creating containers (this is needed for the same reason that newgrp is needed).
That is true. Docker use dockerd to run containers (docker itself is just a dumb client to send requests to dockerd), so the user who initiated it is [more or less] irrelevant. That is a "big" problem with docker, the daemon runs as root and actually has no any idea about the original user. Probably it will be changed in the future, but actually the only restriction is that the user should belong to the group docker (and the user id is lost).
 
1 members found this post helpful.
Old 05-29-2020, 01:27 PM   #8
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,149

Original Poster
Rep: Reputation: 85
Thank you both for the answer, it's slowly becoming clearer.

One more thing related to /etc/subuid. pan64 says that only line can be used from /etc/subuid, but that doesn't seem to be the case with docker. I think that's exactly how you set several ranges different ranges, if I'm not mistaken.

Code:
root@rusty:~# cat /etc/subuid
lxd:100000:65536
root:100000:65536
vagrant:165536:65536
ubuntu:231072:65536
prometheus:362144:65536
node_exporter:427680:65536
pushgateway:493216:65536
dockremap:558752:65536
dockremap:658752:65536

root@rusty:~# docker run ubuntu cat /proc/self/uid_map
         0     558752      65536
     65536     658752      65536

Last edited by vincix; 05-29-2020 at 03:45 PM.
 
Old 05-29-2020, 02:01 PM   #9
cyphar
LQ Newbie
 
Registered: May 2020
Location: Sydney
Distribution: openSUSE
Posts: 4

Rep: Reputation: Disabled
Quote:
Originally Posted by vincix View Post
One more thing related to /etc/subuid. pan64 says that only line can be used from /etc/subuid, but that doesn't seem to be the case with docker. I think that's exactly how you set several ranges different ranges, if I'm not mistaken.
pan64 was mistaken (probably since they hadn't seen an /etc/sub[ug]id file with more than one range for a user before since it's a little bit of an unusual setup). Docker appends all the ranges specified in /etc/sub[ug]id and maps them all, but that's just how they decided to implement its usage of /etc/sub[ug]id -- though I think LXD does the same thing.
 
Old 05-30-2020, 03:24 AM   #10
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 14,633

Rep: Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758Reputation: 4758
Quote:
Originally Posted by cyphar View Post
pan64 was mistaken (probably since they hadn't seen an /etc/sub[ug]id file with more than one range for a user before since it's a little bit of an unusual setup). Docker appends all the ranges specified in /etc/sub[ug]id and maps them all, but that's just how they decided to implement its usage of /etc/sub[ug]id -- though I think LXD does the same thing.
That was my fault. Only one user will be used, which is specified in daemon.json, that is the correct statement. Sorry.
 
  


Reply

Tags
namespace, userid


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Podman and user namespaces: A marriage made in heaven LXer Syndicated Linux News 0 12-15-2018 07:50 PM
LXer: Hardening Docker Hosts with User Namespaces LXer Syndicated Linux News 0 08-31-2017 11:03 PM
LXer: Useful Meld tips/tricks for intermediate users LXer Syndicated Linux News 0 01-26-2017 08:31 PM
issue with installing hyper-v role on a 2008x64 virtualbox vm on ubuntu64 host JET-33 Linux - Virtualization and Cloud 6 08-24-2010 03:03 AM
Any good distros for intermediate users? mag1strate General 8 10-03-2009 03:41 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Containers

All times are GMT -5. The time now is 03:53 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration