Docker Community Forums


Container Wide user namespaces


(Wajihulhassan) #1

Is it possible to assign each container a different user namespace and have different uid mappings? Right now, I can only assign a daemon-wide user namespace using the --user-remap=default option, but in this case all the containers get the same mapping.

The reason I am asking this question is that I am running multiple containers on my host and I have turned on the Linux Audit System (auditd), which generates logs of system events. But the Linux Audit System does not know about containers and cannot differentiate between audit logs from different containers. So I was thinking of using the UID field in the audit logs to separate each container's logs.
Let me know your thoughts.


(Rhonnav) #2

As you said, UID mapping doesn’t help as it applies daemon wide. But I read about a hack to use session IDs as container IDs here: https://lwn.net/Articles/703939/. This is not foolproof as daemons create their own session IDs.

I am exploring a better way as well. Please let me know if you found a way to have a container aware audit logging.


(Rhonnav) #3

I have come up with a userland workaround to solve this problem. I have forked go-audit and added my changes to add the container id to audit logs.
Please find the GitHub link: https://github.com/ubercoolsec/go-audit-container
Please find my blog on Medium describing the details: https://medium.com/@rhonnava/audit-logging-with-container-id-tagging-65e92c570f12
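A userland tagger of the kind post #3 describes, as an added example that is not code from this thread or from go-audit-container: it resolves the pid= field of an audit record to a Docker container id through the process's cgroup membership, which is an assumption about the mechanism rather than something the thread states. The /proc reader is injected so the block runs offline, and the pids, cgroup text, container ids and the uid=165536 value (the same remapped uid for two containers, which is why the UID field from post #1 cannot separate them) are constructed sample data; the regexes and function names are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	pidRe = regexp.MustCompile(`\bpid=(\d+)`)
	// cgroup v1 names a container "/docker/<64 hex>", cgroup v2 "docker-<64 hex>.scope".
	cgroupRe = regexp.MustCompile(`docker[-/]([0-9a-f]{12,64})`)
)

// TagAuditRecord appends " container=<12-char id>" (or host/unknown) to one audit record by
// resolving its pid= field through readCgroup; for real use inject a func that os.ReadFile()s
// /proc/<pid>/cgroup. That read races with process exit and pid reuse, so short-lived processes can be "unknown".
func TagAuditRecord(record string, readCgroup func(pid string) (string, error)) string {
	m := pidRe.FindStringSubmatch(record)
	if m == nil {
		return record
	}
	text, err := readCgroup(m[1])
	if err != nil {
		return record + " container=unknown"
	}
	for _, line := range strings.Split(text, "\n") {
		if c := cgroupRe.FindStringSubmatch(line); c != nil {
			return record + " container=" + c[1][:12]
		}
	}
	return record + " container=host"
}

// Constructed stand-in for /proc: a cgroup v1 container, a cgroup v2 container, a host process.
var fakeProc = map[string]string{
	"4711": "12:pids:/docker/3f2a9c0d1e5b7a6f8c4d2e1b9a0f7c6d5e4b3a2f1c0d9e8b7a6f5c4d3e2b1a0f\n",
	"4722": "0::/system.slice/docker-9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c.scope\n",
	"4200": "12:pids:/user.slice\n",
}

// FakeReadCgroup looks the pid up in the constructed table instead of reading /proc.
func FakeReadCgroup(pid string) (string, error) {
	if text, ok := fakeProc[pid]; ok {
		return text, nil
	}
	return "", fmt.Errorf("no such pid %s", pid)
}

func main() {
	fmt.Println(TagAuditRecord(`type=SYSCALL msg=audit(1500000000.123:42): syscall=59 ppid=4100 pid=4711 uid=165536 comm="sh"`, FakeReadCgroup))
}
```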