The root requirement was to harden Docker in such way that there are no privilege escalation and container should run non root user
I used user-remap feature for this purpose. The user-remap resolved the above two issue but it created anther issue.
The container gives permission denied error for the directories mounted to until unless we the directory is not given others/world (o+w) permission on the host machine.
If I give the world permission then it again leads to privilege escalation since any other user on the host machine will have write access to all the containers directories.
The subgid and subuid files contains the following lines:
I need solution to avoid the privilege escalation by either ways:
- dockremap user only have the access to containers directories
- another approach by avoid privileges escalation and run containers as non-root user.
PS: i am using photon os.