Is it possible to specify multiple substitute UIDs to "userns-remap" in /etc/docker/daemon.json

Hi,

Based on the instructions in the web page https://docs.docker.com/engine/security/userns-remap/, I was able to deploy a container, with UID 0 within the container user-namespace and mapped to UID 231072 on the host.

Now, is it possible to pass multiple substitute UIDs in daemon.json, such that I can spawn container A with mapped UID 1001 on the host and container B with mapped UID 1002 on the host?

root@docker:~# cat /etc/docker/daemon.json 
{
"userns-remap": "testuser"
}
root@docker:~#
root@docker:~# cat /etc/subuid | grep testuser
testuser:1001:1
root@docker:~# cat /etc/subgid | grep testuse
testuser:1002:1
root@docker:~# 

Thanks,
Alphonse
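An added example, not part of the original post, showing how the subuid/subgid entries in the question translate into the container-to-host ID mapping. It assumes the documented userns-remap behaviour (the remap user's /etc/subuid ranges are concatenated in file order, starting at container UID 0) and uses constructed subuid/subgid contents rather than a real host's files; the function names are the example's own.

```python
"""Compute which host UID/GID a userns-remapped container process gets.

Assumption (from the userns-remap docs): the container's ID space is filled
from the remap user's /etc/subuid ranges in file order, beginning at
container ID 0. Sample file contents below are constructed for the example.
"""

# Constructed /etc/subuid content: a 65536-wide range as the docs recommend.
SAMPLE_SUBUID = """\
testuser:231072:65536
otheruser:296608:65536
"""

# Constructed /etc/subuid content mirroring the question: a single-ID range.
NARROW_SUBUID = "testuser:1001:1\n"


def parse_subid(text, user):
    """Return [(start, count), ...] entries for `user` from subuid/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_id_map(ranges):
    """Concatenate ranges into (container_start, host_start, count) triples,
    the same shape the kernel reports in /proc/<pid>/uid_map."""
    id_map = []
    container_start = 0
    for host_start, count in ranges:
        id_map.append((container_start, host_start, count))
        container_start += count
    return id_map


def to_host_id(id_map, container_id):
    """Translate a container-side ID to the host ID; None means unmapped
    (the kernel would show such a process as the overflow UID, 'nobody')."""
    for c_start, h_start, count in id_map:
        if c_start <= container_id < c_start + count:
            return h_start + (container_id - c_start)
    return None


def format_id_map(id_map):
    """Render the mapping as /proc/<pid>/uid_map would print it."""
    return "\n".join(f"{c} {h} {n}" for c, h, n in id_map)


def range_is_adequate(id_map, minimum=65536):
    """Check that the mapped range covers a full container ID space.
    Returns (ok, total_ids_mapped)."""
    total = sum(n for _, _, n in id_map)
    return total >= minimum, total


if __name__ == "__main__":
    for label, text in (("docs-style", SAMPLE_SUBUID), ("single-ID", NARROW_SUBUID)):
        id_map = build_id_map(parse_subid(text, "testuser"))
        ok, total = range_is_adequate(id_map)
        print(f"[{label}] uid_map:\n{format_id_map(id_map)}")
        print(f"[{label}] container UID 0 -> host {to_host_id(id_map, 0)}")
        print(f"[{label}] container UID 1000 -> host {to_host_id(id_map, 1000)}")
        print(f"[{label}] {total} IDs mapped, adequate={ok}\n")
```

Running it shows why the one-ID entry from the question (testuser:1001:1) is worth a second look: only container UID 0 maps to the host (to 1001), so any non-root user inside the container is unmapped, and a check on the mapped range size flags it. The mapping is also the same for every container started by that daemon, which is the limitation the question is asking about.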

Hi @alphonseha,

Belated response, but it may help.

As far as I know, Docker does not have the functionality you are asking for. That is, Docker always uses the exact same userns ID mapping for all containers (which is not ideal for cross-container isolation).

However, I recently founded a company called Nestybox that has developed a container runtime (we call it sysbox-runc) that enables Docker to deploy containers that use exclusive userns-ID mappings per container. Deploying the container is as simple as “docker run --runtime=sysbox-runc some-image”.

By using this new container runtime, not only will the Docker container you deploy be more secure, but it also supports running system software inside the container (such as systemd and docker itself) without resorting to privileged containers. We call them “system containers”, since they run system software (in addition to apps of course).

If this sounds interesting, give it a shot, it’s free to download at the Nestybox website. There is a video there showing how it works. And we also have a blog site with several articles, among them one that describes the security features of this new runtime, including the exclusive userns ID mappings you were asking about.

Hope this helps!