Docker Community Forums

Share and learn in the Docker community.

Is “User” a namespace that is disabled by default?

Is “User” a Linux kernel namespace that is disabled by default and must be enabled at Docker engine runtime to be used?

Belated response:

Docker does not use the Linux user-namespace by default. That means that the root user in the container is the root user on the host (and user 1000 in the container is user 1000 on the host). Having said this, processes in the container run with reduced capabilities, are confined to the container’s chroot jail, and are not allowed to perform certain actions (as dictated by Docker via seccomp and app-armor profiles). This way you get a decent level of security around the container.

Now, Docker has a mode called “userns-remap” that you can enable (see here). In this mode, Docker does use the Linux user-namespace for containers, which means the root user in the container maps to an unprivileged user on the host. This gives the container an extra layer of isolation and at the same time allows processes to run with full capabilities inside the container (but only for resources assigned to the container), so it allows you to run programs that require full capabilities inside the container without compromising your host.

Finally, if you wish to run containers with the user-namespace, another alternative is to use the sysbox runtime. It not only enables user-namespace in the containers, but it also allows them to run applications as well as system-level workloads (such as docker, systemd, k8s, etc.)

Hope this helps!