Docker Community Forums

Share and learn in the Docker community.

Need docker to report UID of user starting image to authorization plugin

Hello,

I have added plugin opa-docker-authz to docker to control what users can/cannot do. I want the users to only be able to mount/bind their own home directory, but I can’t configure that because docker isn’t reporting username/UID to the authorization plugin. This is probably because there’s no authentication going on (users ssh into server and then start docker). Is it possible to configure some form of “authentication” that will only pass the user’s name/UID to docker and then to the authorization plugin?

Thanks,
Tom

You can start dockerd with the --userns-remap flag or follow this procedure to configure the daemon using the daemon.json configuration file. The daemon.json method is recommended. If you use the flag, use the following command as a model:

$ dockerd --userns-remap=“testuser:testuser”
Edit /etc/docker/daemon.json. Assuming the file was previously empty, the following entry enables userns-remap using user and group called testuser. You can address the user and group by ID or name. You only need to specify the group name or ID if it is different from the user name or ID. If you provide both the user and group name or ID, separate them by a colon (:slight_smile: character. The following formats all work for the value, assuming the UID and GID of testuser are 1001:

testuser
testuser:testuser
1001
1001:1001
testuser:1001
1001:testuser
{
“userns-remap”: “testuser”
}
Note: To use the dockremap user and have Docker create it for you, set the value to default rather than testuser.

Save the file and restart Docker.

If you are using the dockremap user, verify that Docker created it using the id command.

$ id dockremap

uid=112(dockremap) gid=116(dockremap) groups=116(dockremap)
Verify that the entry has been added to /etc/subuid and /etc/subgid:

$ grep dockremap /etc/subuid

dockremap:231072:65536

$ grep dockremap /etc/subgid

dockremap:231072:65536
If these entries are not present, edit the files as the root user and assign a starting UID and GID that is the highest-assigned one plus the offset (in this case, 65536). Be careful not to allow any overlap in the ranges.

Verify that previous images are not available using the docker image ls command. The output should be empty.

Start a container from the hello-world image.

$ docker run hello-world
Verify that a namespaced directory exists within /var/lib/docker/ named with the UID and GID of the namespaced user, owned by that UID and GID, and not group-or-world-readable. Some of the subdirectories are still owned by root and have different permissions.

$ sudo ls -ld /var/lib/docker/231072.231072/

drwx------ 11 231072 231072 11 Jun 21 21:19 /var/lib/docker/231072.231072/

$ sudo ls -l /var/lib/docker/231072.231072/

total 14
drwx------ 5 231072 231072 5 Jun 21 21:19 aufs
drwx------ 3 231072 231072 3 Jun 21 21:21 containers
drwx------ 3 root root 3 Jun 21 21:19 image
drwxr-x— 3 root root 3 Jun 21 21:19 network
drwx------ 4 root root 4 Jun 21 21:19 plugins
drwx------ 2 root root 2 Jun 21 21:19 swarm
drwx------ 2 231072 231072 2 Jun 21 21:21 tmp
drwx------ 2 root root 2 Jun 21 21:19 trust
drwx------ 2 231072 231072 3 Jun 21 21:19 volumes
Your directory listing may have some differences, especially if you use a different container storage driver than aufs.

The directories which are owned by the remapped user are used instead of the same directories directly beneath /var/lib/docker/ and the unused versions (such as /var/lib/docker/tmp/ in the example here) can be removed. Docker does not use them while userns-remap is enabled.

Facinating finding. I wasn’t aware of this plugin.

Please keep us posted if you should ever solve the problem :slight_smile:

I took a short look at the doku and found an example, where they declare HttpHeaders in a users docker client config file (~/.docker/config.json) and process them as input in the rules. I can image this approach can be used to pass any user specific information to the opa plugin. Instead of using usernames you could generate per user tokens to prevent easy guessing of other user accounts (or use jwt? I am curious how to integrate it into the mix)

May I ask how you determin the uid of the bind-mount on the host in the Rego OPA rules?