Docker Community Forums

Share and learn in the Docker community.

Removing security options --userns and --privileged from docker cli

(Secremove) #1


I’ve setup user namespaces in the docker daemon to isolate containers from the host.

Unfortunately, users who can run docker cli are still able to start containers with --userns=host to expose the host.

I’d like to disallow this behavior.

Is removing the --userns and --privileged options from docker-ce/master/components/cli/cli/command/container/opts.go enough to accomplish what I want?

Any other suggestions to accomplish my goal of unconditionally enforcing the defined uid/gid mappings for containers?