Docker Community Forums

Share and learn in the Docker community.

Switching from Privileged to User Namespace

I have an existing docker host with containers on Linux (Alpine Linux) running in privileged mode and want to switch to user namespace isolation for added security.

I know how to enable user namespace (outlined here and here) but not sure of the correct order of sequence for doing this on an existing host with existing containers and data.

For instance do I need to delete all containers first ?

I see from the docker documentation I will need to re-pull all images but is there an order I need to do things?

Here’s my starter for 10 if anyone wanted to correct…

  1. Shutdown and delete all containers (keep volumes intact)
  2. Delete all images
  3. Enable User Namespace isolation (restart docker)
  4. Recreate all docker volumes
  5. Move docker volume data from previous location (ensure permissions are correct)
  6. Recreate all containers

Its a good idea to start from a clean state.
If you dont, when you enable namespace your docker installation would appear empty (no images/containers/volumes…)
and thats because docker would now look in the namespace you created, instead of the default one.

So its a good idea to stop all containers and do a: docker system prune -a (which will clear everything!!) before going to namespaces.

But it dosnt really matter if you have the disk space for it, because if you want to revert back from namespace, you will see all your old stuff there instead

1 Like

So having done some initial work on this I noticed the following.
Some of containers I’m running require privileged access (require host network, monitoring host etc.).

I’m exempting these from user namespace isolation using “–userns=host”.

More of an operational question but… as I’ll be running some containers outside user namespace isolation is it still worth implementing this and going with the overhead?