mirror of https://github.com/docker/docs.git
Document side effect on the --userns=host flag (#7537)
* Document side effect on the --userns=host flag, as explained in https://github.com/moby/moby/issues/34064#issuecomment-430985552
* Fixed typos & added reference to binaries with the setuid flag
parent 2b9c509a73, commit f045723263
@ -245,6 +245,10 @@ for some of these limitations.
To disable user namespaces for a specific container, add the `--userns=host`
flag to the `docker container create`, `docker container run`, or `docker container exec` command.
There is a side effect when using this flag: user remapping will not be enabled for that container but, because the read-only (image) layers are shared between containers, ownership of the the containers filesystem will still be remapped.
What this means is that the whole container filesystem will belong to the user specified in the `--userns-remap` daemon config (`231072` in the example above). This can lead to unexpected behavior of programs inside the container. For instance `sudo` (which checks that its binaries belong to user `0`) or binaries with a `setuid` flag.
## User namespace known limitations
The following standard Docker features are incompatible with running a Docker
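Review bot: typo in the first added paragraph: "ownership of the the containers filesystem" should read "ownership of the container's filesystem". In the second added paragraph, "the user specified in the `--userns-remap` daemon config (`231072` in the example above)" conflates two things: `--userns-remap` takes a user (or user:group) name, and `231072` is the first UID of that user's subordinate range from `/etc/subuid`, which is what the remapped files are actually owned by; suggest "the subordinate UID range of the user specified in `--userns-remap` (starting at `231072` in the example above)". The closing sentence "For instance `sudo` (which checks that its binaries belong to user `0`) or binaries with a `setuid` flag." is a fragment with no verb; suggest "For instance, `sudo` refuses to run because its binary is no longer owned by user `0`, and `setuid` binaries switch to the remapped owner instead of root."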