Configure Docker to run with User Namespaces

[miradam]

This is feature request.

There are various attacks possible on Docker and K8s environments. One such category of attacks is related to Linux kernel resource sharing scheme and namespaces.
User Namespaces greatly improve Docker and K8s deployment security mapping 'host' PID to a different 'container' PID. In other words when User Namespaces are in play process PIDs executed within Docker runtime never overlap with Linux host PIDs providing expected separation.
More information:
https://success.docker.com/Datacenter/Apply/Introduction_to_User_Namespaces_in_Docker_Engine

Enabling user namespaces on Ubuntu 16.04:

• Create PID mapping:
  adduser dockremap
  echo dockremap:500000:65536 > /etc/subuid
  echo dockremap:500000:65536 > /etc/subgid

• Override default Docker startup options:
  cat << 'EOF' >> /etc/systemd/system/docker.service.d/userns-remap.conf
  [Service]
  ExecStart=
  ExecStart=/usr/bin/dockerd --userns-remap=default -H fd:// $DOCKER_OPTS
  EOF

• Restart Docker daemon:
  systemctl restart docker.service

• Verify that mapping is being applied:
  ps xauw | grep dockerd

Environment:
Ubuntu 16.04

[bogdando]

Good point. We have kubelet and network plugins containers running under the root, so those must be as well reworked to use host usernamespace to be remapped from the host's root.
@holser JFYI ^^ and thanks for that idea!

[The-Loeki]

This unfortunately is still broken: kubernetes/kubernetes#33508

Apparently there's a feature req going on here: kubernetes/enhancements#127

[adelton]

@miradam, you might want to change the 'PID' occurrences in your description to 'UID'. ;-)

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.