User namespace and the network agent container

One of the new security features in docker 1.10.x is user namespaces. This enables container processes to run as the ‘root’ user (from the perspective of the container), but that user is mapped to a different (and by default un-privileged) account on the host. Clearly this is an important security mitigation and one which we would like to configure.

However, some containers, and amongst them the Rancher Network Agent, run as a privileged container. It appears to be possible to continue to run such containers in that mode using --userns=host for docker ‘run’, but my question is, given that this container is deployed automatically by Rancher and (at present) the --userns-remap=xxx is a daemon level setting, can Rancher Labs confirm (or otherwise) that using user namespaces is supported?

Also, there are other limitations from using user namespaces (see: https://docs.docker.com/engine/reference/commandline/daemon/#daemon-user-namespace-options). Are any of these likely to be problematic in a Rancher environment?

Kind Regards

Fraser.
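As an added illustration of the daemon-level setting Fraser describes (this is example code, not part of his post or anything from Rancher Labs): the `userns-remap` key in `/etc/docker/daemon.json` is the file form of `dockerd --userns-remap=default`, and the kernel exposes the resulting mapping of every process in `/proc/<pid>/uid_map`. The helper below reads such a uid_map and reports whether container uid 0 really lands on a non-zero host uid, which is the quickest way to audit whether a given container (for instance one started with `--userns=host`) is actually benefiting from the remap. The uid_map contents and the 165536 subordinate range are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the forum thread): enabling --userns-remap via the
# daemon config, and checking from inside a container whether the remap is
# in effect. Sample values below are constructed for illustration.

# 1. Daemon-level setting. Equivalent of `dockerd --userns-remap=default`,
#    expressed as /etc/docker/daemon.json content (shown as a string here,
#    nothing is written to disk).
DAEMON_JSON_EXAMPLE='{ "userns-remap": "default" }'

# 2. Inspect a uid_map. Each line of /proc/<pid>/uid_map is
#    "<uid inside ns> <uid outside ns> <count>". A process that is NOT in a
#    remapped user namespace (plain docker, or --userns=host) shows
#    "0 0 4294967295", i.e. container root is host root.
#    Exit status 0 when uid 0 inside maps to a non-zero uid outside.
userns_remapped() {
  uid_map="$1"
  printf '%s\n' "$uid_map" | awk '
    $1 == 0 { found = 1; if ($2 != 0) remapped = 1 }
    END { if (found && remapped) exit 0; else exit 1 }'
}

# Host uid that container uid 0 becomes; prints nothing if uid 0 is unmapped
# (a process with no mapping for 0 cannot be root at all).
host_uid_for_root() {
  printf '%s\n' "$1" | awk '$1 == 0 { print $2; exit }'
}

# Constructed sample uid_map contents (what `cat /proc/self/uid_map` prints).
UID_MAP_HOST='0 0 4294967295'      # default daemon, or container run with --userns=host
UID_MAP_REMAPPED='0 165536 65536'  # typical "dockremap" subordinate range from /etc/subuid

# When run directly, report on the current shell's own namespace.
if [ -r /proc/self/uid_map ]; then
  if userns_remapped "$(cat /proc/self/uid_map)"; then
    echo "this process runs in a remapped user namespace"
  else
    echo "this process runs with host uid mapping (root here is host root)"
  fi
fi
```

Run it with `docker exec <container> sh` on a host configured with `userns-remap` to see which containers are remapped; a privileged container started with `--userns=host` will report the host mapping, which is exactly the case the question is about.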


Hi Fraser - did you ever get any feedback on this issue? I am wondering the same thing.

Hey Dennis,

No, no one from Rancher has come back to me thus far. That said, I will ask again through a more direct route and report back if anything comes of that. We are about to start a security sweep of our entire docker estate so I’m sure this one is going to come up.