One of the new security features in docker 1.10.x is user namespaces. This enables container processes to run as the ‘root’ user (from the perspective of the container), but that user is mapped to a different (and by default un-privileged) account on the host. Clearly this is an important security mitigation and one which we would like to configure.
However, some containers, and amongst them the Rancher Network Agent, run as a privileged container. It appears to be possible to continue to run such containers in that mode using --userns=host for docker ‘run’, but my question is this: given that this container is deployed automatically by Rancher and (at present) the --userns-remap=xxx is a daemon level setting, can Rancher Labs confirm (or otherwise) that using user namespaces is supported?
Also, there are other limitations to using user namespaces (see: https://docs.docker.com/engine/reference/commandline/daemon/#daemon-user-namespace-options); are any of these likely to be problematic in a Rancher environment?
Kind Regards
Fraser.
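As an added example (not part of the post above, and not Rancher's or Docker's own code), the shell script below shows the two settings the post discusses side by side, the daemon-wide `userns-remap` and the per-container `--userns=host` opt-out, and then does the check a practitioner actually wants: reading `/proc/1/uid_map` from inside a container to confirm whether its root is really remapped. The docker invocations are left as comments because they need a daemon; the uid_map contents fed to the parsing functions are constructed sample data, and the `165536`/`65536` range is an assumed subordinate-id allocation, not a value taken from the post.

```shell
#!/bin/sh
# Added example: verify user-namespace remapping from the uid_map of a container.
# Not code from the original post or from Rancher/Docker.
set -eu

# Daemon-level setting (the --userns-remap the post refers to) as it would be written
# in /etc/docker/daemon.json. "default" makes Docker create the dockremap user and take
# its range from /etc/subuid and /etc/subgid.
DAEMON_JSON='{
  "userns-remap": "default"
}'

# Per-container opt-out for privileged agents: --userns=host keeps the host namespace.
#   docker run --rm --privileged --userns=host alpine cat /proc/1/uid_map
# A normally remapped container prints a line such as (constructed values):
#   0     165536      65536
# i.e. container uid 0 .. 65535 lands on host uid 165536 .. 231071.

# True when the first uid_map line maps container uid 0 onto a non-zero host uid,
# i.e. root inside the container is not root on the host.
userns_is_remapped() {
    # $1: contents of /proc/<pid>/uid_map (fields: inside, outside, count)
    set -- $1
    [ "${1:-}" = "0" ] && [ "${2:-0}" != "0" ]
}

# Print the host uid that container uid $2 maps to under uid_map $1; fail (status 1)
# when the uid falls outside every mapped range, which is how an unmapped id shows up.
host_uid_for() {
    printf '%s\n' "$1" | {
        while read -r inside outside count; do
            [ -n "$inside" ] || continue
            if [ "$2" -ge "$inside" ] && [ "$2" -lt $((inside + count)) ]; then
                echo $((outside + $2 - inside))
                exit 0
            fi
        done
        exit 1
    }
}

# Constructed sample maps: a remapped container and one started with --userns=host.
REMAPPED_MAP='         0     165536      65536'
HOST_MAP='         0          0 4294967295'

if [ "${1:-}" = "--demo" ]; then
    printf 'daemon.json to enable remapping:\n%s\n' "$DAEMON_JSON"
    if userns_is_remapped "$REMAPPED_MAP"; then
        echo "remapped container: root -> host uid $(host_uid_for "$REMAPPED_MAP" 0)"
    fi
    if ! userns_is_remapped "$HOST_MAP"; then
        echo "--userns=host container: root is real host root"
    fi
fi
```

Run it with `--demo` to see both cases; on a real host, substitute `docker exec <id> cat /proc/1/uid_map` output for the sample maps. The second line of the `--userns=host` output (`0 0 4294967295`) is the identity mapping, which is exactly what a privileged agent such as the Network Agent keeps when it opts out of the daemon-wide remap.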