How to create docker containers with exclusive access to a non-root user

ISSUE:

With a standard installation of Docker Engine, the docker daemon runs as root. For a non-root user to talk to that daemon and run docker commands, the user must be added to the 'docker' group that the installation creates. Membership of that group is effectively root access: anyone who can talk to the daemon can, for example, start a container that bind-mounts the host's root filesystem.

Processes inside a container run as root unless the image or the run command says otherwise, and without user namespaces that root is UID 0 on the host as well. This is the real exposure: a compromised process that manages to break out of the container arrives on the host as root.

Moreover, if several non-root users are put in the 'docker' group to manage their own containers, they all share one daemon and therefore see and control every Docker object on the system. Each user can stop or start the others' containers, exec into them, and read, modify or delete anything in their filesystems.

Docker's user namespace remapping (the --userns-remap daemon option) addresses the first problem. The daemon itself still runs as root, but UID 0 inside a container is mapped to an unprivileged subordinate UID on the host, so a process that escapes the container does not hold host root. The second problem is addressed below by running a separate, remapped daemon with its own socket for each user, and by using sudo to restrict each user to their own daemon. The following listing provides the steps:

HOW TO STEPS:

The example below creates a group named 'dgrp' and a user named 'alice', then adds a systemd template unit that starts one docker daemon per user. root starts the daemon instance for 'alice'; alice then reaches only that instance, through a sudo rule and a small wrapper script.

# Create a group
$ groupadd dgrp

# Create a user
$ useradd -m -d /home/alice -g dgrp alice

# Change the password of that user
$ passwd alice

####################################################################################
# Make sure alice is listed in the dgrp entry of /etc/group
# useradd -g records the primary group in /etc/passwd, not in /etc/group, so the
# dgrp line is usually present but has an empty member list; append the user name.
# The gid (1000 below) is whatever groupadd assigned; check it with: getent group dgrp
dgrp:x:1000:alice
####################################################################################

####################################################################################
# User namespaces: subordinate ID ranges
# Create /etc/subuid and /etc/subgid if they do not exist already. dockerd reads
# the ranges for the remap user from /etc/subuid and for the remap group from
# /etc/subgid, sorts them by starting host ID (here the same as file order) and
# stacks them: the first range covers container UID/GID 0, the next continues
# from there. With the entries below, container root becomes alice:dgrp on the
# host (so files written by containers are owned by alice) and container IDs
# 1..65536 become host IDs 100000..165535.
# The 1000 is alice's UID and dgrp's GID (check with: id alice); the 100000
# range must not overlap any other user's subordinate range.
# /etc/subuid
alice:1000:1
alice:100000:65536
# /etc/subgid
dgrp:1000:1
dgrp:100000:65536
####################################################################################
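As an added example, not part of the original article, the following shell snippet works out what the subordinate ranges above mean for a container: which host ID each container ID lands on, and which container IDs are left unmapped. The subuid contents are embedded as a constructed sample (the article's entries plus a second user) rather than read from /etc/subuid, and the comment at the end shows how to confirm the same mapping on the live daemon.

```shell
#!/bin/sh
# Added example (not from the original article): compute the host ID that a
# container ID maps to under dockerd's --userns-remap, from /etc/subuid-style
# entries, and look up IDs in a /proc/<pid>/uid_map-style table. The same
# functions work for /etc/subgid and gid_map.

# subid_to_map NAME: read "name:start:count" lines on stdin and print, for NAME,
# one "inside outside count" line per range, which is exactly the layout the
# kernel shows in /proc/<pid>/uid_map. Ranges are sorted by their start ID and
# stacked: the first starts at container ID 0, each next one continues where the
# previous ended.
subid_to_map() {
    awk -F: -v name="$1" '$1 == name' \
    | sort -t: -k2,2n \
    | awk -F: 'BEGIN { inside = 0 } { print inside, $2, $3; inside += $3 }'
}

# map_lookup ID: read "inside outside count" lines on stdin and print the host
# (outside) ID for container (inside) ID, or "unmapped" if no range covers it.
# An unmapped ID is what appears as 65534 ("nobody") inside the container.
map_lookup() {
    awk -v id="$1" '
        id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { if (!found) print "unmapped" }
    '
}

# Constructed sample of /etc/subuid (the article's entries plus a second user
# with a non-overlapping range); not read from the real file.
SAMPLE_SUBUID='alice:1000:1
alice:100000:65536
bob:200000:65536'

# host_id_for USER CONTAINER_ID: host ID for CONTAINER_ID in USER's remapped daemon.
host_id_for() {
    printf '%s\n' "$SAMPLE_SUBUID" | subid_to_map "$1" | map_lookup "$2"
}

host_id_for alice 0        # 1000     container root is alice on the host
host_id_for alice 1        # 100000
host_id_for alice 65536    # 165535   last mapped ID
host_id_for alice 65537    # unmapped
host_id_for bob 0          # 200000   bob's containers never touch alice's IDs

# On a live host the same table comes straight from the kernel:
#   docker -H unix:///var/run/docker-alice.sock run --rm alpine cat /proc/self/uid_map
# expected: "0 1000 1" and "1 100000 65536". A single line "0 0 4294967295"
# means no remapping is in effect and container root is host root.
```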

####################################################################################
# Make a sudoers entry
$ visudo
# (visudo checks the syntax before saving; do not edit /etc/sudoers directly)

# Add the following line at the end. sudo matches the command's arguments as one
# space-separated string against each pattern, and the last matching entry in
# the list wins, so the rule reads: alice may run /usr/bin/docker as root without
# a password, but only against her own socket, and not if the command line
# contains "--privileged" or "host" (which covers --network host, --pid host,
# --ipc host and --userns host).
alice ALL=(root) NOPASSWD: /usr/bin/docker -H unix\:///var/run/docker-alice.sock *, ! /usr/bin/docker *--privileged*, ! /usr/bin/docker *host*
# Caveats: this is a deny-list. Options it does not name (bind mounts such as
# -v /:/mnt, --cap-add, --device, --security-opt) stay permitted, and it is the
# user-namespace remapping that limits what they can do; a misspelled pattern
# (for example "priviledged") silently matches nothing; and "*host*" also
# refuses any image or container whose name merely contains "host". Verify the
# rule as alice with (exit status 1 means denied):
#   sudo -l /usr/bin/docker -H unix:///var/run/docker-alice.sock run --privileged alpine
####################################################################################
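To see what that rule actually permits before relying on it, here is an added check (not from the original article) that models sudoers matching the way the sudoers manual describes it: the arguments are joined with spaces and compared with each pattern using shell-style globbing, which is the same matching the shell's case statement does, and the last matching entry in the list decides. The probe command lines are constructed; the real authority remains sudo -l on the host.

```shell
#!/bin/sh
# Added example: a model of the sudoers rule above, used to probe what it
# allows. This is not sudo; it reproduces the documented matching rules
# (arguments joined by single spaces, shell-style globs, last match wins)
# with the shell's own case globbing, so it is only as good as that model.

# glob_match STRING PATTERN: true if STRING matches the glob PATTERN.
glob_match() {
    case "$1" in
        $2) return 0 ;;
    esac
    return 1
}

# verdict DENY_PRIVILEGED_PATTERN ARG...: prints "allow" or "deny" for running
# /usr/bin/docker ARG... under the rule
#   /usr/bin/docker -H unix:///var/run/docker-alice.sock *,
#   ! /usr/bin/docker DENY_PRIVILEGED_PATTERN, ! /usr/bin/docker *host*
# The --privileged pattern is a parameter so the effect of a typo can be shown.
verdict() {
    deny_priv=$1
    shift
    args="$*"
    # The negated entries come last in the list, so if either matches it wins.
    if glob_match "$args" "$deny_priv" || glob_match "$args" '*host*'; then
        echo deny
        return
    fi
    if glob_match "$args" '-H unix:///var/run/docker-alice.sock *'; then
        echo allow
    else
        echo deny
    fi
}

SOCK=unix:///var/run/docker-alice.sock
GOOD='*--privileged*'      # the intended pattern
TYPO='*--priviledged*'     # one letter wrong: matches nothing real

verdict "$GOOD" -H "$SOCK" ps                              # allow
verdict "$GOOD" -H unix:///var/run/docker-bob.sock ps      # deny: not alice's socket
verdict "$GOOD" -H "$SOCK" run --network host alpine       # deny: contains "host"
verdict "$GOOD" -H "$SOCK" run --privileged alpine         # deny
verdict "$TYPO" -H "$SOCK" run --privileged alpine         # allow: the typo disabled the check
verdict "$GOOD" -H "$SOCK" run -v /:/mnt alpine            # allow: bind mounts are not on the deny-list
verdict "$GOOD" -H "$SOCK" run --name ghost alpine         # deny: "ghost" contains "host"

# On the real host, as alice (exit status 1 means denied):
#   sudo -l /usr/bin/docker -H unix:///var/run/docker-alice.sock run --privileged alpine
```

The -v /:/mnt line is the one to take seriously: the rule never forbids bind mounts, so only the subordinate-ID remapping stands between a user and host-root-owned files, and that is exactly why the daemon must be started with --userns-remap and not merely on a private socket.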

####################################################################################
# Add the systemd template unit "/usr/lib/systemd/system/docker@.service" (the "@"
# makes it a template: "docker@alice" starts an instance with %i = alice) with the
# following contents:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target containerd.socket containerd.service lvm2-monitor.service SuSEfirewall2.service
Requires=containerd.socket containerd.service

[Service]
EnvironmentFile=/etc/sysconfig/docker

# While Docker has support for socket activation (-H fd://), this is not
# enabled by default because enabling socket activation means that on boot your
# containers won't start until someone tries to administer the Docker daemon.
# The three lines containing "%i" are the additions that make this a per-user
# daemon: with %i = alice it remaps container IDs to alice:dgrp, listens only on
# /var/run/docker-alice.sock and keeps its own pid file. If several instances are
# to run at the same time, Docker's dockerd reference also requires each daemon
# to get its own --bridge, --exec-root and --data-root (a remapped daemon already
# keeps its data in a per-remap subdirectory under /var/lib/docker, but the
# exec root and the docker0 bridge are still shared as written here).
ExecStart=/usr/bin/dockerd \
--containerd /run/containerd/containerd.sock \
--add-runtime oci=/usr/sbin/docker-runc \
--userns-remap="%i:dgrp" \
--host unix:///var/run/docker-%i.sock \
--pidfile /var/run/docker-%i.pid \
$DOCKER_NETWORK_OPTIONS \
$DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this property.
TasksMax=infinity

# Set delegate yes so that systemd does not reset the cgroups of docker containers
# Only systemd 218 and above support this property.
Delegate=yes

# This is not necessary because of how we set up containerd.
#KillMode=process

[Install]
WantedBy=multi-user.target
####################################################################################

####################################################################################
# Add a wrapper docker command in following shell script file

###/home/alice/bin/docker
#!/bin/sh
sudo docker -H unix:///var/run/docker-$(whoami).sock "$@"

## Give execute permission to this file
$ chmod +x /home/alice/bin/docker
####################################################################################

# Start the user-specific docker daemon, and enable it so it starts at boot
$ systemctl start docker@alice
$ systemctl enable docker@alice
# (or: service docker@alice start)

# Log in to the machine as user 'alice' and start using the docker commands.
# "docker info" should list userns under Security Options, and
# "docker run --rm alpine cat /proc/self/uid_map" should show the remapped ranges
# rather than a single "0 0 4294967295" line.

The unit above is a copy of the default docker unit file shipped with SLES12 SP3 (/usr/lib/systemd/system/docker) with the "%i" lines added. The stock unit differs between distributions (containerd and runtime paths, the SuSEfirewall2 dependency, the sysconfig EnvironmentFile), so start from your own distribution's docker unit rather than pasting this one verbatim.

Source: Micro Focus Community Tips & Information page (content on these pages is not officially supported by Micro Focus). Last update: 2019-07-26 10:47