Container isolation by user namespace

This page gives the additional steps required to isolate Cyberwatch containers with Linux user namespaces (the Docker userns-remap option). With this option enabled, root inside a container is mapped to an unprivileged user id on the host, so a process that escapes the container does not hold host root privileges.
Ensure that Docker and Cyberwatch are installed
Create the cyberwatch user:

sudo useradd --create-home --shell /bin/bash cyberwatch
Edit /etc/subuid and add the following two lines:

cyberwatch:231072:65536
cyberwatch:1001:1

The first line defines the range of subordinate user ids that the cyberwatch user may use inside a user namespace. It is usually added automatically by the system when the user is created, but some systems do not do it (some versions of CentOS, for example), so check that it is present. cyberwatch:231072:65536 means that user cyberwatch can use 65536 user ids starting at id 231072: Docker maps container uid 0 (root) onto host uid 231072, container uid 1 onto host uid 231073, and so on.

The second line, cyberwatch:1001:1, adds a single extra id, the uid of the cyberwatch user itself, to the mapping. Docker appends it after the first range, so one container uid is mapped onto the host cyberwatch user, and files written through that uid to a bind-mounted volume are owned by cyberwatch on the host. Replace 1001 with the actual uid of the cyberwatch user (id -u cyberwatch).

Edit /etc/subgid and add the same two lines for group ids (replace 1001 with the gid of the cyberwatch group, id -g cyberwatch):

cyberwatch:231072:65536
cyberwatch:1001:1
Restart the server:
sudo reboot
Configure Docker to enable the userns-remap option. If /etc/docker/daemon.json does not exist yet, create it:

sudo tee /etc/docker/daemon.json <<EOL
{
  "userns-remap": "cyberwatch"
}
EOL

If the file already exists, add the "userns-remap": "cyberwatch" key to the existing JSON object instead. Appending a second object to the file (for example with cat >>) produces invalid JSON and the Docker daemon will refuse to start.

Restart Docker:

sudo systemctl restart docker
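The following script is an added example, not part of the Cyberwatch documentation. It reproduces how Docker turns the subordinate id ranges of the remap user into the container-to-host id mapping (ranges are taken in file order and concatenated), which is the point the two /etc/subuid lines above rely on, and it guards the daemon.json step against the append pitfall. The mapping file and daemon.json paths are passed in as parameters so it can be run against copies rather than the live /etc files; the sample subuid content is constructed here to mirror the lines the page adds.

```shell
#!/bin/sh
# Added example (not Cyberwatch's code): compute the Docker userns-remap id
# mapping from subordinate id ranges, and write daemon.json safely.

# Print the "start:count" ranges assigned to USER in FILE, in file order.
subid_ranges() {
    file=$1; user=$2
    awk -F: -v u="$user" '$1 == u && NF == 3 { print $2 ":" $3 }' "$file"
}

# Translate a container id into the host id Docker maps it to.
# Ranges are concatenated: container id 0 is the start of the first range,
# and each following range begins where the previous one ended.
# Prints the host id, or "unmapped" (exit 1) when no range covers it.
container_to_host() {
    file=$1; user=$2; cid=$3
    offset=0
    for range in $(subid_ranges "$file" "$user"); do
        start=${range%%:*}; count=${range##*:}
        if [ "$cid" -ge "$offset" ] && [ "$cid" -lt $((offset + count)) ]; then
            echo $((start + cid - offset))
            return 0
        fi
        offset=$((offset + count))
    done
    echo unmapped
    return 1
}

# Reverse lookup: which container id does a host id correspond to?
# Useful to confirm that the remap user's own uid (the second subuid line)
# is reachable from inside the container at all.
host_to_container() {
    file=$1; user=$2; hid=$3
    offset=0
    for range in $(subid_ranges "$file" "$user"); do
        start=${range%%:*}; count=${range##*:}
        if [ "$hid" -ge "$start" ] && [ "$hid" -lt $((start + count)) ]; then
            echo $((offset + hid - start))
            return 0
        fi
        offset=$((offset + count))
    done
    echo unmapped
    return 1
}

# Create daemon.json with userns-remap only when no file exists yet.
# Appending to an existing daemon.json (as `cat >>` would) yields invalid
# JSON and dockerd refuses to start, so an existing file is reported instead.
write_userns_remap() {
    file=$1; user=$2
    if [ -e "$file" ]; then
        if grep -q '"userns-remap"' "$file"; then
            echo already-configured
        else
            echo merge-manually
        fi
        return 0
    fi
    printf '{\n  "userns-remap": "%s"\n}\n' "$user" > "$file"
    echo written
}

# Constructed sample mirroring the two lines the page adds to /etc/subuid.
SAMPLE_SUBUID=$(mktemp)
trap 'rm -f "$SAMPLE_SUBUID"' EXIT
printf 'cyberwatch:231072:65536\ncyberwatch:1001:1\n' > "$SAMPLE_SUBUID"

# Demonstration: container root is NOT host uid 1001; it is 231072.
# Host uid 1001 is reached only by container uid 65536.
echo "container uid 0     -> host uid $(container_to_host "$SAMPLE_SUBUID" cyberwatch 0)"
echo "container uid 65536 -> host uid $(container_to_host "$SAMPLE_SUBUID" cyberwatch 65536)"
echo "host uid 1001       -> container uid $(host_to_container "$SAMPLE_SUBUID" cyberwatch 1001)"
```

Run it against the live files with `container_to_host /etc/subuid cyberwatch 0` to see which host uid container root becomes on a given machine; if `host_to_container /etc/subuid cyberwatch "$(id -u cyberwatch)"` prints `unmapped`, the second subuid line is missing or carries the wrong uid.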
Troubleshooting

Problems that arise after activating userns-remap are usually related to permissions on volumes: root inside a container is now an unprivileged host uid, so files on volumes that are owned by host root or by another host uid may no longer be readable or writable from the container. Check the logs of the database container to rule out a permissions issue:

sudo cyberwatch logs db