Containers isolation by namespace

This page gives the additional steps required to isolate containers with Linux user namespaces.

  1. Ensure that Docker and Cyberwatch are installed.

  2. Create user cyberwatch:

    sudo useradd --create-home --shell /bin/bash cyberwatch
    
  3. Edit file /etc/subuid:

    cyberwatch:231072:65536
    cyberwatch:1001:1
    

    The first line defines the mapping of user ids in a user namespace. This line is generally added automatically by the system when creating the user, but some systems do not add it (some versions of CentOS, for example).

    For example, cyberwatch:231072:65536 means that user cyberwatch may use 65536 user ids starting at id 231072.

    The cyberwatch:1001:1 line allows files created by root to be owned by the user with id 1001 (replace 1001 with the uid of the cyberwatch user, as shown by `id -u cyberwatch`).

  4. Edit file /etc/subgid:

    cyberwatch:231072:65536
    cyberwatch:1001:1
    
  5. Restart the server:

    sudo reboot
    
  6. Configure docker to enable the userns-remap option:

    sudo tee /etc/docker/daemon.json > /dev/null <<EOL
    {
      "userns-remap": "cyberwatch"
    }
    EOL

    If /etc/docker/daemon.json already exists, add the "userns-remap" key to the existing JSON object instead of overwriting or appending to the file: a file containing two top-level JSON objects is invalid and Docker will refuse to start.
    
  7. Restart docker:

    sudo systemctl restart docker
    

Troubleshooting

The problems that can arise from activating userns-remap are usually related to the ownership of files on volumes: a process inside the container runs under a remapped host uid, so files on the host must be owned by that remapped uid. Checking the logs of the database container is a quick way to confirm or rule out a permissions issue:

sudo cyberwatch logs db
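The following helper, added here as an example and not part of the Cyberwatch documentation or the Cyberwatch tooling, ties the steps above together: it checks that /etc/subuid and /etc/subgid contain the two expected ranges, merges the "userns-remap" key into daemon.json without clobbering existing keys, and computes which host uid a given container uid maps to, which is the owner you should expect on volume files when troubleshooting. The user name, the id values and the sample file contents are taken from the page or constructed for illustration; the file paths are parameters so the script can be run against copies.

```python
"""Check a Docker userns-remap setup (added example, not Cyberwatch code).

The sample /etc/subuid content and the temporary daemon.json used in the
demo at the bottom are constructed for illustration.
"""
import json
import os
import tempfile

SUBID_START = 231072   # first host id of the remapped range (from the page)
SUBID_COUNT = 65536    # number of ids in that range (from the page)


def parse_subid(text, user):
    """Return the (start, count) ranges for `user` from /etc/subuid or
    /etc/subgid style text, in file order. Order matters: the kernel hands
    container id 0 to the first range, then continues into the next."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def expected_subid_lines(user, host_uid, start=SUBID_START, count=SUBID_COUNT):
    """The two lines the procedure adds to /etc/subuid and /etc/subgid."""
    return [f"{user}:{start}:{count}", f"{user}:{host_uid}:1"]


def check_subid(text, user, host_uid, start=SUBID_START, count=SUBID_COUNT):
    """True when both expected ranges are present and in the expected order."""
    return parse_subid(text, user)[:2] == [(start, count), (host_uid, 1)]


def container_id_to_host(ranges, container_id):
    """Map a uid/gid seen inside the container to the host uid/gid by walking
    the ranges in order. Raises ValueError for an id outside every range."""
    offset = 0
    for start, count in ranges:
        if offset <= container_id < offset + count:
            return start + (container_id - offset)
        offset += count
    raise ValueError(f"container id {container_id} is not mapped")


def merge_userns_remap(path, user):
    """Create or update daemon.json while keeping any keys already present.
    Appending a second JSON object (cat >> daemon.json) would leave the file
    unparseable and Docker would refuse to start."""
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            raw = fh.read().strip()
        if raw:
            config = json.loads(raw)
    config["userns-remap"] = user
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    return config


if __name__ == "__main__":
    # Constructed sample /etc/subuid content matching the page.
    sample = "cyberwatch:231072:65536\ncyberwatch:1001:1\n"
    print("subuid ok:", check_subid(sample, "cyberwatch", 1001))
    ranges = parse_subid(sample, "cyberwatch")
    # A database process running as uid 999 inside the container writes its
    # volume files as this host uid; that is the owner to expect on the host.
    print("container uid 999 -> host uid", container_id_to_host(ranges, 999))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "daemon.json")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('{"log-driver": "json-file"}')   # pre-existing setting
        print(merge_userns_remap(path, "cyberwatch"))
```

To use it on a real host, read /etc/subuid and /etc/subgid into `check_subid` with the uid from `id -u cyberwatch`, and compare the host uid returned by `container_id_to_host` for the database process's uid against the owner shown by `ls -ln` on the volume directory; a mismatch there is the usual cause of the permission errors mentioned above.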