previously downloaded images disappear when user namespaces is enabled in Docker 1.10


Adi

Apr 1, 2016, 4:16:06 AM
to docker-dev

Folks,


Until Docker 1.9, the user inside the container is root; more specifically uid = 0, gid = 0. If a breakout occurs, the container user is root on the host system. This was a major security hole, which was addressed by providing support for user-namespaces in the latest Docker 1.10 release.

In 1.10, when I explicitly enable userns-remap in /etc/systemd/system/docker.service, like so:


ExecStart=/usr/bin/docker daemon --userns-remap=default -H fd://


followed by:

systemctl daemon-reload ; systemctl restart docker

User namespaces work as expected (which is awesome!!), but all my previously downloaded Docker images are no longer visible on the host. They are not deleted; they just become invisible, so I need to download new images from Docker Hub. This behavior is quite puzzling.

I've tried this on multiple machines, and it seems to be a consistent problem. Once I disable user namespaces and restart the Docker daemon, the original images reappear. Also, it is not "pilot error"; other folks have also seen it happen, and consider it an issue/bug for enabling user namespaces in a production environment:

http://raesene.github.io/blog/2016/02/04/Docker-User-Namespaces/

Is this by design? If so, I would appreciate it if someone could explain the rationale behind this.
If not, then by when can we hope to get a fix?

Thanks,
Adi

Phil Estes

Apr 1, 2016, 10:37:59 AM
to Adi, docker-dev
Hi there,
This segregation of image & layer content, separated by user/group mapping, is required because of file ownership within these image layers. If we tried to use the same layers in a remapped-range environment it would nearly operate as a read-only environment, or worse, given that the UIDs/GIDs used within your user-namespaced process would have no write access to most directories and probably no read access to many either, due to the permission bits in the original content.

So, instead of trying to do all kinds of funny "chown" tricks on use of the content (which would then need to be "chowned" back later in case you then run your daemon with different mappings or with user namespaces off), we basically create a new "root" cache that is empty when you start with a specific uid/gid mapping. As you pull content it acts the same as any daemon, and it will be there for use when that mapping is enabled. If you restart your daemon with user namespaces disabled, then all the prior content is there, as you noted.

These details are also explained in my blog post on the topic: https://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/ as well as in the official documentation on user namespaces: https://docs.docker.com/engine/reference/commandline/daemon/#daemon-user-namespace-options

Thanks,
Phil

