[TheDong]

Wrong. Without usernamespacing your containers do run as root. If you type `docker run busybox id` it will print uid=0, and that uid is 0 in the container and out of it.

You are namespaced, so the linux kernel promises that even though you're root, you're not dangerous, and there is syscall filtering and shit going on.... but that historically has not really fared that well!

But your statement is false. You're root with and without privileged. Privileged gives you back CAPABILITIES which are different than USER, so your claim is bullshit.

[tmzt]

Where in the kernel is 0==uid still privileged? Are there still places where the uid is checked instead of caps?

[TheDong]

He said "but your containers are not running as root".

That is objectively false.

uid = 0 is "privileged" basically everywhere in the kernel, from filesystem management (reading a file bindmounted in that's owned by root e.g.) to binding to low ports (like 80).

[fapjacks]

Whatever dude. You keep spreading your FUD. You clearly do not understand what Docker is and what Docker does.

[TheDong]

Why does anyone care about usernamespacing then? https://docs.docker.com/engine/reference/commandline/dockerd...

As you can see from the docs, it says "the most important security improvement is that, by default, container processes running as the root user will have expected administrative privilege (with some restrictions) inside the container but will effectively be mapped to an unprivileged uid on the host."

This implies the reverse, that if you don't use userns then your process as root in the container will be mapped to a privilege uid on the host.

This is all I'm saying is true. You clearly don't understand what I'm saying.