Hacker News new | ask | show | jobs
by TheDong 3530 days ago
He said "but your containers are not running as root".

That is objectively false.

uid = 0 is "privileged" basically everywhere in the kernel, from filesystem management (reading a file bindmounted in that's owned by root e.g.) to binding to low ports (like 80).
1 comments
fapjacks 3530 days ago
Whatever dude. You keep spreading your FUD. You clearly do not understand what Docker is and what Docker does.
link
TheDong 3529 days ago
Why does anyone care about usernamespacing then? https://docs.docker.com/engine/reference/commandline/dockerd...

As you can see from the docs, it says "the most important security improvement is that, by default, container processes running as the root user will have expected administrative privilege (with some restrictions) inside the container but will effectively be mapped to an unprivileged uid on the host."

This implies the reverse, that if you don't use userns then your process as root in the container will be mapped to a privilege uid on the host.

This is all I'm saying is true. You clearly don't understand what I'm saying.

link