
My dockerd (CentOS7: 17.12.0-ce, build c97c6d6) is running with user namespaces enabled for better isolation.

Now I build an image which, for monitoring purposes, is also supposed to read from the kernel's /proc. Thus I tried to mount /proc onto /host/proc in the container

host> docker run --network=host --userns=host --pid=host --privileged -v /proc:/host/proc:ro --name mycontainer  my/container20180204

and bind-mount it during container start-up over the container's proc namespace view

docker> mount -o bind /host/proc /proc

However, even with the user namespace of the host, the container's root process is apparently run within dockerd's user namespace mapping, as the container's root cannot bind-mount /proc

mount: only root can use "--options" option (effective UID is 100000)

Running as a non-privileged user does not work, as it tries to mount it as a real file system (?!?) from the layers

/var/lib/docker/100000.100000/btrfs/subvolumes/${SHA256}/proc" cannot be mounted because it is located inside "/proc": unknown.

So, I fear that the user namespace limitations are for good and not bypassable...? https://docs.docker.com/engine/security/userns-remap/#user-namespace-known-limitations

THX
  • This may be relevant to this question: https://serverfault.com/questions/897299/how-do-i-mount-a-private-proc-inside-a-namespace-inside-a-docker-container/897476#897476 – Omnifarious Apr 17 '19 at 18:03
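A diagnostic that would help pin down the situation described in the question, as an added example (not code from the question, from Docker, or from the linked thread): it classifies a process's user-namespace mapping from the content of /proc/<pid>/uid_map, so one can tell from inside the container whether --userns=host actually took effect. An error like "effective UID is 100000" corresponds to a map line such as "0 100000 65536"; the sample maps below are constructed.

```shell
#!/bin/sh
# Added example: classify a user-namespace uid_map.
# Format of /proc/<pid>/uid_map lines: <start inside ns> <start on host> <count>
# The host's initial namespace is exactly "0 0 4294967295"; any other mapping
# for inside-UID 0 means container root is an unprivileged host UID, which is
# the symptom seen in the question (effective UID 100000).

# Constructed sample maps (not captured from a real system).
SAMPLE_HOST_MAP='         0          0 4294967295'
SAMPLE_REMAP_MAP='         0     100000      65536
     65536     165536      65536'
SAMPLE_NOROOT_MAP='      1000     100000          1'

# classify_uid_map MAP_TEXT
#   prints "host"                -> identity mapping, no remapping in effect
#   prints "remapped:<host-uid>" -> inside-UID 0 is <host-uid> on the host
#   prints "remapped:none"       -> inside-UID 0 is not mapped at all
classify_uid_map() {
    map_text=$1
    # Only the line whose inside-namespace range starts at 0 matters for root.
    root_line=$(printf '%s\n' "$map_text" | awk '$1 == 0 { print; exit }')
    if [ -z "$root_line" ]; then
        echo "remapped:none"
        return 0
    fi
    set -- $root_line          # split into inside / outside / count
    outside=$2
    count=$3
    if [ "$outside" -eq 0 ] && [ "$count" -eq 4294967295 ]; then
        echo "host"
    else
        echo "remapped:$outside"
    fi
}

# classify_self: run the check against the calling process, if /proc is there.
classify_self() {
    if [ -r /proc/self/uid_map ]; then
        classify_uid_map "$(cat /proc/self/uid_map)"
    else
        echo "unknown"
    fi
}

echo "host sample:   $(classify_uid_map "$SAMPLE_HOST_MAP")"
echo "remap sample:  $(classify_uid_map "$SAMPLE_REMAP_MAP")"
echo "noroot sample: $(classify_uid_map "$SAMPLE_NOROOT_MAP")"
echo "this process:  $(classify_self)"
```

Run inside the container started with `--userns=host`: "host" means the flag took effect and a bind mount by root is not being refused because of remapping; "remapped:100000" reproduces the state the error message reports.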

0 Answers