I'm trying to figure out how to achieve true namespacing for each container on my system, and I'm feeling quite frustrated. I read that I could create a separate namespace on the Linux host for each container, change ownership of the bind mounts to match these new namespace user IDs (UIDs) and group IDs (GIDs), and then refer to service users in my YAML files. But after testing this, I didn't see any difference when I included the namespace user in my Docker Compose files, which suggests something's not working as expected.
I want to implement individual namespaces for each container because I'm concerned about security. If a hacker were to break out of a container, I don't want them accessing the bind mounts of other containers. I'm running Docker Engine on Ubuntu with multiple containers and stacks managed through Docker.
Can someone please guide me on how to achieve the kind of isolation I'm looking for? Thanks!
2 Answers
You mentioned wanting to avoid running containers as root, which is a good idea for security. You can achieve this by setting up user namespaces in Docker. This allows you to map the user IDs in your containers to different IDs on the host system, giving you that separation you’re looking for. Just remember, if you want each container totally isolated, you should look into configuring separate Docker daemons or use a tool like Kubernetes for more advanced management.
It sounds like you're asking about Linux namespaces, which are crucial for the way containers work. Just so you know, Docker uses namespaces by default, and you'd actually need to make a special effort to opt out of them. That means each container already runs in its own namespace unless you configure it differently. You might want to double-check your configuration settings to ensure they're correctly set up to isolate each container as intended.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures