Docker Namespace and Cgroups

Kasun Rathnayaka
Feb 18, 2018 · 4 min read

Namespaces are one of a feature in the Linux Kernel and fundamental aspect of containers on Linux.On the other hand namespaces provide a layer of isolation.Docker uses namespaces of various kinds to provide the isolation that containers need in order to remain portable and refrain from affecting the remainder of the host system.Each aspect of a container runs in a separate namespace and its access is limited to that namespace.

Namespace Types:

  1. Process ID
  2. Mount
  3. IPC (Inter process communication)
  4. User (currently experimental support for)
  5. Network

In my knowledge most effective way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The mapped user is assigned a range of UIDs (0- 65536),but have no privileges on the host machine itself.

when we run docker with root use that easy for install packages and manage container .Unfortunately the issue is with in docker container users can access underline host machine as below.That’s big risk …

# Run a container and mount host /etc onto /root/etc
$ docker run --rm -v /etc:/root/etc -it ubuntu
# Make some change on /root/etc/hosts
root@29373h1f1332:/# vi /root/etc/hosts
# Exit from the container
root@29373h1f1332:/# exit
# Check /etc/hosts and try to delete it
$ cat /etc/hosts
$ rm /etc/hosts

As you can see, it is surprizingly easy, and it’s obvious that Docker wasn’t designed for shared computers. But now, with the User Namespaces, Docker lets you avoid this problem.

Enabling User Namespaces

Mainly Namespace Remapping manage two files:

  1. /etc/subuid
  2. /etc/subgid

You can follow below example to understand how to setup namespace in docker environment.

# Create a user called "dockremap"
$ sudo adduser dockremapper
# Setup subuid and subgid
$ sudo sh -c 'echo dockremap:400000:65536 > /etc/subuid'
$ sudo sh -c 'echo dockremap:400000:65536 > /etc/subgid'
$ kasunr@kasunr-desktop:~$ vim /etc/docker/daemon.json {
"userns-remap": "dockremap"
}

And restart Docker:

$ sudo /etc/init.d/docker restart

Then you could see new docker containers couldn't have permission to the host machine /etc/

# Run a container and mount host1's /etc onto /root/etc
root@kasunr-desktop:# docker run --rm -v /etc:/root/etc -it ubuntu
# try to delete host machine files
$ root@88373h1f1332:/# rm /root/etc/hosts
rm: cannot remove 'hosts': Permission denied

check the permission and file hierarchic new docker setup

root@kasunr-desktop:/var/lib/docker/400000.400000# cd ../
root@kasunr-desktop:/var/lib/docker# ls /var/lib/docker/400000.400000/
aufs builder containerd containers image network plugins runtimes swarm tmp trust volumes
root@kasunr-desktop:/var/lib/docker# ls /var/lib/docker/400000.400000/ -l
total 48
drwx------ 5 400000 400000 4096 Feb 16 12:09 aufs
drwx------ 2 root root 4096 Feb 16 12:09 builder
drwx--x--x 3 root root 4096 Feb 16 12:09 containerd
drwx------ 3 400000 400000 4096 Feb 16 15:06 containers
drwx------ 3 root root 4096 Feb 16 12:09 image
drwxr-x--- 3 root root 4096 Feb 16 12:09 network
drwx------ 4 root root 4096 Feb 16 12:09 plugins
drwx------ 2 root root 4096 Feb 16 12:09 runtimes
drwx------ 2 root root 4096 Feb 16 12:09 swarm
drwx------ 2 400000 400000 4096 Feb 16 12:10 tmp
drwx------ 2 root root 4096 Feb 16 12:09 trust
drwx------ 2 400000 400000 4096 Feb 16 12:09 volumes

To disable user namespaces for a specific container, add the --userns=host flag to the docker container create, docker container run, or docker container exec command.

More about linux namespace : https://www.linux.com/news/understanding-and-securing-linux-namespaces

Cgroups provide resource limitation and reporting capability within the container space.They allow granular control over what host resources are allocated to the containers and when they are allocated.

Common control groups

  1. CPU
  2. Memory
  3. Network Bandwidth
  4. Disk
  5. Priority

we could have lot of flexibility manage every cgroup according to our requirements.

Note : More information: Cgroups

For example you could see systemd-cgls and systemd-cgtop commands show how cgroup working on the underline host server.

kasunr@~:# $ systemd-cgls

Control group list

Using these cgroup policies is very simple. If you for instance want to lock down a Docker container to the first CPU core, you’d append --cpuset-cpus=0 to your docker run command.And also you could setup the cpu shares which you required.

$ docker run -d --name='kasun_priority_1' --cpuset-cpus=0 --cpu-shares=20 kasuntest1

$ docker run -d --name='kasun_priority_2' --cpuset-cpus=2 --cpu-shares=30 kasuntest2

And we could use below command to change running container CPU shards.

sudo systemctl set-property docker-7d7ds9s7dhdsda044b29cb873cac460b429cfcbdd0e877c0868eb2a901dbf80.scope CPUShares=512

In Summery Namespace give the isolation for the container with underline host where Cgroup give the ability to allocate things to that containers.In my point of view , we would get some understanding and practical experience with namespace and Cgroups in the blog.I will share my more experience with next post !.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade