First off, if you don't understand any of the shell commands I use, try this website, which explains them piece by piece: https://explainshell.com/

Docker namespace remapping

Explanation

So, I found this article, and it has some pretty decent ideas for hardening docker. I was mainly interested in container (user) namespace remapping, though, as I had seen it on a pentest recently, and it was the only thing between us and owning a major service for the customer.

When I was walking through step 7's instructions, though, I realized that some of them aren't necessary or should be altered, so I'm putting my changes here so I don't forget 🙃️

To start with, when creating the dockremap user there are some extra flags you can add, since this user never needs to log in to your system and doesn't need a home directory (it only exists to own a block of subordinate uids/gids):

sudo adduser dockremap --disabled-{password,login} --no-create-home

NOTE: explainshell won't explain this part: --disabled-{password,login} is bash brace expansion, shorthand that the shell expands to --disabled-password --disabled-login before adduser ever sees it. adduser will still prompt for the GECOS fields (full name, room, etc.); add --gecos '' if you want the command to run without prompting.

I also tried to include the --system flag, but for some reason the docker daemon failed to start when I used it. At first I thought it was because the user didn't have a group as well, but I added the --group flag too and it still didn't work. Oh well... 😔️ I just need my docker back and don't want to debug.

Then, when I was about to run these commands on my rpi:

sudo sh -c 'echo dockremap:400000:65536 > /etc/subuid'
sudo sh -c 'echo dockremap:400000:65536 > /etc/subgid'

I noticed two things:
  1. There is a better way to do it than spawning a whole new shell as root just to get a root-owned redirection.
  2. I actually checked whether those files existed (because > truncates the file if it was already there), and they did... so the article was telling me to clobber existing files that the system may already be using (they hold the subordinate id ranges of every other user, which rootless tools rely on).

So, here are my alterations, which append instead of overwrite:

echo dockremap:400000:65536 | sudo tee -a /etc/subuid
echo dockremap:400000:65536 | sudo tee -a /etc/subgid

Two checks before you do this: make sure 400000-465535 doesn't overlap a range already listed in either file, and make sure dockremap doesn't already have a line there. tee -a is not idempotent, so running this twice leaves dockremap with two ranges, and docker will use them both.

Lastly, once the daemon side is configured ("userns-remap": "dockremap" in /etc/docker/daemon.json), restart it with systemd instead of the init.d script:

sudo systemctl restart docker
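Putting the three steps together, here is an added example (my own script, not code from the original post or from the article it refers to) that does the whole setup idempotently and refuses to clobber anything: it creates dockremap only if the user is missing, appends to /etc/subuid and /etc/subgid with tee -a only if dockremap has no entry yet and the requested range does not overlap an existing one, writes the daemon-side "userns-remap" setting only if daemon.json doesn't already exist, restarts docker with systemctl, and then reports the mapping that actually took effect (the same number you need for the chown in the Misc section below). It assumes a Debian-style adduser, sudo, systemd, and a daemon that reads /etc/docker/daemon.json; the function names, the SUDO variable and the DOCKREMAP_USER/SUBID_* defaults are mine. Only the "apply" argument touches the system, so the helpers can be tried against scratch copies of the files first.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotent dockremap setup.
# Assumes Debian-style adduser, sudo, systemd and /etc/docker/daemon.json.
set -eu

DOCKREMAP_USER=${DOCKREMAP_USER:-dockremap}
SUBID_START=${SUBID_START:-400000}
SUBID_COUNT=${SUBID_COUNT:-65536}
: "${SUDO=sudo}"   # set SUDO="" to run the helpers against scratch files

# subid_overlaps FILE START COUNT
# exit 0 if [START, START+COUNT) overlaps any range already in FILE, else 1.
subid_overlaps() {
  [ -r "$1" ] || return 1
  awk -F: -v s="$2" -v c="$3" '
    BEGIN { s += 0; e = s + c }
    NF >= 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
      rs = $2 + 0; re = rs + $3
      if (rs < e && s < re) { hit = 1; exit }
    }
    END { exit hit ? 0 : 1 }' "$1"
}

# subid_first_range FILE USER: print "START:COUNT" of the FIRST entry for
# USER (the one container id 0 is mapped onto); exit 1 if there is none.
subid_first_range() {
  awk -F: -v u="$2" '$1 == u { print $2 ":" $3; found = 1; exit }
                     END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# subid_add FILE USER START COUNT: append with tee -a (never ">"), unless
# USER already has a range or the new one collides with an existing range.
subid_add() {
  file=$1 user=$2 start=$3 count=$4
  if existing=$(subid_first_range "$file" "$user"); then
    echo "$file: $user already has range $existing, leaving it alone" >&2
    return 0
  fi
  if subid_overlaps "$file" "$start" "$count"; then
    echo "$file: $start:$count overlaps an existing range, refusing" >&2
    return 2
  fi
  printf '%s:%s:%s\n' "$user" "$start" "$count" | $SUDO tee -a "$file" >/dev/null
}

apply_remap() {
  if ! id "$DOCKREMAP_USER" >/dev/null 2>&1; then
    # --gecos '' suppresses the interactive full-name prompt
    $SUDO adduser "$DOCKREMAP_USER" --disabled-password --disabled-login \
      --no-create-home --gecos ''
  fi
  subid_add /etc/subuid "$DOCKREMAP_USER" "$SUBID_START" "$SUBID_COUNT"
  subid_add /etc/subgid "$DOCKREMAP_USER" "$SUBID_START" "$SUBID_COUNT"

  if [ -e /etc/docker/daemon.json ]; then
    echo "daemon.json exists: add \"userns-remap\": \"$DOCKREMAP_USER\" by hand, then re-run" >&2
    return 1
  fi
  printf '{\n  "userns-remap": "%s"\n}\n' "$DOCKREMAP_USER" \
    | $SUDO tee /etc/docker/daemon.json >/dev/null
  $SUDO systemctl restart docker

  # With remapping active the root dir gains a <uid>.<gid> suffix; that pair
  # is what container root becomes on the host (and what bind mounts need).
  docker info --format 'root dir: {{.DockerRootDir}}  security: {{.SecurityOptions}}'
  echo "container uid 0 -> host range $(subid_first_range /etc/subuid "$DOCKREMAP_USER")"
}

if [ "${1:-}" = apply ]; then
  apply_remap
fi
```

Run it as `sh remap.sh apply` (file name is hypothetical). To dry-run the id logic first, copy the files somewhere and call the helpers directly, for example `SUDO="" subid_overlaps ./subuid 400000 65536`. Afterward, `grep dockremap /etc/subuid /etc/subgid` should show exactly one line per file.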

Misc

For some reason, I guess after I restarted the docker service, the ids changed from 400000... so, for any files your container will write to through a bind mount, do this: sudo chown -R 165536:65536 *.

The likely cause is that adduser (via useradd) had already allocated dockremap a subordinate range when the user was created, typically 165536:65536 on a system whose first user owns 100000:65536, so the appended 400000 line became the user's second range, and docker maps container uid 0 onto the first range it finds. Check with grep dockremap /etc/subuid /etc/subgid, or look at the Docker Root Dir in docker info output: with remapping active it ends in a <uid>.<gid> suffix, and that pair (both the uid and the gid) is what container root is on the host and what the bind-mounted files should be chowned to.