The procedure below has been tested on a Digital Ocean VM with CentOS 7.4
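# Install docker from RHEL’s standard repos
yum install -y docker
#
# NOTE: this is a step-by-step procedure, not a script to run in one go:
# the 'reboot' below ends the session, and the steps after it are run
# once the host is back up.
#
# We’ll activate the ‘user namespaces’ feature: UID 0 inside a container
# is remapped to an unprivileged high-UID range on the host, so code that
# escapes a container does not hold host root.
#
# While we're at it, we'll also enable live restore and allow
# any member of group 'dockerroot' to control docker. Note that anyone
# added to this group is effectively being trusted with root privileges
# (it's trivial to gain root if you can talk to the docker daemon).
#
# Quoted delimiter: the JSON is written literally, nothing is expanded.
cat > /etc/docker/daemon.json <<'EOT'
{
"userns-remap": "default",
"live-restore": true,
"group": "dockerroot"
}
EOT
#
# For this to work, we have to create a ‘dockremap’ user on the host.
# Skip the step if the account already exists (e.g. when re-running).
#
id dockremap >/dev/null 2>&1 || useradd -M -s /bin/false dockremap
#
# We need to add the mappings to the subuid and subgid files. This means
# that UID 0 in the containers will map to UID 666666 on the host, and
# subsequent UIDs will map to the next 64k of UIDs on the host.
#
# IMPORTANT: Existing UIDs/GIDs on the host must not fall into the range
# chosen. The two checks below print every account or group that getent
# can enumerate whose id lies in the range; both must print nothing
# before the mapping is added.
#
getent passwd | awk -F: '$3 >= 666666 && $3 < 666666 + 65536'
getent group  | awk -F: '$3 >= 666666 && $3 < 666666 + 65536'
#
# Append each mapping only once so a re-run does not leave duplicates.
#
grep -q '^dockremap:' /etc/subuid || echo "dockremap:666666:65536" >> /etc/subuid
grep -q '^dockremap:' /etc/subgid || echo "dockremap:666666:65536" >> /etc/subgid
#
# RHEL has namespaces disabled on the kernel level by default.
# Need to enable them and reboot.
#
grubby --args="namespace.unpriv_enable=1 user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
grep -q '^user.max_user_namespaces=' /etc/sysctl.conf || echo "user.max_user_namespaces=15076" >> /etc/sysctl.conf
reboot
#
# ---- everything below is run after the host is back up ----
#
# Ready to rock
systemctl start docker
# Verify things worked — run this in one window and...
docker run --rm -it rhel7 /bin/bash
# … check on the host that bash is now running as user 666666 (and not 0).
# 'ps -u' selects by effective UID, so only remapped processes are
# listed (a plain 'ps | grep 666666' would also match the grep itself).
ps -o user,pid,comm -u 666666
# Now enable the docker daemon
systemctl enable docker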