pangyuteng/README.md

Last active February 5, 2025 02:13

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/pangyuteng/20526ac488b56886b6bdb64e107fe9e5.js"></script>
Save pangyuteng/20526ac488b56886b6bdb64e107fe9e5 to your computer and use it in GitHub Desktop.

Download ZIP

prevent docker containers running as root

Raw

prevent docker containers running as root

OPTION A. [WIP] use apparmor

install

sudo apt install apparmor-profiles

OPTION B. [SORTA WORKING] enable userns-remap for docker

add new user https://askubuntu.com/questions/592507/how-do-i-create-a-new-user-account

groupadd -g 1001 testuser
useradd testuser -u 1001 -g 1001 -m -s /bin/bash

verify user records exists

grep testuser /etc/subuid
grep testuser /etc/subgid

add below to /etc/docker/daemon.json https://docs.docker.com/engine/security/userns-remap/

{
  "userns-remap": "testuser"
}

restart docker deamon

systemctl restart docker

confirm docker is running as default user

run.py

import time
while True:
    print('ok')
    time.sleep(5)

docker run -w /opt -v ./run.py:/opt/run.py  python:3.10-bullseye python run.py

docker run -u 1000:1000 --userns=host -w /opt -v ./run.py:/opt/run.py  python:3.10-bullseye python run.py

check that python is running as default user

ps aux | grep python

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment