Linux namespaces provide isolation for running processes, limiting their access to system resources without the running process being aware of the limitations.
The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.
If you did not enable user namespaces from the start, you will lose access to all of your existing images and containers once the Docker daemon runs namespaced (they remain on disk, but under a different daemon storage path). Hence, we need to migrate the data. Follow the Backup and restore documentation and copy the backup archive to your host.
# stop the daemon
$ sudo service docker stop
# Create a user called "dockremap"
$ sudo adduser dockremap
# Set up the subordinate UID and GID ranges for that user
$ sudo sh -c 'echo dockremap:500000:65536 > /etc/subuid'
$ sudo sh -c 'echo dockremap:500000:65536 > /etc/subgid'
# Tell the daemon to remap container users to "dockremap" (the user must match the /etc/subuid and /etc/subgid entries above)
$ sudo vim /etc/docker/daemon.json
{
    "userns-remap": "dockremap"
}
# in case of geonode-project give invoke.log 777
# $ chmod 777 invoke.log
# start the daemon
$ sudo service docker start
- https://coderwall.com/p/s_ydlq/using-user-namespaces-on-docker
- https://docs.docker.com/engine/security/userns-remap/
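To see what the remap above actually does to file ownership on the host, the following added example (not part of the original page or of the GeoNode project) resolves which host UID a UID inside a remapped container lands on, given the daemon.json value and the "dockremap:500000:65536" entry from the procedure; the file paths and contents it uses are constructed, and it assumes a single subordinate range per user.

```shell
#!/bin/sh
# Added example (not from the original page): resolve which host UID a UID inside a
# userns-remapped container lands on, using the same "dockremap:500000:65536"
# entry the procedure writes to /etc/subuid. File paths and contents are constructed.

# host_uid_for NAME CONTAINER_UID SUBUID_FILE
# Prints the host UID for CONTAINER_UID under remap user NAME, using the first
# "name:start:count" line for NAME in SUBUID_FILE (assumption: a single range).
# Returns 1 when NAME has no entry or CONTAINER_UID is outside the range; Docker
# would leave such a UID unmapped, so it shows up as "nobody" on the host.
host_uid_for() {
    name=$1; cuid=$2; file=$3
    entry=$(grep "^${name}:" "$file" | head -n 1)
    [ -n "$entry" ] || return 1
    start=${entry#*:}; count=${start#*:}; start=${start%%:*}
    case "$cuid" in ''|*[!0-9]*) return 1 ;; esac
    [ "$cuid" -lt "$count" ] || return 1
    echo $((start + cuid))
}

# remap_user_from_daemon_json FILE
# Prints the "userns-remap" value from daemon.json. A value of "default" tells
# Docker to create and use the dockremap user itself.
remap_user_from_daemon_json() {
    sed -n 's/.*"userns-remap"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Demo on constructed copies of the two files from the procedure above.
demo() {
    tmp=$(mktemp -d)
    printf 'dockremap:500000:65536\n' > "$tmp/subuid"
    printf '{\n  "userns-remap": "dockremap"\n}\n' > "$tmp/daemon.json"
    user=$(remap_user_from_daemon_json "$tmp/daemon.json")
    echo "remap user from daemon.json: $user"
    echo "container uid 0 (root) -> host uid $(host_uid_for "$user" 0 "$tmp/subuid")"
    echo "container uid 1000     -> host uid $(host_uid_for "$user" 1000 "$tmp/subuid")"
    host_uid_for "$user" 70000 "$tmp/subuid" || echo "container uid 70000 -> unmapped"
    rm -rf "$tmp"
}

demo
```

Because container root becomes host UID 500000, a host file such as invoke.log that is bind-mounted into the container is only writable by container root if UID 500000 may write it; chowning the file to that mapped UID is a narrower alternative to the chmod 777 used in the procedure.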
Copy the archive created in step 1) to the django4geonode container and restore the data as described here: