Question

To enhance container security by remapping a container&#x27;s `root` user to a non-root user on the host system, what specific daemon feature must be enabled?

Accepted Answer

To enhance container security by remapping a container&#x27;s `root` user to a non-root user on the host system, the specific daemon feature that must be enabled is User Namespace Remapping. A User Namespace is a Linux kernel feature that isolates user and group IDs, allowing a process to have a privileged `root` user within its own namespace without being the `root` user (UID 0) on the host system. This separation is crucial for security. When User Namespace Remapping is active, the container engine daemon, such as the Docker daemon, creates a new User Namespace for each container. Inside this namespace, the container&#x27;s `root` user, which has UID 0 within the container, is mapped to a distinct, unprivileged User ID (UID) on the host system. Similarly, other User IDs and Group IDs (GIDs) within the container are mapped to a range of unprivileged UIDs and GIDs on the host. This mapping means that any process running as `root` inside the container does not possess `root` privileges on the host. If an attacker manages to gain `root` access within a container, their effective permissions on the host system are limited to those of the remapped, non-root user. This significantly reduces the attack surface and prevents privilege escalation, where a compromise of the container&#x27;s `root` could otherwise lead to a compromise of the host&#x27;s `root`. To enable this feature, the host system must be configured with subordinate User IDs (`subuid`) and subordinate Group IDs (`subgid`) for the user account that will own the remapped namespaces, typically defined in files like `/etc/subuid` and `/etc/subgid`. The container engine daemon then requires explicit configuration, often within its configuration file like `daemon.json` for Docker, to activate User Namespace Remapping, specifying the user or ID range for the remapping, for example, by setting `userns-remap=default` or `userns-remap=username`.

Home → All Courses → Engineering and Technology Courses → Docker Certified Associate (DCA) → Flashcard

To enhance container security by remapping a container's `root` user to a non-root user on the host system, what specific daemon feature must be enabled?