0
0
Dockerdevops~10 mins

User namespace remapping in Docker - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - User namespace remapping
Docker daemon starts
Check userns-remap config
If enabled
Map container user IDs to host user IDs
Create subuid and subgid ranges
Run container with remapped IDs
Container user ID != Host user ID
Improved host security
End
Docker daemon checks if user namespace remapping is enabled, then maps container user IDs to different host user IDs to improve security.
Execution Sample
Docker
dockerd --userns-remap=default

docker run -it alpine id
Starts Docker daemon with user namespace remapping enabled, then runs a container to show user ID mapping.
Process Table
StepActionUser ID in ContainerMapped Host User IDResult
1Docker daemon starts with --userns-remap=default--User namespace remapping enabled
2Docker creates subuid and subgid ranges for remapping--Ranges assigned to dockremap user
3Run container with 'id' command0 (root inside container)100000 (mapped host user)Container root mapped to non-root host user
4Container process runs as remapped user1000 (normal user inside container)101000 (mapped host user)Normal user remapped accordingly
5Container exits--User namespace remapping ends with container lifecycle
💡 Container stops; user namespace remapping applies only during container runtime
Status Tracker
VariableStartAfter Step 3After Step 4Final
Container User ID-01000-
Mapped Host User ID-100000101000-
Docker Daemon StateNo remapRemap enabledRemap enabledRemap enabled
Key Moments - 3 Insights
Why does the container root user (ID 0) map to a high host user ID like 100000?
Because user namespace remapping shifts container user IDs to a safe range on the host to avoid running as real root, as shown in execution_table step 3.
Does the container user ID inside the container change when remapping is enabled?
No, inside the container the user IDs remain the same (e.g., 0 for root), but they map to different host IDs, as seen in execution_table steps 3 and 4.
What happens if user namespace remapping is not enabled?
Container user IDs map directly to the same host user IDs, meaning root in container is root on host, which is less secure. This is implied by the initial daemon state in variable_tracker.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table at step 3: what is the mapped host user ID for container root user?
A101000
B0
C100000
D500
💡 Hint
Check the 'Mapped Host User ID' column at step 3 in the execution_table.
At which step does the container process run as a remapped normal user (ID 1000 inside container)?
AStep 3
BStep 4
CStep 2
DStep 5
💡 Hint
Look for '1000 (normal user inside container)' in the 'User ID in Container' column in execution_table.
If user namespace remapping was disabled, what would happen to the container root user ID mapping?
AIt would remain as 0 on the host
BIt would map to a high host user ID like 100000
CIt would map to 101000
DIt would map to 500
💡 Hint
Refer to key_moments about what happens without remapping and variable_tracker Docker Daemon State.
Concept Snapshot
User namespace remapping shifts container user IDs to different host IDs.
Enables running containers as root inside but non-root on host.
Configured via dockerd --userns-remap.
Improves host security by isolating container users.
Container user IDs stay same inside container.
Host sees remapped user IDs in a safe range.
Full Transcript
User namespace remapping in Docker lets the container run users like root inside, but maps those user IDs to different, non-root user IDs on the host. When Docker daemon starts with --userns-remap, it creates subuid and subgid ranges for remapping. For example, container root user ID 0 maps to host user ID 100000. This prevents containers from having real root privileges on the host, improving security. Inside the container, user IDs remain unchanged, but on the host they are shifted. This remapping applies only during container runtime and ends when the container stops.