Docker Security Features: User Namespace Isolation, SELinux Support, PID Limits, and Additional Kernel Hardening Tools
This article provides a comprehensive tutorial on Docker's advanced security mechanisms, covering user namespace isolation, SELinux integration, PID limiting, and various kernel security tools, complete with command‑line demonstrations and configuration details for secure container deployments.
Background
Previously we introduced Docker security features such as capability restrictions, image signing, AppArmor MAC, and Seccomp. This article continues with other Docker security capabilities.
1 User Namespace Isolation
Linux user namespaces give a container its own range of UIDs and GIDs that the kernel maps onto a range of unprivileged host IDs. With remapping enabled, UID 0 inside the container is an ordinary unprivileged UID on the host, so a process that breaks out of the container (through a kernel bug, a leaked host socket or a careless bind mount) does not hold root on the host. The subordinate ranges are allocated in /etc/subuid and /etc/subgid; an entry such as testuser:231072:65536 gives testuser 65536 IDs starting at 231072, so container UID 0 becomes host UID 231072 and container UID 1000 becomes host UID 232072. Docker 1.10 added the --userns-remap daemon flag (or "userns-remap" in /etc/docker/daemon.json) to use such a range. It is a daemon-wide setting: images and containers move to a separate root directory, host files owned by an unmapped UID such as root appear inside the container as nobody, and a container that genuinely needs the host mapping must opt out with --userns=host.
Demonstration steps:
1. Verify Docker daemon runs as root:
lynzabo@ubuntu:~$ ps -ef | grep dockerd
root 1557 1 0 12:54 ? 00:05:08 /usr/bin/dockerd -H fd://
lynzabo 36398 23696 0 21:41 pts/1 00:00:00 grep --color=auto dockerd
lynzabo@ubuntu:~$
2. Run a container and check its UID:
lynzabo@ubuntu:~$ docker run --rm alpine id
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
4fe2ade4980c: Pull complete
Digest: sha256:621c2f39f8133acb8e64023a94dbdf0d5ca81896102b9e57c0dc184cadaf5528
Status: Downloaded newer image for alpine:latest
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)...
lynzabo@ubuntu:~$
3. Run a container as a non-root user:
lynzabo@ubuntu:~$ docker run --rm --user 1000:1000 alpine id
uid=1000 gid=1000
lynzabo@ubuntu:~$
Dropping to a non-root UID with --user works when the image can run unprivileged, but many images expect UID 0. User namespace remapping keeps the process as root inside the container (so the software behaves as it expects) while the host kernel treats it as the remapped, unprivileged host UID; if it escapes, it holds no root privileges on the host.
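The mapping the previous paragraph describes can be checked from the host rather than taken on trust: /proc/<pid>/uid_map of the container's init process lists "inside-start outside-start count" triples, and the subordinate range must not overlap any real host account. The following helpers are an added example written for this page, not code from the original article; the uid_map, /etc/subuid and /etc/passwd contents they are fed are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): resolve a container UID to
# the host UID it is remapped to, and sanity-check the subordinate range.
# All sample file contents used with these functions are constructed.

# host_uid <contents of /proc/PID/uid_map> <container uid>
# Each uid_map line is "<inside-start> <outside-start> <count>". A uid that
# falls in no range is unmapped and is shown on the host as the overflow
# uid 65534 (nobody); in that case the function returns 1.
host_uid() {
    map=$1; cuid=$2
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
            echo $((outside + cuid - inside))
            return 0
        fi
    done <<EOF
$map
EOF
    echo 65534
    return 1
}

# subuid_range <user> <contents of /etc/subuid>
# Prints "start count" for the user's entry, e.g. "165536 65536".
subuid_range() {
    while IFS=: read -r user start count; do
        [ "$user" = "$1" ] && { echo "$start $count"; return 0; }
    done <<EOF
$2
EOF
    return 1
}

# range_clear <start> <count> <contents of /etc/passwd>
# Returns 0 when no host account's uid lies inside [start, start+count);
# a collision would let container root own a real host user's files.
range_clear() {
    start=$1; end=$(($1 + $2))
    while IFS=: read -r name pw uid rest; do
        [ -n "$uid" ] || continue
        if [ "$uid" -ge "$start" ] && [ "$uid" -lt "$end" ]; then
            echo "collision: $name ($uid) is inside the remap range" >&2
            return 1
        fi
    done <<EOF
$3
EOF
    return 0
}

# Live use on a remapped daemon (container uid 0 should resolve to the start
# of the dockremap range, 165536 on the host shown in this article):
#   pid=$(docker inspect -f '{{.State.Pid}}' <container>)
#   host_uid "$(cat /proc/$pid/uid_map)" 0
#   range_clear $(subuid_range dockremap "$(cat /etc/subuid)") "$(cat /etc/passwd)"
```

A host UID of 0 coming back from host_uid means remapping is not in effect for that container; a collision from range_clear means the range in /etc/subuid was chosen badly and must be moved before the daemon is restarted.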
Full demo (for a persistent setup put "userns-remap": "default" in /etc/docker/daemon.json and restart the daemon instead of launching dockerd by hand):
sudo systemctl stop docker
sudo dockerd --userns-remap=default &
# --userns-remap=default creates the dockremap user and group and allocates a subordinate range for them
lynzabo@ubuntu:~$ id dockremap
uid=123(dockremap) gid=132(dockremap) groups=132(dockremap)
# Verify entries in /etc/subuid and /etc/subgid
lynzabo@ubuntu:~$ grep dockremap /etc/subuid
dockremap:165536:65536
lynzabo@ubuntu:~$ grep dockremap /etc/subgid
dockremap:165536:65536
# The daemon now keeps images and containers under a separate root directory named <uid>.<gid>, owned by the remapped root
lynzabo@ubuntu:~$ docker info
...Docker Root Dir: /home/docker/165536.165536...
lynzabo@ubuntu:~$ ls -ld /home/docker/165536.165536
drwx------ 14 165536 165536 4096 Sep 17 21:44 /home/docker/165536.165536
2 SELinux Support
SELinux implements mandatory access control (MAC): every process and file carries a label, and the loaded policy decides which labels may access which, independently of the Unix permission bits. It runs in one of three modes, Enforcing, Permissive (violations are logged but allowed) and Disabled. The Docker daemon does not label containers unless it is started with --selinux-enabled (or "selinux-enabled": true in /etc/docker/daemon.json); docker info then lists selinux under Security Options. With labeling on, container processes run under a confined type such as container_t and may only read or write files labeled for containers, so a bind-mounted host file keeps its host label and access fails with "Permission denied" (the AVC denial is visible with ausearch -m avc). The fix is to relabel the mount: the :z suffix gives the content a shared label usable by every container, :Z a private label carrying the container's MCS categories so that only this container can use it, and --security-opt label=... adjusts the label on the container side. Relabeling changes the files on the host permanently, so never apply :z or :Z to system directories such as /etc, /usr or /home.
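Whether a bind-mount source will work under an SELinux-enabled daemon can be read off its label before the container is even started. The helpers below are an added example for this page, not code from the original article: they parse the context string that ls -Z or stat -c %C prints and tell :z-style shared labels apart from :Z-style private ones. The sample contexts are constructed; container_file_t (and the older svirt_sandbox_file_t) are the types the container policy grants access to.

```shell
#!/bin/sh
# Added example (not from the original article): classify an SELinux file
# context for use as a container bind mount. Sample contexts are constructed.

# context_type <selinux context>  -> the type field, e.g. container_file_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# context_level <selinux context> -> the MLS/MCS level, e.g. s0 or s0:c12,c34
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# mount_label_ok <selinux context>
#   0: labeled for containers with a shared level (what :z produces)
#   2: labeled for containers but with a private MCS level (what :Z produces),
#      so only the one container holding those categories can use it
#   1: not a container file type; a bind mount will hit "Permission denied"
mount_label_ok() {
    t=$(context_type "$1"); lvl=$(context_level "$1")
    case "$t" in
        container_file_t|svirt_sandbox_file_t) ;;
        *) echo "$t is not a container file type; relabel with :z or :Z" >&2; return 1 ;;
    esac
    case "$lvl" in
        *:c*) echo "private label $lvl (from :Z); usable by one container only" >&2; return 2 ;;
    esac
    return 0
}

# check_mount_source <path>
# Live variant for an SELinux host with GNU stat (%C prints the context).
check_mount_source() {
    mount_label_ok "$(stat -c %C "$1")"
}

# The nginx.conf in the article lives under /root, which carries admin_home_t,
# hence the "Permission denied" until the mount is relabeled:
#   check_mount_source /root/nginx/conf/nginx.conf
```

A return of 1 on the source path is the situation the demonstration below reproduces; a return of 2 is worth knowing about when the same host directory is to be shared by several containers, because a second container started with :Z will relabel it again and lock the first one out.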
Example of a permission error when mounting nginx.conf without the :z label, and the fix using the :z option:
# Start Docker with SELinux enabled
root@localhost conf# ps -ef|grep dockerd
root 4401 1 0 08:15 ? 00:00:00 /usr/bin/dockerd --selinux-enabled
# Run Nginx container without :z (fails)
root@localhost conf# docker run --name test-selinux-nginx -v /root/nginx/conf/nginx.conf:/etc/nginx/nginx.conf -d nginx
...Exited (1) ... Permission denied
# Run Nginx container with :z (succeeds)
root@localhost conf# docker run -v /root/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:z -d nginx
...Up ...
3 PID Limits Support
Docker's --ulimit flag sets the classic per-process resource limits (RLIMIT_NOFILE for open files, RLIMIT_NPROC for processes) that the container's init process and its children inherit. nproc is a poor fence for a container: the kernel counts it per UID across the whole host rather than per container, exempts host UID 0 from it entirely, and lets two unrelated containers running under the same UID consume each other's quota. Since Docker 1.11 (API 1.23) the --pids-limit flag instead uses the pids cgroup controller (Linux 4.3 or later) to cap the total number of tasks in the container, whatever user they run as, which is the right tool against fork bombs.
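The effect of --pids-limit is visible in the container's pids cgroup on the host, and the files to read live in different places on cgroup v1 and v2. The helpers below are an added example for this page, not code from the original article: they locate the pids cgroup directory from /proc/<pid>/cgroup for either layout and report the limit against current usage. They assume the cgroup filesystem is mounted at /sys/fs/cgroup, and the /proc contents they are tested with are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): find a container's pids
# cgroup and report pids.max against pids.current. Assumes the cgroup
# hierarchy is mounted at /sys/fs/cgroup; sample inputs are constructed.

# pids_cgroup_dir <contents of /proc/PID/cgroup>
# cgroup v1 lines look like "12:pids:/docker/<id>" and the controller may be
# part of a comma list; the v2 unified line is "0::/system.slice/docker-<id>.scope".
# On a hybrid host the v1 pids line precedes the "0::" line, so it wins.
pids_cgroup_dir() {
    while IFS=: read -r hid ctrls cpath; do
        case ",$ctrls," in
            ",,")      [ "$hid" = 0 ] && { printf '%s\n' "/sys/fs/cgroup$cpath"; return 0; } ;;
            *,pids,*)  printf '%s\n' "/sys/fs/cgroup/pids$cpath"; return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# pids_status <contents of pids.max> <contents of pids.current>
#   0: a limit is set and there is headroom
#   1: no limit in force (pids.max is "max")
#   2: limit reached; fork() in the container fails with EAGAIN, which is
#      the "Resource temporarily unavailable" shown in the demonstration
pids_status() {
    max=$1; cur=$2
    if [ "$max" = max ]; then
        printf 'no pids limit in force (%s tasks running)\n' "$cur"
        return 1
    fi
    printf '%s of %s pids in use\n' "$cur" "$max"
    if [ "$cur" -ge "$max" ]; then
        printf 'limit reached: further fork() calls fail with EAGAIN\n'
        return 2
    fi
    return 0
}

# container_pids_report <host pid of the container init process>
# Live variant; reads the real files on a Linux host with the container running:
#   container_pids_report "$(docker inspect -f '{{.State.Pid}}' test-pids-limit)"
container_pids_report() {
    dir=$(pids_cgroup_dir "$(cat "/proc/$1/cgroup")") || return 1
    pids_status "$(cat "$dir/pids.max")" "$(cat "$dir/pids.current")"
}
```

Because pids.current counts every task in the cgroup, a docker exec shell and the commands it runs are charged to the same limit as the container's own processes, which is why a small limit such as 5 in the demonstration is exhausted by a handful of interactive commands.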
# Limit file descriptors and processes
docker run -it --ulimit nofile=2048 --ulimit nproc=100 busybox sh
/ # ulimit -a
... -n: file descriptors 2048
... -p: processes 100
# Use --pids-limit to restrict total processes
docker run -d --name test-pids-limit --pids-limit=5 busybox top
# Inside the container (docker exec -it test-pids-limit sh); top is PID 1, and the exec'd shell and ps count against the same limit
/ # ps -ef
PID USER TIME COMMAND
1 root 0:00 top
5 root 0:00 sh
9 root 0:00 ps -ef
/ # nohup top &
sh: can't fork: Resource temporarily unavailable
4 Other Kernel Security Tools
Beyond the daemon's own options, docker-bench-security (scripted checks against the CIS Docker Benchmark), Sysdig Falco (runtime detection of suspicious syscalls and container behaviour) and grsecurity/PaX (a hardened kernel patch set with stricter memory protections) can further harden a container host.
These features, together with the capability, image-signing, AppArmor and seccomp controls covered previously, are meant to be layered; none of them secures a Docker deployment on its own.
DevOps