[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Docker Universe: mapping of container's root to other UID/GID?

On 03/10/2016 06:53 AM, Thomas Hartmann wrote:
Hi all,

I stumbled over [1] and am wondering, if it would make sense to map at
least root to another UID/GID - assuming it would reduce(?) the risks by
some hypothetical exploit allowing root to escape a container?


Note that HTCondor will never start a docker container (or any other job, in any other universe, for that matter) as root.

I think that going forward, if we wanted to map uids, we'd use the new username feature of Docker when that is widely available.