Using Mouthful with User Namespaces #102

Open
leem32 opened this issue Dec 12, 2018 · 4 comments

Comments

@leem32

leem32 commented Dec 12, 2018

Is it possible to use Mouthful with Docker's user namespaces?
I'd like to do this for security reasons.

I'm using Mouthful on a CentOS 7 OS with an Nginx server.
How would namespacing work with Mouthful? How would I make Mouthful use the Nginx user if I created a namespace for Nginx?

Docker namespace resources:
https://success.docker.com/article/introduction-to-user-namespaces-in-docker-engine
https://coderwall.com/p/s_ydlq/using-user-namespaces-on-docker
https://raesene.github.io/blog/2016/02/04/Docker-User-Namespaces/
https://www.linux.com/blog/learn/2017/8/hardening-docker-hosts-user-namespaces
https://www.jujens.eu/posts/en/2017/Jul/02/docker-userns-remap/

@leem32
Author

leem32 commented Dec 14, 2018

I got this working myself, so you can close this issue now.

@leem32
Author

leem32 commented Dec 16, 2018

Correction. Although the comments load in the webpage with namespaces enabled, I am not able to post comments.

Each time I attempt to post a comment I get a 500 response code in the console. In the docker logs it shows:

attempt to write a readonly database
[GIN] 2018/12/16 - 11:57:23 | 500 |    1.956915ms |        10.0.0.0 | POST     /v1/comments

Inside the mouthful container I notice the config.json and database file are set as nobody user.

/app # ls -la /app/data
total 40
drwxr-xr-x    2 nobody   nobody        4096 Dec 15 21:48 .
drwxr-xr-x    1 root     root          4096 Aug 27 16:25 ..
-rw-r--r--    1 nobody   nobody        1460 Dec 16 11:55 config.json
-rw-r--r--    1 nobody   nobody       24576 Dec 15 21:48 mouthful.db

If I run mouthful with namespaces disabled (using --userns=host) mouthful runs OK and I am able to post comments.
Inside the container with namespaces disabled the file permissions are set as root.

/app # ls -la /app/data
total 40
drwxr-xr-x    2 root     root          4096 Dec 16 12:20 .
drwxr-xr-x    1 123000   123000        4096 Aug 27 16:25 ..
-rw-r--r--    1 root     root          1460 Dec 16 12:18 config.json
-rw-r--r--    1 root     root         24576 Dec 16 12:20 mouthful.db

The problem with this is the process on the host is also set as root.

ps au | grep [b]in/sh
root      8420  0.5  0.0   1560   516 pts/0    Ss+  12:24   0:00 /bin/sh

That's the reason why running a container without namespaces is such a security risk. It's too easy for someone to gain root access to the host.

So, my question is: is there a way around this issue? How can I use Mouthful with namespaces enabled?
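
The two `ls` listings in the comment above are the usual userns-remap ownership mismatch: the data directory on the host is owned by host root (UID 0), which lies outside the remapped range, so inside the container it shows up as the overflow user `nobody` and is read-only for the container's root, while that container root actually corresponds to a high host UID (123000 in the second listing). The script below is an added example, not part of this issue or of the Mouthful project; it reads the `user:start:count` lines of `/etc/subuid` to translate UIDs in both directions and to print the `chown` a host admin would run on the volume directory. The `SAMPLE_SUBUID` content, the `dockremap` user name and the `/srv/mouthful/data` path are constructed for illustration; the 123000 base is taken from the listing on this page.

```shell
#!/bin/sh
# Added example: translate UIDs across a Docker userns-remap boundary.
# /etc/subuid lines have the form "user:start:count" (standard format).
# SAMPLE_SUBUID is constructed for this example; pass nothing as the
# third argument to read the real /etc/subuid instead.

SAMPLE_SUBUID='dockremap:123000:65536
otheruser:200000:65536'

# remapped_host_uid <remap-user> <container-uid> [subuid-content]
# Prints the host UID that a UID inside the container maps to.
# Fails (exit 1) when the container UID is outside the mapped range.
remapped_host_uid() {
    remap_user=$1
    container_uid=$2
    subuid_content=${3:-$(cat /etc/subuid)}
    printf '%s\n' "$subuid_content" | awk -F: -v u="$remap_user" -v cid="$container_uid" '
        $1 == u && cid >= 0 && cid < $3 { print $2 + cid; found = 1; exit }
        END { if (!found) exit 1 }'
}

# container_uid_for_host_uid <remap-user> <host-uid> [subuid-content]
# Prints the UID a host-owned file appears as inside the container.
# A host UID outside the remapped range has no mapping and is shown as
# the kernel overflow UID 65534 ("nobody"), which is why host-root files
# are read-only for the container's root under userns-remap.
container_uid_for_host_uid() {
    remap_user=$1
    host_uid=$2
    subuid_content=${3:-$(cat /etc/subuid)}
    printf '%s\n' "$subuid_content" | awk -F: -v u="$remap_user" -v hid="$host_uid" '
        $1 == u && hid >= $2 && hid < $2 + $3 { print hid - $2; found = 1; exit }
        END { if (!found) print 65534 }'
}

# volume_chown_command <remap-user> <host-path> [subuid-content]
# Prints the chown that gives the container's root (container UID 0) write
# access to a bind-mounted directory, without making it host-root-owned.
# Group ownership is left alone here; /etc/subgid can be handled the same way.
volume_chown_command() {
    uid=$(remapped_host_uid "$1" 0 "$3") || return 1
    printf 'chown -R %s %s\n' "$uid" "$2"
}

# Demonstration against the constructed sample:
container_uid_for_host_uid dockremap 0 "$SAMPLE_SUBUID"        # 65534 (nobody)
container_uid_for_host_uid dockremap 123000 "$SAMPLE_SUBUID"   # 0 (container root)
volume_chown_command dockremap /srv/mouthful/data "$SAMPLE_SUBUID"
```

Running the printed `chown` on the host keeps the files owned by an unprivileged host UID (the process on the host stays non-root, which is the point of the remap) while the container sees them as owned by its own root and can write the SQLite database. Check the result with `ls -ln` on the host and `ls -la` inside the container: the host should show the high UID, the container should show `root` instead of `nobody`.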

@vkuznecovas
Owner

I was not aware that a thing called user namespaces existed, will look into it and investigate.

@leem32
Author

leem32 commented Jan 14, 2019

OK, thanks. Scrap the part where I said " How would I make Mouthful use the Nginx user if I created a namespace for Nginx." though. I didn't understand Docker namespaces properly and that question is not relevant.
