Docker container user rights management

A very important piece of knowledge is how rights management works in the Linux system. Rights management in Linux is handled by the uid and gid: the Linux kernel checks the uid and gid of the process that created a file, not the user name or group name, to decide whether the process has sufficient privileges to modify the file. Likewise, all containers running on a docker host share the same kernel, which can also be understood as sharing the same permissions management.

Docker container rights management is divided into three cases:
1. Root privileges are used by default
Whether the docker container is started by the root user or by a normal user (one who has permission to start docker containers), the processes and user privileges inside the container are root!
Create a new user sleep, start a container with the privileges of the sleep user, and test whether it has root privileges on the host disk.

docker run -v /data/sleep:/sleep  -d --name sleep-1 ubuntu sleep infinity

On the host, in the /data/sleep path, user leo_zhou creates a new file and writes "docker" into it, then enters the sleep-1 container:

docker exec -it sleep-1 bash


The file can still be operated on normally with root privileges.

2. Start the Docker container with a restricted user
Add the --user argument so that the container is started as the designated user sleep; the file created with root privileges can then no longer be operated on. You will also find that the uid number inside the container is the same as the actual uid number on the host, which again verifies that docker containers share the host's kernel. In this way permissions can be managed to a certain extent.

3. Use namespace isolation technology
A namespace is an isolation technology; docker's isolation technique is to open specific namespaces when creating certain special processes, but using the user namespace is conditional. A dockremap user is created, and the id values in /etc/subuid and /etc/subgid are mapped into the container; actual operations then use the authority of the ordinary dockremap user, which achieves the effect of automatic isolation.
① Enable the user namespace function, which is turned off in the CentOS kernel by default.

grubby --args="namespace.unpriv_enable=1 user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
echo "user.max_user_namespaces=15076" >> /etc/sysctl.conf

② Modify the configuration in /etc/docker/daemon.json and add the new option "userns-remap": "default"; "default" means the dockremap user that docker creates automatically. Then restart docker.
This configuration must be modified carefully: if a docker environment is already deployed and this option is enabled, docker switches to the isolated environment and the docker containers created before can no longer be used!

③ On CentOS the id values of the mapping range need to be entered manually.

After the final systemctl restart docker, test again: the owner shown in the file permissions has become nobody. Inside the docker container it is still "root" as far as rights management is concerned, but it actually only has normal user rights, which achieves the effect of rights isolation.
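As an added example (not from the original post), a small POSIX shell function that works out which host uid a uid inside a userns-remapped container is actually backed by, given entries in the /etc/subuid format described above. The subuid entries and the user names in it are constructed sample data, not read from a real host.

```shell
#!/bin/sh
# Added example: resolve container uid -> host uid under userns-remap.
# Constructed /etc/subuid contents ("user:start:count"), not a real host's file.
SAMPLE_SUBUID='dockremap:100000:65536
leo_zhou:165536:65536'

# map_uid <subuid-contents> <remap-user> <container-uid>
# Prints the host uid the container uid maps to; fails if the user has no
# entry or the container uid lies outside the ids allocated to it.
map_uid() {
    contents=$1; user=$2; cuid=$3
    line=$(printf '%s\n' "$contents" | grep "^${user}:" | head -n 1)
    [ -n "$line" ] || { echo "no subuid entry for $user" >&2; return 1; }
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    if [ "$cuid" -lt 0 ] || [ "$cuid" -ge "$count" ]; then
        echo "container uid $cuid is outside the $count ids allocated to $user" >&2
        return 1
    fi
    echo $((start + cuid))
}

# Root (uid 0) inside the container is an unprivileged host uid, which is why
# files it creates show up on the host as owned by nobody after remapping.
map_uid "$SAMPLE_SUBUID" dockremap 0      # 100000
map_uid "$SAMPLE_SUBUID" dockremap 1000   # 101000
```

Because the host uid has no matching entry in /etc/passwd, tools such as ls display it as nobody even though it is a normal, unprivileged id.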


Origin www.cnblogs.com/zhouzhifei/p/11557118.html