Container launch does not distinguish between a numeric UID and a string username when resolving the user passed with -u: the value is matched against the image's /etc/passwd by name as well as by UID. A malicious image can therefore ship a passwd entry whose "username" is a digit string, such as 1000, mapped to UID 0. An innocuous-looking launch such as `docker run -u 1000 ...` then results in the container processes running as root rather than as UID 1000. The same ambiguity also defeats OpenShift's UID-based controls, which assume that a numeric -u value is the UID the process will actually receive.
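The following Go program is an added illustration of the lookup ambiguity and is not Docker's or runc's own code. It parses a constructed /etc/passwd of the kind a malicious image might ship, then resolves the string "1000" two ways: `resolveAmbiguous` (hypothetical name) matches an entry by name or by UID, as the flawed launch path did; `resolveStrict` (hypothetical name) treats any argument that parses as an integer purely as a UID, so an image-supplied username can never redirect it.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// passwdEntry holds the fields of one /etc/passwd line that matter here.
type passwdEntry struct {
	Name string
	UID  int
	GID  int
}

// maliciousPasswd is a constructed /etc/passwd, not taken from any real image:
// the entry named "1000" maps to UID 0, while the real UID 1000 belongs to "app".
const maliciousPasswd = `root:x:0:0:root:/root:/bin/sh
1000:x:0:0:name that looks like a uid:/root:/bin/sh
app:x:1000:1000:genuine unprivileged user:/home/app:/bin/sh
`

// parsePasswd reads passwd-format lines into entries, skipping blanks and comments.
func parsePasswd(data string) ([]passwdEntry, error) {
	var entries []passwdEntry
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) < 4 {
			return nil, fmt.Errorf("malformed passwd line: %q", line)
		}
		uid, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad uid in %q: %v", line, err)
		}
		gid, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad gid in %q: %v", line, err)
		}
		entries = append(entries, passwdEntry{Name: f[0], UID: uid, GID: gid})
	}
	return entries, sc.Err()
}

// resolveAmbiguous mimics the flawed behaviour: the -u argument matches an
// entry by name OR by numeric UID, so the first matching line wins and an
// image-controlled username can hijack a numeric argument.
func resolveAmbiguous(entries []passwdEntry, userArg string) (int, bool) {
	for _, e := range entries {
		if e.Name == userArg || strconv.Itoa(e.UID) == userArg {
			return e.UID, true
		}
	}
	return -1, false
}

// resolveStrict is the hardened rule: if the argument parses as an integer it
// is a UID, and only a UID match (or, absent any entry, the number itself) is
// accepted. Usernames are consulted only for non-numeric arguments.
func resolveStrict(entries []passwdEntry, userArg string) (int, bool) {
	if uid, err := strconv.Atoi(userArg); err == nil {
		for _, e := range entries {
			if e.UID == uid {
				return e.UID, true
			}
		}
		// No passwd entry for this UID: still run as exactly that UID.
		return uid, true
	}
	for _, e := range entries {
		if e.Name == userArg {
			return e.UID, true
		}
	}
	return -1, false
}

func main() {
	entries, err := parsePasswd(maliciousPasswd)
	if err != nil {
		panic(err)
	}
	uid, _ := resolveAmbiguous(entries, "1000")
	fmt.Printf("ambiguous lookup of -u 1000 -> uid %d\n", uid) // uid 0: root
	uid, _ = resolveStrict(entries, "1000")
	fmt.Printf("strict lookup of -u 1000    -> uid %d\n", uid) // uid 1000
}
```

A quick runtime check for an untrusted image is to start it with the same -u value but with `id` as the entrypoint and confirm the reported uid is the number you passed; with a passwd file like the one above, an unpatched engine reports uid=0.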
Acknowledgments: Name: Mrunal Patel (Red Hat)
Created docker tracking bugs for this issue: Affects: fedora-all [bug 1329454]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2016:1034 https://rhn.redhat.com/errata/RHSA-2016-1034.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2016:2634 https://rhn.redhat.com/errata/RHSA-2016-2634.html