I am currently evaluating using docker-rootless on a 19.03 installation and I am facing several questions and issues on how it works. On my system I have multiple users with high uids (> 1000000000) and I want to offer them docker-rootless access.
In the documentation https://docs-stage.docker.com/engine/security/userns-remap/ it is said that the uid mapping shall map the root user (uid 0) on the first value of a range I set.
However in rootless mode when my root user creates a file, the owner on the host is not the first value of the subuid range but the uid of the user who started the daemon.
For instance, I have created a user named “foo” with uid 2000000 and put the following in /etc/subuid
Then I started a new container and shared a folder of the host:
docker run --rm -ti --name test -v /tmp/test:/mnt/local centos:8 bash
When executing “touch /mnt/local/test1” as root in the container, the file appears to be owned by “foo” (uid 2000000) on the host.
My second issue is about copying files with docker cp.
If I create a file on the host
/tmp/test1 owned by “foo” and execute
docker cp /tmp/test1 test:/mnt/local/test1 as “foo”, the operation fails with a lchown invalid argument. This seems to be triggered by the fact that docker is trying to map the owner of the file (2000000) into the range 1000:1000 and fails as there’s not enough uids available. Changing the range in /etc/subuid to:
makes it work.
The problem is that on my system I cannot change the high UID of users and I have got multiple users. So it is impossible to obtain a mapping with no overlap for all of them and to use docker cp.
Note that pulling images containing files with uids that do not comply with the mapping also leads to a failure for the same reasons.
Does anyone have any idea about how to solve that?
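The two observations in the post (container root's files showing up as “foo” on the host, and the lchown failure on docker cp and image pulls) both follow from the uid map that rootless Docker builds from /etc/subuid. The script below is an added example, not code from the post or from Docker: it models that map and lets you ask, for any uid, where it lands on the other side and whether it is representable at all. The uid 2000000 for “foo” comes from the post; the /etc/subuid lines are hypothetical, and the `archive_uid_mappable` check follows the post's own diagnosis that the owner uid carried in the copied archive is applied as a container uid.

```sh
#!/bin/sh
# Added example (not from the original post or from Docker): a small model of
# the uid translation that rootless Docker sets up, used to show (1) why a file
# created by root inside the container is owned by the rootless user on the
# host and (2) why a uid that the map does not cover cannot be chown'ed inside
# the daemon's user namespace, which is the kind of lchown failure the post
# reports for docker cp and for pulling images.
#
# Constructed inputs: the user "foo" with uid 2000000 is taken from the post;
# the /etc/subuid lines below are hypothetical.
set -eu

ROOTLESS_USER=foo
ROOTLESS_UID=2000000
SUBUID_CONTENT='foo:100000:65536
bar:200000:65536
foo:300000:1000'

# Rootless Docker maps container uid 0 to the user's own uid, then container
# uids 1, 2, ... consecutively onto that user's /etc/subuid ranges in file
# order, as the daemon's /proc/self/uid_map would show for these inputs:
#   0      2000000  1
#   1      100000   65536
#   65537  300000   1000

# container_to_host CUID: print the host uid that owns a file created as CUID
# inside the container, or "unmapped" if the map does not cover CUID.
container_to_host() {
    cuid=$1
    if [ "$cuid" -eq 0 ]; then
        echo "$ROOTLESS_UID"
        return 0
    fi
    printf '%s\n' "$SUBUID_CONTENT" | awk -F: -v user="$ROOTLESS_USER" -v c="$cuid" '
        BEGIN { next_c = 1 }          # first container uid of the next range
        $1 == user {
            if (c < next_c + $3) { print $2 + (c - next_c); found = 1; exit }
            next_c += $3
        }
        END { if (!found) print "unmapped" }'
}

# host_to_container HUID: the reverse direction, i.e. what owner a host file
# (for example on a bind-mounted volume) appears to have inside the container.
host_to_container() {
    huid=$1
    if [ "$huid" -eq "$ROOTLESS_UID" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$SUBUID_CONTENT" | awk -F: -v user="$ROOTLESS_USER" -v h="$huid" '
        BEGIN { next_c = 1 }
        $1 == user {
            if (h >= $2 && h < $2 + $3) { print next_c + (h - $2); found = 1; exit }
            next_c += $3
        }
        END { if (!found) print "unmapped" }'
}

# archive_uid_mappable UID: succeed (exit 0) if a tar entry or image layer file
# carrying owner UID can be chown'ed inside the daemon's user namespace, i.e.
# UID lies inside the container-side range the map covers; fail otherwise.
# This follows the post's diagnosis: docker cp archives the host file with its
# raw owner uid (2000000 for "foo"), and that uid, applied as a container uid,
# is outside a map of 65536 + 1000 entries, so lchown would return EINVAL.
archive_uid_mappable() {
    [ "$(container_to_host "$1")" != unmapped ]
}

# Stand-alone demonstration.
printf 'container root  -> host uid %s\n' "$(container_to_host 0)"
printf 'container 1000  -> host uid %s\n' "$(container_to_host 1000)"
printf 'host 2000000    -> container uid %s\n' "$(host_to_container 2000000)"
for uid in 1000 2000000; do
    if archive_uid_mappable "$uid"; then
        printf 'owner %s in an archive: mappable\n' "$uid"
    else
        printf 'owner %s in an archive: NOT mappable (lchown would fail)\n' "$uid"
    fi
done
```

Run it as-is to see the three translations and the two mappability checks; to reason about a real system, replace `SUBUID_CONTENT` with the user's lines from `/etc/subuid` and `ROOTLESS_UID` with `id -u` of the user running the daemon. The check makes the post's constraint explicit: with several users whose uids all lie above 1000000000, a map that covers each of those uids as a container uid would need ranges of that size for every user without overlap, which is what the post finds impossible.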