Docker-rootless high UIDs issues

Hi there,

I am currently evaluating using docker-rootless on a 19.03 installation and I am facing several questions and issues on how it works. On my system I have multiple users with high uids (> 1000000000) and I want to offer them docker-rootless access.

In the documentation https://docs-stage.docker.com/engine/security/userns-remap/ it is said that the uid mapping shall map the root user (uid 0) on the first value of a range I set.

However in rootless mode when my root user creates a file, the owner on the host is not the first value of the subuid range but the uid of the user who started the daemon.

For instance I have created a user named “foo” with uid 2000000 and put the following in /etc/subuid
foo:1000:1000
Then I started a new container and shared a folder of the host:
docker run --rm -ti --name test -v /tmp/test:/mnt/local centos:8 bash

When executing “touch /mnt/local/test1” as root in the container, the file appears to be owned by “foo” (uid 2000000) on the host.

My second issue is about copying files with docker cp.
If I create a file on the host /tmp/test1 owned by “foo” and execute docker cp /tmp/test1 test:/mnt/local/test1 as “foo”, the operation fails with a lchown invalid argument. This seems to be triggered by the fact that docker is trying to map the owner of the file (2000000) into the range 1000:1000 and fails as there’s not enough uids available. Changing the range in /etc/subuid to:
foo:2000001:2000000
makes it work.
The problem is that on my system I cannot change the high UID of users and I have got multiple users. So it is impossible to obtain a mapping with no overlap for all of them and to use docker cp.
Note that pulling images containing files with uid not complying with the mapping also leads to a failure for the same reasons.

Does anyone have any idea about how to solve that?

Here are some thoughts that may help.

First: when you say “docker-rootless”, I assume you mean configuring Docker with userns-remap, rather than rootless docker (they are not the same thing).

Assuming this is about Docker in userns-remap mode:

For problem 1:

The /etc/subuid file should have the range of subuids associated with user foo. Those subuids are typically in a range that does not overlap with the uids of actual users on the host (e.g., foo:231072:65536). Thus, the /etc/subuid with foo:1000:1000 that you showed does not look right since uid 1000 is likely an actual user on your system.

If you were to program the /etc/subuid file with foo:231072:65536, and then add "userns-remap": "foo" to the /etc/docker/daemon.json, then when you launch a container you’ll see that the root user (uid 0) in the container would map to uid 231072 on the host. And uid 1 would map to 231073, and so on, until you exhaust the range of 65536 subuids.

For problem 2: I suspect it’s related to the bad setup that led to problem 1.

Finally: you may want to look into Sysbox. It’s a new type of runc that works under Docker and sets up containers to use the Linux user-namespace automatically. So

docker run --runtime=sysbox-runc --rm -ti centos:8 bash

would give you a container isolated with the user-namespace (and one in which you can run apps or even system software such as systemd, docker, and even k8s inside if you wanted to).
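As an added example (not code from either poster or from Docker), here is the uid arithmetic the reply describes for userns-remap, using the /etc/subuid format from the thread: container uid 0 lands on the first subuid, and a host uid that no range covers has no container counterpart, which is the situation behind the lchown failure in problem 2. The sample /etc/subuid contents and user names are constructed.

```python
# Added example: userns-remap uid arithmetic over /etc/subuid ranges (not Docker code).
from typing import List, Optional, Tuple

# Constructed /etc/subuid contents. "foo" has the range the reply suggests;
# "bar" has the 1000:1000 range from the question, which collides with uid 1000.
SUBUID_SAMPLE = """\
# user:first_subuid:count
foo:231072:65536
bar:1000:1000
"""

Range = Tuple[int, int]  # (first host uid, number of uids)

def parse_subuid(text: str, user: str) -> List[Range]:
    """Return the (start, count) ranges that /etc/subuid grants to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def container_to_host(uid: int, ranges: List[Range]) -> Optional[int]:
    """Container uid -> host uid. Container ids 0..count-1 map onto the first
    range; each further range continues where the previous one stopped."""
    base = 0
    for start, count in ranges:
        if base <= uid < base + count:
            return start + (uid - base)
        base += count
    return None  # unmapped: a chown to this uid fails inside the namespace

def host_to_container(host_uid: int, ranges: List[Range]) -> Optional[int]:
    """Host uid -> container uid, or None when no range covers it. A file
    owned by such a host uid cannot be chowned inside the container."""
    base = 0
    for start, count in ranges:
        if start <= host_uid < start + count:
            return base + (host_uid - start)
        base += count
    return None

def overlaps_real_users(ranges: List[Range], real_uids: List[int]) -> List[int]:
    """Real host uids that fall inside a subuid range (the misconfiguration the
    reply warns about, e.g. 1000:1000 when uid 1000 is a login user)."""
    return [u for u in real_uids if host_to_container(u, ranges) is not None]
```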