Docker Community Forums


Map more UID on rootless Docker and mount volume

Since the rootless mode reached general availability, I am trying it out.
I have a problem, though.

When I mount my working directory with docker-compose, the UID mapper works fine.
Every file created with UID 0 (root) inside the container gets mapped to my user on the host system.

However, when I create a file with a user other than root inside the container, the file owner will be set to a UID without a user on the host system. And now we are back to square one, with the same permission related issues.

Can I map more UIDs apart from 0 to my user on the host system?
If not, how do you deal with the mounted file permission during the application development?

The installation script is available at https://get.docker.com/rootless.

$ curl -fsSL https://get.docker.com/rootless | sh
Make sure to run the script as a non-root user. To install Rootless Docker as the root user, see the Manual installation steps.

The script shows environment variables that are required:

$ curl -fsSL https://get.docker.com/rootless | sh

Docker binaries are installed in /home/testuser/bin

WARN: dockerd is not in your current PATH or pointing to /home/testuser/bin/dockerd

Make sure the following environment variables are set (or add them to ~/.bashrc):

export PATH=/home/testuser/bin:$PATH
export PATH=$PATH:/sbin
export DOCKER_HOST=unix:///run/user/1001/docker.sock

To control docker service run:

systemctl --user (start|stop|restart) docker

Manual installation
To install the binaries manually without using the installer, extract docker-rootless-extras-.tgz along with docker-.tgz from https://download.docker.com/linux/static/stable/x86_64/

If you already have the Docker daemon running as the root, you only need to extract docker-rootless-extras-.tgz. The archive can be extracted under an arbitrary directory listed in the $PATH. For example, /usr/local/bin, or $HOME/bin.

Not sure how it relates to the question.
Are you a human or a spamming bot?

AFAIK lewis95 is a bot, so the context of questions is often misinterpreted.

This recently confused me.

I eventually found this article, which really cleared things up. https://medium.com/@tonistiigi/experimenting-with-rootless-docker-416c9ad8c0d6

Can I map more UIDs apart from 0 to my user on the host system?

No, in rootless docker, only UID 0 maps to the host user.

It’s weird because I think the capability is there if you could disable userns-remap, like podman does when you use --userns=keep-id, described here https://www.redhat.com/sysadmin/user-flag-rootless-containers

However, that option does not appear to be exposed.

If not, how do you deal with the mounted file permission during the application development?

Group permissions, maybe?
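To make the "only UID 0 maps to the host user" answer concrete, here is an added example (not from the thread or from the Docker project) that does the arithmetic the kernel does with a user namespace. Each line of /proc/&lt;pid&gt;/uid_map is "inside-start outside-start count", and rootless Docker builds that map from the host UID plus the /etc/subuid entry ("user:start:count"). The sample map below is constructed for a host user with UID 1001 and a subuid range starting at 100000; on a real rootless setup you would get the same shape from `docker run --rm alpine cat /proc/self/uid_map`.

```shell
#!/bin/sh
# Added example, not part of the forum thread.
# Translates container UIDs to host UIDs (and back) using the uid_map format
# the kernel exposes for a user namespace: "<inside-start> <outside-start> <count>".
#
# CONSTRUCTED sample: host user is UID 1001 and /etc/subuid gives that user
# the range 100000-165535 (65536 ids). This is exactly the shape rootless
# Docker produces: container UID 0 = the host user, container UIDs 1.. = subuids.
SAMPLE_UID_MAP='0 1001 1
1 100000 65536'

# uid_map_from_subuid <host-uid> <subuid-entry>
#   Builds the two-line uid_map from a "user:start:count" /etc/subuid entry.
uid_map_from_subuid() {
    hostuid=$1
    start=$(printf '%s' "$2" | cut -d: -f2)
    count=$(printf '%s' "$2" | cut -d: -f3)
    printf '0 %s 1\n1 %s %s\n' "$hostuid" "$start" "$count"
}

# host_uid <container-uid> [uid_map-text]
#   Prints the host UID that owns a file created by <container-uid> inside
#   the container, or "unmapped" if the id falls outside every range.
host_uid() {
    printf '%s\n' "${2:-$SAMPLE_UID_MAP}" | awk -v cid="$1" '
        NF == 3 && cid >= $1 && cid < $1 + $3 { print $2 + (cid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# container_uid <host-uid> [uid_map-text]
#   The reverse lookup: which UID a host-owned file appears as inside the container.
container_uid() {
    printf '%s\n' "${2:-$SAMPLE_UID_MAP}" | awk -v hid="$1" '
        NF == 3 && hid >= $2 && hid < $2 + $3 { print $1 + (hid - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Demo: only container UID 0 lands on a "real" host user; everything else lands
# in the subuid range, which normally has no /etc/passwd entry on the host.
for cid in 0 1 1000 65536 70000; do
    printf 'container UID %-6s -> host UID %s\n' "$cid" "$(host_uid "$cid")"
done
printf 'host UID 1001   -> container UID %s\n' "$(container_uid 1001)"
printf 'host UID 1002   -> container UID %s\n' "$(container_uid 1002)"
```

Reading the output against the original question: a process running as UID 1000 inside the container writes files owned by host UID 100999, which `ls -l` shows as a bare number because no host user has that id; and a host file owned by a neighbouring user (UID 1002) is unmapped inside the container, which is the permission dead end the thread describes.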

Thanks
That clarifies things for me.

In summary, rootless mode is more about security than usability. They would rather map the user to nobody than to an actual user.

If that is the case, it is not for me. I would rather look into userns-remap in normal mode for my development machine than rootless mode. And I don’t have much issue with my production machines in the first place.

Group permission does work in some of my use cases, but not all.

If somebody is reading this topic in the future, feel free to add more info. Maybe rootless mode will have gotten better by then. I will still monitor the replies, and would love to hear the news.

Is the conclusion that userns-remap does not work with rootless docker?

I tried using rootless docker with both a domain user, and a local user, on Ubuntu 20.04 but only got errors. /etc/subuid and /etc/subgid have the username:startid:idrange entries

Example commands and errors:

$ dockerd-rootless.sh --userns-remap=ljason:ljason
...
INFO[2021-01-22T17:06:09.607299361-08:00] Starting up                                  
WARN[2021-01-22T17:06:09.607732164-08:00] Running in rootless mode. This mode has feature limitations. 
INFO[2021-01-22T17:06:09.607939765-08:00] Running with RootlessKit integration         
INFO[2021-01-22T17:06:09.608571470-08:00] User namespaces: ID ranges will be mapped to subuid/subgid ranges of: ljason 
Cannot create daemon root: /home/ljason/.local/share/docker/305536.305536: chown /home/ljason/.local/share/docker/305536.305536: invalid argument
[rootlesskit:child ] error: command [/home/ljason/bin/dockerd-rootless.sh --userns-remap=ljason:ljason] exited: exit status 1
[rootlesskit:parent] error: child exited: exit status 1

and after modifying docker-rootless.sh to get “jason:domain user” past the argument quoting…

$ dockerd-rootless.sh
...
exec dockerd --userns-remap=jason:domain users
INFO[2021-01-22T17:17:55.673903034-08:00] Starting up                                  
WARN[2021-01-22T17:17:55.674328737-08:00] Running in rootless mode. This mode has feature limitations. 
INFO[2021-01-22T17:17:55.674496638-08:00] Running with RootlessKit integration         
INFO[2021-01-22T17:17:55.688611729-08:00] User namespaces: ID ranges will be mapped to subuid/subgid ranges of: jason 
Cannot create daemon root: /home/jason/.local/share/docker/170000.170000: chown /home/jason/.local/share/docker/170000.170000: invalid argument
[rootlesskit:child ] error: command [/home/jason/bin/dockerd-rootless.sh] exited: exit status 1
[rootlesskit:parent] error: child exited: exit status 1

I don’t get very far with the rootless mode myself, but from what I understand, the entire rootless mode was built on top of userns remapping.

So, no, you can’t use userns-remap on top of rootless mode. However, my understanding might not be accurate, as I haven’t experienced it firsthand.