You can start dockerd with the --userns-remap flag or follow this procedure to configure the daemon using the daemon.json configuration file. The daemon.json method is recommended. If you use the flag, use the following command as a model:
$ dockerd --userns-remap="testuser:testuser"
Edit /etc/docker/daemon.json. Assuming the file was previously empty, the following entry enables userns-remap using a user and group called testuser. You can address the user and group by ID or name. You only need to specify the group name or ID if it is different from the user name or ID. If you provide both the user and group name or ID, separate them with a colon (:) character. The following formats all work for the value, assuming the UID and GID of testuser are 1001:
Note: To use the dockremap user and have Docker create it for you, set the value to default rather than testuser.
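The following shell script is an added example and is not part of the Docker documentation. It encodes the value rules just described (name or ID, optional colon-separated group, or default) as a check, and writes the minimal daemon.json entry to a path you choose. It assumes daemon.json was previously empty, as the text above does; if the file already holds other settings, merge the key instead of overwriting the file.

```shell
#!/bin/sh
# Added example, not from the Docker docs. Assumes /etc/docker/daemon.json was
# empty, as the text above does; the output path is a parameter so the script
# can be tried on a scratch file before touching the real one.

# A user or group may be given as a name or as a numeric ID.
is_name_or_id() { case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; *) return 0 ;; esac; }

# Accept the documented value forms: "default", "user", "user:group", "uid",
# "uid:gid", "user:gid", "uid:group". With no colon, the group is the user.
userns_value_ok() {  # VALUE
  [ "$1" = "default" ] && return 0
  case "$1" in
    *:*:*) return 1 ;;                          # at most one colon allowed
    *:*)   _user=${1%%:*}; _group=${1#*:} ;;
    *)     _user=$1; _group=$1 ;;
  esac
  is_name_or_id "$_user" && is_name_or_id "$_group"
}

# Emit the minimal daemon.json that enables remapping, refusing bad values.
write_userns_daemon_json() {  # VALUE PATH
  userns_value_ok "$1" || { echo "rejected userns-remap value: '$1'" >&2; return 1; }
  printf '{\n  "userns-remap": "%s"\n}\n' "$1" > "$2"
}

# Demonstration on a scratch path (on a real host the path is
# /etc/docker/daemon.json, followed by a Docker restart as the next step says).
scratch=$(mktemp)
for v in testuser testuser:testuser 1001 1001:1001 testuser:1001 1001:testuser default 'a:b:c'; do
  if userns_value_ok "$v"; then echo "accepted: $v"; else echo "rejected: $v"; fi
done
write_userns_daemon_json "testuser:1001" "$scratch" && cat "$scratch"
rm -f "$scratch"
```

The check only validates the shape of the value; whether the named user and group actually exist on the host is verified by the id, /etc/subuid and /etc/subgid steps below.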
Save the file and restart Docker.
If you are using the dockremap user, verify that Docker created it using the id command.
$ id dockremap
uid=112(dockremap) gid=116(dockremap) groups=116(dockremap)
Verify that the entry has been added to /etc/subuid and /etc/subgid:
$ grep dockremap /etc/subuid
$ grep dockremap /etc/subgid
If these entries are not present, edit the files as the root user and assign a starting UID and GID that is the highest-assigned one plus the offset (in this case, 65536). Be careful not to allow any overlap in the ranges.
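The following shell script is an added example, not part of the Docker documentation. It checks a file in /etc/subuid and /etc/subgid format (NAME:START:COUNT per line) for the overlap the step above warns about, lists a user's ranges, and computes the first ID above every existing range, which is the "highest-assigned one plus the offset" the text describes. The file path is always a parameter, and the sample files below are constructed so the script runs without touching the real system files.

```shell
#!/bin/sh
# Added example, not from the Docker docs: sanity-check /etc/subuid-style
# files (lines of NAME:START:COUNT) before enabling userns-remap. The file
# path is always passed in, so the functions also work on a constructed sample.

# Print "START COUNT" for every range assigned to USER in FILE.
subid_ranges() {  # FILE USER
  awk -F: -v u="$2" 'NF >= 3 && $1 == u { print $2, $3 }' "$1"
}

# Exit 0 if no two ranges in FILE overlap; otherwise report each clash and exit 1.
# A range covers START .. START+COUNT-1, so two ranges clash when each starts
# at or before the other ends.
subid_overlaps() {  # FILE
  awk -F: '
    NF < 3 { next }
    { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
    END {
      bad = 0
      for (i = 1; i <= n; i++)
        for (j = i + 1; j <= n; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "overlap: %s (%d-%d) vs %s (%d-%d)\n",
                   name[i], lo[i], hi[i], name[j], lo[j], hi[j]
            bad = 1
          }
      exit bad
    }' "$1"
}

# Print the first ID above every existing range: a safe START for a new entry.
next_free_start() {  # FILE
  awk -F: 'NF >= 3 { e = $2 + $3; if (e > top) top = e } END { print top + 0 }' "$1"
}

# Constructed sample files (not real system files). The dockremap line uses
# the same 231072 start that the directory listing further down shows.
good=$(mktemp); bad=$(mktemp)
printf 'testuser:100000:65536\ndockremap:231072:65536\n' > "$good"
printf 'testuser:100000:65536\nbob:150000:65536\n' > "$bad"

echo "dockremap ranges: $(subid_ranges "$good" dockremap)"
if subid_overlaps "$good"; then echo "ok: no overlaps"; fi
subid_overlaps "$bad" || echo "refusing: fix the clash above first"
echo "next free start: $(next_free_start "$good")"
rm -f "$good" "$bad"
```

Run it against /etc/subuid and /etc/subgid separately, since the two files are independent and a clash in either one is enough to make the remapped IDs collide with another account's range.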
Verify that previous images are not available using the docker image ls command. The output should be empty.
Start a container from the hello-world image.
$ docker run hello-world
Verify that a namespaced directory exists within /var/lib/docker/ named with the UID and GID of the namespaced user, owned by that UID and GID, and not group-or-world-readable. Some of the subdirectories are still owned by root and have different permissions.
$ sudo ls -ld /var/lib/docker/231072.231072/
drwx------ 11 231072 231072 11 Jun 21 21:19 /var/lib/docker/231072.231072/
$ sudo ls -l /var/lib/docker/231072.231072/
drwx------ 5 231072 231072 5 Jun 21 21:19 aufs
drwx------ 3 231072 231072 3 Jun 21 21:21 containers
drwx------ 3 root root 3 Jun 21 21:19 image
drwxr-x--- 3 root root 3 Jun 21 21:19 network
drwx------ 4 root root 4 Jun 21 21:19 plugins
drwx------ 2 root root 2 Jun 21 21:19 swarm
drwx------ 2 231072 231072 2 Jun 21 21:21 tmp
drwx------ 2 root root 2 Jun 21 21:19 trust
drwx------ 2 231072 231072 3 Jun 21 21:19 volumes
Your directory listing may have some differences, especially if you use a different container storage driver than aufs.
The directories which are owned by the remapped user are used instead of the same directories directly beneath /var/lib/docker/ and the unused versions (such as /var/lib/docker/tmp/ in the example here) can be removed. Docker does not use them while userns-remap is enabled.