User Namespace and Volume Mount

We want to use Docker with user namespaces, as the files created in the Docker container should be owned by the correct host user.

OS: CentOS 7.7

What we have done so far:

  • enabling user namespaces on the kernel with sudo grubby --args="namespace.unpriv_enable=1 user_namespace.enable=1" --update-kernel=/boot/vmlinuz-3.10.0-1062.el7.x86_64
  • setting max_user_namespaces with sudo su -c 'echo "user.max_user_namespaces=15064" > /etc/sysctl.d/00-namespaces.conf'
  • rebooting the machine

The daemon.json looks like:

{
  "insecure-registries": ["xxx"],
  "registry-mirrors": ["xxx"],
  "userns-remap": "myuser"
}

The SUB-IDs also exist:
/etc/subgid → myuser:165536:65536
/etc/subuid → myuser:165536:65536

In /var/lib/docker/ we also see:
drwx--x--- 13 root 165536 167 Jan 14 11:43 165536.165536

When running docker run hello-world, everything works as expected.

Running docker run --rm -it -v /home/myuser/test:/test/ -it busybox ends in the following error:

docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/home/myuser/test" to rootfs at "/test" caused: stat /home/myuser/test: permission denied: unknown.

Why does that happen and how can we solve that?

This blog post is about podman, but everything else seems to be similar.

To summarize it, try to run this command:

docker run --rm -it -v /home/myuser/test:/test/:Z -it busybox
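The error in the question comes from the kernel's ordinary permission check, seen from the remapped container. With the subuid/subgid entries quoted above, root inside the container is host uid 165536, and stat(2) on the bind-mount source only succeeds if every parent directory grants search (x) permission to that host id. The script below is an added example, not code from the forum post or from Docker; it assumes the standard "name:start:count" subid format and the standard mapping rule (container id N becomes host id start+N), and it walks the parent directories of a path the way stat(2) does, reporting the first one that denies search permission to the remapped root. The stat function is injectable so the logic can be exercised against a constructed directory tree.

```python
#!/usr/bin/env python3
"""Why a userns-remapped container cannot stat a host bind-mount directory.

Added example (not from the post). Assumes the /etc/subuid line format
"name:start:count" and the rule that container uid N == host uid start+N.
"""
import os
import stat
import sys
from collections import namedtuple

# Constructed values copied from the /etc/subuid and /etc/subgid lines in the post.
SUBUID_LINE = "myuser:165536:65536"
SUBGID_LINE = "myuser:165536:65536"


def parse_subid(line):
    """Parse one subuid/subgid entry into (name, start, count)."""
    name, start, count = line.strip().split(":")
    return name, int(start), int(count)


def container_to_host(cid, start, count):
    """Map an id used inside the container to the host id the kernel really uses."""
    if not 0 <= cid < count:
        raise ValueError(f"id {cid} is outside the {count}-id range")
    return start + cid


def host_to_container(hid, start, count):
    """Reverse mapping; None means the host id has no identity inside the container."""
    return hid - start if start <= hid < start + count else None


# Minimal stand-in for os.stat_result carrying only the fields the check needs.
DirStat = namedtuple("DirStat", "st_uid st_gid st_mode")


def _has_search_bit(st, uid, gid):
    """Classic owner/group/other check for the x (search) bit; ignores ACLs."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def parent_dirs(path):
    """Every directory stat(2) must search to reach path: '/', '/home', ..."""
    parts = os.path.abspath(path).strip("/").split("/")
    dirs = ["/"]
    for comp in parts[:-1]:
        dirs.append(os.path.join(dirs[-1], comp))
    return dirs


def first_denied_dir(path, uid, gid, stat_fn=os.stat):
    """Return the first parent directory that denies search permission to
    (uid, gid), or None when stat on path would pass the DAC check."""
    for d in parent_dirs(path):
        if not _has_search_bit(stat_fn(d), uid, gid):
            return d
    return None


def main(argv):
    path = argv[1] if len(argv) > 1 else "/home/myuser/test"
    _, ustart, ucount = parse_subid(SUBUID_LINE)
    _, gstart, gcount = parse_subid(SUBGID_LINE)
    uid = container_to_host(0, ustart, ucount)
    gid = container_to_host(0, gstart, gcount)
    print(f"container root runs as host uid {uid} / gid {gid}")
    try:
        denied = first_denied_dir(path, uid, gid)
    except OSError as exc:
        print(f"cannot inspect {path}: {exc}")
        return 2
    if denied:
        print(f"{denied} denies search permission to uid {uid}: "
              f"stat on {path} fails with EACCES")
        return 1
    print(f"every parent of {path} is searchable by uid {uid}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_userns_path.py /home/myuser/test` on the host. A CentOS home directory is created with mode 700, so /home/myuser itself is the usual culprit; granting search permission to the remapped range (for example mode 711 on the home directory, or keeping bind-mount sources outside it) is the least-privilege fix on the DAC side. The check covers only the classic permission bits: SELinux labels, which the `:Z` suffix in the answer above addresses, are a separate gate that this script does not evaluate.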