Why is rootless docker still running as root inside container?

From a non-root testuser which is a non sudo account, I have installed a rootless docker following the instruction here (Ubuntu without package).

When I start a container and go inside it by running docker exec -it my_container bash then checking whoami I get: root instead of testuser. In addition, files and folders which are named volumes owned by testuser are not mounted and owned by root.
The docker daemon is running from testuser since I am running that daemon from a systemctl --user.

This is quite confusing.

  1. Why is the docker not running as root inside the container?
  2. Why are the mounted volumes all of a sudden with a different ownership?

I checked this answer here, but it notes that when the daemon is running as root - that’s normal, however that’s not the case with my rootless setup.

It uses username namespace mapping. When you start a container, a different unprivileged host user id will be mapped against the user id inside the container. Of course this affects file ownership (your 2nd question).

I have no idea what your first question means. Though, I assume the question is why the user inside the container is the root user, even though you run rootless docker, right? Even if it might be uid 0 inside the container, the user is actually mapped against the userid of an unprivileged user on the host and not the host’s root user.

Hi @meyay
Thanks for the reply.
In this case, can you please share how can I fix the problem I have, which is:

  • I have files and folders owned by user with UID 1002 (non-root).
  • I’d like to spin up a container, on which I mount these files and folders and save more data to the mounted volume. The new data is saved as the same user 1002.

Now I fail to achieve this as the data when mounted is owned by root and I run the container by user 1002 (by adding the --user 1002:1002 flag) and it fails.

That’s where my question comes from and I have been struggling to address it. : (

I am afraid you have to wait for someone that actually uses rootless docker.

Not many people use rootless docker?

In that case, do you know if I can achieve this without rootless docker?

I am not sure I fully understand the questions either, but rootless Docker means the user on behalf of which the Docker daemon is running becomes root inside the container. So if you see files originally owned by testuser suddenly owned by root that is because every process in the container “thinks” that user is the root. Any file that you create inside the container as root on a mounted filesystem will be saved on the host as testuser. Other files on the host that testuser doesn’t own will be shown in the container as owned by the user “nobody” with the group “nogroup”.

It looks like you are mixing two solutions. You could use --user 1002:1002 with rootful docker, because root is allowed to run processes on behalf of another user. If you do it with rootless Docker, the real user id on the host would be something like 330423. I have just used a random number, I am not sure if it is valid. The point is that 1002 will be converted to a large number. Large enough so the ID most likely doesn’t belong to an existing username on the host. This way you are no longer root in the container and you don’t even have permission to change files on the host owned by testuser with UID 1002.

If you want to run rootless Docker and still allow for example www-data (usually UID 33) to be able to read and write files you need to figure out the userid on the host. You can create a folder writable by everyone, start the container, create the file in the container as www-data and check the ownership of the file on the host.

Or you can check the content of /etc/subuid. Here is mine on a test virtual machine where the user is “ubuntu”:

cat /etc/subuid
ubuntu:100000:65536

The content means that UID 1 will actually be 100000 so UID 33 will be 100032 and the container will be allowed to use maximum 65536 UIDs.

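The mapping rule described in the two answers above (container UID 0 is the daemon user's own UID; container UID N >= 1 lands on subuid_start + N - 1; anything past the subuid range has no host UID and shows up as nobody/nogroup) can be worked out with a small shell helper. This is an added example, not code from the thread or from Docker; the /etc/subuid content, the user names and the UIDs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compute which host UID a container UID is mapped to under
# rootless Docker, following the rule given in the thread above.
#   container UID 0      -> the UID of the user running the rootless daemon
#   container UID N >= 1 -> subuid_start + N - 1 (from /etc/subuid)
#   beyond the range     -> no host UID (files appear as nobody/nogroup)

# Constructed sample of /etc/subuid (assumption, not a real machine's file).
SAMPLE_SUBUID='ubuntu:100000:65536
testuser:165536:65536'

# subuid_range USER [FILE_CONTENT]
# Prints "START COUNT" for USER; reads /etc/subuid when no content is given.
subuid_range() {
    user=$1
    content=${2:-$(cat /etc/subuid)}
    printf '%s\n' "$content" | awk -F: -v u="$user" '$1 == u { print $2, $3; exit }'
}

# host_uid USER OWN_UID CONTAINER_UID [FILE_CONTENT]
# Prints the host UID that CONTAINER_UID maps to, or "unmapped" (exit 1)
# when the UID falls outside USER's subuid range.
host_uid() {
    user=$1; own_uid=$2; cuid=$3; content=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$own_uid"
        return 0
    fi
    set -- $(subuid_range "$user" "$content")
    start=$1; count=$2
    if [ -z "$start" ] || [ "$cuid" -gt "$count" ]; then
        echo "unmapped"
        return 1
    fi
    echo $((start + cuid - 1))
}

# Demonstration with the constructed sample (testuser has host UID 1002).
echo "container root   -> host $(host_uid testuser 1002 0    "$SAMPLE_SUBUID")"
echo "container 33     -> host $(host_uid ubuntu   1000 33   "$SAMPLE_SUBUID")"
echo "container 1002   -> host $(host_uid testuser 1002 1002 "$SAMPLE_SUBUID")"
echo "container 70000  -> host $(host_uid testuser 1002 70000 "$SAMPLE_SUBUID" || true)"
```

With the sample above, --user 1002:1002 inside a container run by testuser (host UID 1002) becomes host UID 166537, not 1002, which is why a bind mount owned by testuser is not writable from such a container; running the container process as UID 0 instead maps it back to testuser itself. To confirm the live mapping on a real setup, read /proc/self/uid_map inside the container (each line is "container_start host_start count") and compare it with the entry for the daemon user in /etc/subuid.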