On Ubuntu 21.10 I have installed rootless Docker following the instructions at https://docs.docker.com/engine/security/rootless/
My /etc/subuid and /etc/subgid appear to be configured correctly:
$ grep ^$(whoami): /etc/subuid
jtreminio:100000:65536
$ grep ^$(whoami): /etc/subgid
jtreminio:100000:65536
From my (admittedly shallow) understanding of namespace mapping, I would expect rootless containers to map their internal root user 0:0 to my host's user 1000:1000. This seems to be the case:
$ docker container run --rm -it -v $PWD:/app -w /app bash touch foobar
$ ls -lah foobar
-rw-r--r-- 1 jtreminio jtreminio 0 Feb 11 16:50 foobar
However, when I try to use any other user ID within the container, I lose all write permissions:
$ docker container run --rm -it -v $PWD:/app -w /app -u 1000:1000 bash touch barfoo
touch: barfoo: Permission denied
If I create a directory with permissions set to 777 it seems this works:
$ mkdir barfoo && chmod 777 barfoo
$ docker container run --rm -it -v $PWD:/app -w /app -u 1000:1000 bash touch barfoo/foobar
$ ls -lah barfoo/
total 8.0K
drwxrwxrwx 2 jtreminio jtreminio 4.0K Feb 11 16:51 .
drwxr-xr-x 5 jtreminio jtreminio 4.0K Feb 11 16:51 ..
-rw-r--r-- 1 100999 100999 0 Feb 11 16:51 foobar
My confusion here is that the contents of my /etc/subuid and /etc/subgid should be catching this? Am I completely misunderstanding how user namespaces work?
There's no filesystem mapping of uid/gid on files across bind mounts. So the uid in the container will be the same as in the host side of the mount. User namespaces shift those uids in the container, so:
$ grep ^$(whoami): /etc/subuid
jtreminio:100000:65536
$ grep ^$(whoami): /etc/subgid
jtreminio:100000:65536
This means container uids 0-65536 are mapped to host uids 100000-165536 (and the same for gids), so those are the uids you'll see on the host for files created in the container.
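The arithmetic behind the answer, as an added example that is not part of the original answer. It assumes the host user has uid 1000 and the two-line uid_map that rootless Docker (rootlesskit) sets up: container root is mapped to the user's own uid, and container uids 1 and up are mapped onto the /etc/subuid range. That layout is consistent with the ownerships shown in the question (a root-created file owned by jtreminio, a uid-1000-created file owned by 100999), and the script reproduces both, plus the reverse direction for deciding which `-u` value can write to a host-owned bind mount. The uid_map text is constructed inline; on a real system the same lines come from `cat /proc/self/uid_map` inside the container.

```shell
#!/bin/sh
# Added example; not code from the original question or answer.
# Constructed uid_map as seen from inside a rootless container for a host
# user with uid 1000 and the subuid entry "jtreminio:100000:65536".
# Format (one range per line): <container_uid> <host_uid> <count>.
UID_MAP='0 1000 1
1 100000 65536'

# container_to_host <container_uid> [uid_map]
# Prints the host uid that files created by <container_uid> will carry on a
# bind mount, or "unmapped" if the uid falls outside every range.
container_to_host() {
    printf '%s\n' "${2:-$UID_MAP}" | awk -v cuid="$1" '
        NF == 3 && cuid >= $1 && cuid < $1 + $3 {
            print $2 + cuid - $1; found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# host_to_container <host_uid> [uid_map]
# Prints the uid a host-owned file appears as inside the container. Host uids
# outside every range show up as the kernel overflow uid 65534 ("nobody").
host_to_container() {
    printf '%s\n' "${2:-$UID_MAP}" | awk -v huid="$1" '
        NF == 3 && huid >= $2 && huid < $2 + $3 {
            print $1 + huid - $2; found = 1; exit
        }
        END { if (!found) print 65534 }'
}

# uid_map_from_subuid <host_uid> <subuid_line>
# Builds the rootless uid_map from the user's own uid and their /etc/subuid
# entry (user:start:count): root -> the user, 1.. -> the subordinate range.
uid_map_from_subuid() {
    start=${2#*:}; start=${start%%:*}
    count=${2##*:}
    printf '0 %s 1\n1 %s %s\n' "$1" "$start" "$count"
}

# Worked cases from the question (comments are the expected output):
container_to_host 0        # 1000   -> root in the container is jtreminio on the host
container_to_host 1000     # 100999 -> the owner seen on barfoo/foobar
host_to_container 1000     # 0      -> only container root can write jtreminio's files
host_to_container 2000     # 65534  -> an unrelated host uid is "nobody" inside
```

To let a non-root container user write to a directory the host user owns, either run as `-u 0` (which is the host user after mapping) or `chown` the directory on the host to the mapped uid that `container_to_host` prints for the `-u` value you want, instead of opening it up with mode 777.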