Files owned by Docker userns-remap user end up owned by nobody inside the container


I am messing around with Docker user namespace remapping:

I have enabled Docker user namespace remapping by modifying /etc/docker/daemon.json. Content currently looks like this:

  "userns-remap": "default"

I have restarted the Docker daemon. The default dockremap user was created as promised by the docs:

[email protected]:~$ id dockremap
uid=125(dockremap) gid=134(dockremap) groups=134(dockremap)

There’s also an entry in /etc/subuid:


Now, I have a folder with a shared file that I wish to bind-mount inside a container to make it available for reading. On the host OS the file has following owner and permission setup:

-rwxrwx--- 1 dockremap dockremap 0 april 8 19:19 shared_file.txt

The file should NOT be world-writable. My actual intention is to safely share a file with some secret information inside it between the host OS and a container.

Parent directory is world-writable, if it makes any difference:

drwxrwxrwx 3 dockremap dockremap 4,0K april 8 19:20 .

I bind-mount this into an Alpine container like so:

docker run --rm -it -w /work -v $(pwd)/shared_file.txt:/work/shared_file.txt remaptest ls -lah

I now expect the file to be owned by root with UID 0 inside the container and thus be available for reading. Instead, it is owned by nobody and not readable by root:

-rwxrwx--- 1 nobody nobody 0 Apr 8 16:19 shared_file.txt

nobody inside container has the following ids:

/work # id nobody
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

Do I have wrong expectations about how user namespace remapping and bind-mount file system permissions work together or is there something wrong here? I have tested this out on two different PCs. One of them running Ubuntu and the other one running Mint. I also tested with a Ubuntu-based container instead of Alpine-based one, but results were pretty much the same. I could of course modify the Dockerfile that is used to build the image, but I am under the impression that the way I’m doing this above should work. The actual Dockerfile I want to use this with comes from a Docker Hub and I wouldn’t want to mess with how it is set up.

Source: Docker Questions