Rootless containers user id remapping in Podman

When running a container rootless with podman, if the user inside the container is root, it is mapped on the host to the id of the user that is running the container.

For example, if the user with id 1000 launches a container that internally runs some application as root (id 0), and this application writes to a volume mapped to the host filesystem, then from the host's point of view the user writing to the filesystem has id 1000. In this example the container's inner root user is mapped to the non-root host user with id 1000.

In podman a container runs in rootless mode when a non-root user launches it. To run it in root mode it must be launched by the root user, or with sudo.

When running a container in root mode, the container's inner user id is used directly on the host. For rootless containers, user id remapping is performed.

User id remapping in rootless mode

Rootless container user id remapping on the host works in the following way:

  • Container inner user id 0 is mapped to host id 1000.
  • Container inner user id 1 or higher is mapped to host id 1000 + inner id. For example, container inner user id 2 is mapped to host id 1002.

Finding out the mapping scheme on your system

To find out the remapping that is applied on a host, run the following command:

podman unshare cat /proc/self/uid_map
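As an added example (not code from the original post), the following Python parses the three-column output of that command, here a constructed sample, and resolves container-side uids to host uids and back, which is what decides the file ownership you see on a mounted volume. It assumes the sample ranges embedded in the code; on a real system the host start of the second range is whatever /etc/subuid grants the launching user.

```python
# Added example (not from the original post): resolve which host uid a
# container-side uid becomes in a rootless Podman container, using the
# /proc/self/uid_map format that `podman unshare cat /proc/self/uid_map` prints.
# Each line has three fields: <first uid inside the user namespace>
# <first uid on the host> <number of consecutive ids in the range>.
from typing import List, Optional, Tuple

Range = Tuple[int, int, int]  # (inner_start, host_start, length)

# Constructed sample, not captured from a real system. The first line is the
# launching user's own uid (1000); the second is the subordinate range that
# /etc/subuid grants that user, whose host start (here 100000) differs per system.
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

def parse_uid_map(text: str) -> List[Range]:
    """Parse uid_map (or gid_map) text into (inner_start, host_start, length) tuples."""
    ranges: List[Range] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inner, host, length = (int(f) for f in fields)
        ranges.append((inner, host, length))
    return ranges

def to_host_uid(inner_uid: int, ranges: List[Range]) -> Optional[int]:
    """Host uid that a container-side uid becomes, or None if it is not mapped."""
    for inner_start, host_start, length in ranges:
        if inner_start <= inner_uid < inner_start + length:
            return host_start + (inner_uid - inner_start)
    return None  # ids outside every range appear as the overflow uid (nobody)

def to_inner_uid(host_uid: int, ranges: List[Range]) -> Optional[int]:
    """Reverse lookup: container-side uid behind a file the host shows as host_uid."""
    for inner_start, host_start, length in ranges:
        if host_start <= host_uid < host_start + length:
            return inner_start + (host_uid - host_start)
    return None

if __name__ == "__main__":
    ranges = parse_uid_map(SAMPLE_UID_MAP)
    for uid in (0, 1, 2, 65536, 65537):
        print(f"container uid {uid:>6} -> host uid {to_host_uid(uid, ranges)}")
```

Feed the real output of the command above to parse_uid_map instead of the sample to see your own system's scheme.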
