Rootless containers user id remapping in Podman
When running a container rootless with Podman, if the container's inner user is root, it is mapped on the host to the id of the user that is running the container.
For example, if the user with id 1000 launches a container that internally runs some application as root (id 0), and this application writes to a volume mapped to the host filesystem, then from the host's point of view the user writing to the filesystem has id 1000.
In this example the container's inner root user id is mapped to a non-root user with id 1000.
In Podman a container runs in rootless mode when a non-root user launches it.
To run it in root mode it must be launched by the root user, or using sudo.
When running a container in root mode, the container's inner user id is used directly on the host.
For rootless containers, user id remapping is performed.
User id remapping in rootless mode
Rootless container user id remapping on the host works in the following way:
- Container inner user id 0 is mapped to host id 1000.
- Container inner user id 1 or higher is mapped to host id 1000 + inner id. For example, a container inner user id 2 is mapped to host id 1002.
Finding out the mapping scheme on your system
To find out the remapping that is applied on a host, run the following command:
podman unshare cat /proc/self/uid_map
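As an added example (not code from the original page), a small Python helper that parses the three-column table printed by the command above (first inner id of a range, the host id it maps to, length of the range) and resolves container ids to host ids and back, reporting ids that fall outside every range. The sample table is constructed to follow the scheme described above; replace it with the real output from your host.

```python
# Added example: resolve container (inner) uids to host uids using the
# uid_map table that `podman unshare cat /proc/self/uid_map` prints.
from typing import Optional

# Constructed sample output, following the scheme described above
# (inner 0 -> host 1000, inner N >= 1 -> host 1000 + N).
# Replace with the real output of the command on your host.
SAMPLE_UID_MAP = """\
         0       1000          1
         1       1001      65536
"""


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map lines into (inner_start, host_start, length) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inner_start, host_start, length = (int(f) for f in fields)
        ranges.append((inner_start, host_start, length))
    return ranges


def load_uid_map(path: str = "/proc/self/uid_map") -> list[tuple[int, int, int]]:
    """Read a live uid_map file; run this inside `podman unshare` on Linux."""
    with open(path, encoding="ascii") as fh:
        return parse_uid_map(fh.read())


def inner_to_host(inner_uid: int, ranges) -> Optional[int]:
    """Host uid for a container uid, or None if the container uid is unmapped.
    Files owned by an unmapped uid show up on the host as the kernel
    overflow uid (typically 65534, 'nobody')."""
    for inner_start, host_start, length in ranges:
        if inner_start <= inner_uid < inner_start + length:
            return host_start + (inner_uid - inner_start)
    return None


def host_to_inner(host_uid: int, ranges) -> Optional[int]:
    """Container uid that a host uid appears as, or None if it is unmapped."""
    for inner_start, host_start, length in ranges:
        if host_start <= host_uid < host_start + length:
            return inner_start + (host_uid - host_start)
    return None
```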