I'm evaluating Podman in rootless mode and facing an issue with the user id mapping.
I run podman with "myuser" who has the ID 1000.
```
cat /etc/subuid
myuser:100000:65536
```
When running a pod where the pod user is root, the files created on the mounted volume belong to "myuser" from the host's perspective; I can access them, so everything is fine.
When running a pod where the pod user is not root, for example UID 2002, the files created on the mounted volume belong to UID "102002" from the host's perspective, which means I cannot access those files on the host.
As expected, podman unshare shows the following:
```
podman unshare cat /proc/self/uid_map
0 1000 1
1 100000 65536
```
Is there any chance that I can get access to these files by correctly configuring podman run or the config files?
Podman 4.3.0 introduced the options uid and gid that can be given to --userns keep-id.
The UID and GID mapping that is described with --uidmap and --gidmap in this answer can now be given as --userns keep-id:uid=$uid,gid=$gid instead. The only difference is that the new syntax is shorter and thus saves you some typing.
See also the troubleshooting tip:
"Podman run fails with "Error: unrecognized namespace mode keep-id:uid=1000,gid=1000 passed""
Yes, you can remap UIDs by using the command-line option --uidmap.
It looks like the container UID you are using is
102002-100000+1=2003
The digit 1 is there because the normal UID on the host is mapped to root in the container by default.
This example demonstrates such a calculation (102002-100000+1=2003):
```
$ id -un
testuser
$ grep testuser /etc/subuid
testuser:100000:65536
$ grep testuser /etc/subgid
testuser:100000:65536
$ mkdir dir1
$ chmod 777 dir1
$ podman run --rm -v ./dir1:/dir1:Z \
    --user 2003:2003 \
    docker.io/library/ubuntu touch /dir1/a
$ ls -l dir1/a
-rw-r--r--. 1 102002 102002 0 Jan 19 19:35 dir1/a
$
```
Let's define some variables so that this Stack Overflow answer can be more reusable for others.
```
uid=2003
subuidStart=100000
subuidSize=65536
```
You could try passing these three options at the same time to podman run:
```
--uidmap $uid:0:1 \
--uidmap 0:1:$uid \
--uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid))
```
Note: $(( expression )) is Bash syntax, so you need to use a bash shell.
Map the UID $uid in the container to your normal UID on the host.
| host UID | intermediate UID | container UID |
|---|---|---|
| normal host UID | 0 | $uid |
Map the UIDs between 0 and $uid - 1 in the container to the lower part of the subuids (subordinate UIDs) (from $subuidStart to $subuidStart+$uid-1).
| host UID | intermediate UID | container UID |
|---|---|---|
| $subuidStart | 1 | 0 |
| $subuidStart + 1 | 2 | 1 |
| ... | ... | ... |
| $subuidStart + $uid - 1 | $uid | $uid - 1 |
Map the UIDs between $uid+1 and $subuidSize in the container to the remaining subuids.
| host UID | intermediate UID | container UID |
|---|---|---|
| $subuidStart + $uid | $uid + 1 | $uid + 1 |
| $subuidStart + $uid + 1 | $uid + 2 | $uid + 2 |
| ... | ... | ... |
| $subuidStart + $subuidSize - 1 | $subuidSize | $subuidSize |
Note that the mapping between host UIDs and the intermediate UIDs can't be modified by the user. The normal host UID is always mapped to the intermediate UID 0.
Note that in the general case there might be more than one range of subuids.
There is a similar command-line option --gidmap for GIDs.
I wrote a troubleshooting tip about this in the Podman documentation.
Using --userns=keep-id is an easy alternative solution compared to using the complex mapping of uidmap/gidmap.
https://docs.podman.io/en/latest/markdown/podman-run.1.html
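As an added example (not code from the answer above or from the Podman project), the following bash script builds the three --uidmap options from the same three variables and then resolves a container UID through the two mapping stages the tables describe: first container UID to intermediate UID via our --uidmap, then intermediate UID to host UID via the rootless user namespace that `podman unshare cat /proc/self/uid_map` prints. The host UID 1000, the subuid range 100000/65536 and the container UID 2003 are constructed from the question and answer; the function names are this example's own. Running it shows that with the mapping, container UID 2003 lands on host UID 1000, while with the default identity mapping it lands on 102002, which is exactly the situation the question describes. The same functions work unchanged for --gidmap, since the map format is identical.

```shell
#!/usr/bin/env bash
# Added example: compute the --uidmap options described in the answer and
# check where a container UID ends up on the host. All sample values are
# constructed (host UID 1000, subuid range 100000/65536, container UID 2003).

# Print the three --uidmap options for a container UID and a subuid range.
# Usage: build_uidmap <uid> <subuidStart> <subuidSize>
build_uidmap() {
    uid=$1; subuidStart=$2; subuidSize=$3
    # container $uid -> intermediate 0 (which is the normal host UID)
    printf '%s %s:0:1 ' --uidmap "$uid"
    # container 0..uid-1 -> intermediate 1..uid (the lower subuids)
    printf '%s 0:1:%s ' --uidmap "$uid"
    # container uid+1..subuidSize -> intermediate uid+1..subuidSize (remaining subuids)
    printf '%s %s:%s:%s' --uidmap "$((uid+1))" "$((uid+1))" "$((subuidSize-uid))"
}

# Turn "--uidmap A:B:C --uidmap ..." into one "A B C" line per range,
# i.e. the /proc/<pid>/uid_map format "inner outer length".
uidmap_to_lines() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -v -e '--uidmap' | tr ':' ' '
}

# Resolve one ID through a map given as "inner outer length" lines.
# Prints the outer ID, or "unmapped" with exit status 1 if no range matches.
map_id() {
    id=$1; map=$2
    while read -r inner outer len; do
        [ -z "$inner" ] && continue
        if [ "$id" -ge "$inner" ] && [ "$id" -lt "$((inner+len))" ]; then
            echo "$((outer + id - inner))"
            return 0
        fi
    done <<EOF
$map
EOF
    echo unmapped
    return 1
}

# Two-stage resolution: container UID -> intermediate UID (our --uidmap),
# then intermediate UID -> host UID (the rootless user namespace map).
# Usage: container_to_host <containerUID> "<--uidmap options>" "<userns map lines>"
container_to_host() {
    inter=$(map_id "$1" "$(uidmap_to_lines "$2")") || { echo unmapped; return 1; }
    map_id "$inter" "$3"
}

# Constructed user namespace map, as `podman unshare cat /proc/self/uid_map`
# would print it for a host user with UID 1000 and subuids 100000-165535.
USERNS_MAP="0 1000 1
1 100000 65536"

OPTS=$(build_uidmap 2003 100000 65536)
echo "options: $OPTS"
# default identity mapping of the whole range, i.e. no --uidmap given
IDENTITY="--uidmap 0:0:65537"
echo "container 2003 with mapping    -> host $(container_to_host 2003 "$OPTS" "$USERNS_MAP")"
echo "container 2003 without mapping -> host $(container_to_host 2003 "$IDENTITY" "$USERNS_MAP")"
echo "container 0 with mapping       -> host $(container_to_host 0 "$OPTS" "$USERNS_MAP")"
echo "container 2004 with mapping    -> host $(container_to_host 2004 "$OPTS" "$USERNS_MAP")"
```

The three echo lines reproduce the tables above: container 0 lands on $subuidStart (100000) and container 2004 on $subuidStart + $uid (102003), while 2003 is the only container UID that reaches the normal host UID. Feed any other --uidmap set to container_to_host to check a mapping before handing it to podman run.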