
Docker rootless mode without userns-remap


I'm running my docker containers in rootless mode in Debian as a systemd user unit without root privileges (e.g. as user 1111). Additionally, rootless mode uses userns-remap to run my containers with subuids/subgids, so a container started by 1111 will actually run as 363143.

This causes more trouble than it's worth; the main goal for me is achieved by running the Docker daemon as a non-root user. How can I disable userns-remap and just run all containers as 1111?

Or alternatively, if disabling userns-remap isn't possible, can I configure it to not use subuids starting from 363143 but always use 1111 instead?


Solution

  • A comprehensive analysis of this problem is here: https://github.com/mamba-org/micromamba-docker/issues/407#issuecomment-2088523507

    Unfortunately, Docker in rootless mode currently does not support disabling the use of a user namespace; the option "--userns=host" is ignored.

    You have only the following options:

    1. Switch to Podman. Podman supports the option --userns=keep-id, which maps the host user to the container user. Newer versions even allow specifying the UID and the GID of the container user to which the host user is being mapped with --userns=keep-id,uid=1111,gid=1111.

    2. You can try to carefully construct the settings in /etc/subuid and /etc/subgid in combination with choosing the host and container user's UID and GID so that the mapping results in the same UID and GID on both sides. Or create a user group on the host that matches the GID that results from the user mapping.

       I did not manage to do this, as described in my post regarding Docker rootless volume mounts, but it may be possible. But this is a brittle solution anyway.

    3. Use a root user inside the container. RootlessKit, used by Docker, maps the container user UID 0 (root) to the host user, so it is not as bad as one may assume (unless the host user has sudo privileges).

    4. Hope and pray that Docker will implement --userns=keep-id same as in Podman.
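To make options 2 and 3 of the answer concrete, here is an added example that is not part of the original question, the answer or the linked issue. It is a small shell calculator for how a container UID appears on the host under rootless Docker. It assumes (this is not stated on the page) the usual two-line user-namespace layout that RootlessKit writes via newuidmap: container UID 0 maps to the host user that runs dockerd, and container UIDs 1..N map in order onto that user's /etc/subuid range; /etc/subgid and GIDs follow the same rule. The host UID 1111 is taken from the question; the /etc/subuid contents are constructed so that container UID 1000 lands on 363143, the value the question reports.

```sh
#!/bin/sh
# Added example, not part of the original question or answer: a calculator for
# how a container UID shows up on the host under Docker rootless mode, and what
# /etc/subuid start value a given host/container UID pairing would need.
#
# Assumption (not stated on the page): RootlessKit's user namespace uses the
# usual two-line newuidmap layout
#   container UID 0        -> the host user that runs dockerd
#   container UIDs 1..N    -> that user's /etc/subuid range, in order
# /etc/subgid and GIDs follow the identical rule.
# Host UID 1111 comes from the question; the ranges below are constructed so
# that container UID 1000 lands on 363143 as reported there.

# Constructed stand-in for /etc/subuid ("user-or-uid:start:count" per line).
SUBUID_SAMPLE='1000:100000:65536
1111:362144:65536'

# subuid_range UID -> prints "START COUNT" for that UID's line (nothing if absent).
subuid_range() {
    printf '%s\n' "$SUBUID_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# map_uid HOST_UID SUB_START SUB_COUNT CONTAINER_UID -> host UID, or "unmapped".
map_uid() {
    host_uid=$1; sub_start=$2; sub_count=$3; cuid=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$host_uid"                  # root inside the container is the host user
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$sub_count" ]; then
        echo $((sub_start + cuid - 1))    # UIDs 1..N are offsets into the subuid range
    else
        echo unmapped                     # no mapping: appears as the overflow UID (nobody)
    fi
}

# host_uid_for HOST_UID CONTAINER_UID -> looks up the subuid line, then maps.
host_uid_for() {
    range=$(subuid_range "$1")
    [ -n "$range" ] || range="0 0"        # no /etc/subuid entry: only UID 0 is mapped
    set -- "$1" "$2" $range
    map_uid "$1" "$3" "$4" "$2"
}

# needed_sub_start HOST_UID CONTAINER_UID -> the /etc/subuid start that would make
# CONTAINER_UID appear on the host as HOST_UID (option 2 in the answer), or
# "none" when CONTAINER_UID is 0 (already mapped) or the start would be below 1.
needed_sub_start() {
    host_uid=$1; cuid=$2
    if [ "$cuid" -eq 0 ] || [ "$cuid" -gt "$host_uid" ]; then
        echo none
    else
        echo $((host_uid - cuid + 1))
    fi
}

# same_id_possible HOST_UID CONTAINER_UID -> succeeds if the current table already
# maps CONTAINER_UID onto a host UID with the same numeric value.
same_id_possible() {
    [ "$(host_uid_for "$1" "$2")" = "$2" ]
}

# Demo with the constructed table.
for cuid in 0 1 1000 65537; do
    echo "host user 1111: container UID $cuid -> host UID $(host_uid_for 1111 "$cuid")"
done
echo "subuid start needed for container UID 1000 to appear as host UID 1111: $(needed_sub_start 1111 1000)"
```

Running it shows the two facts the answer relies on: container root (UID 0) is the host user itself, while any other container UID is pushed into the subuid range, so a non-root container user only coincides with a host UID if the range start is chosen to hit it exactly (here 112 for host 1111 and container 1000), which is why the answer calls that approach brittle.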