Docker User Namespaces (userns-remap) — working notes

  • ACL transition
    • Existing ACLs must either be removed or re-created for the new namespaced (remapped) uids
    • After enabling the Docker user namespace, setfacl fails on the bind mount; strip the old entries first:
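      # Drop the ACL entries granted to the pre-remap owners (root and uid 33 —
      # commonly www-data, confirm on this host) from the whole bind-mounted
      # tree: after userns-remap those host uids no longer correspond to the
      # users the container runs as.
      setfacl -R -x 'u:root' -x 'u:33' basedir
      # Same for the default (inherited) entries that directories pass on to
      # new files.
      setfacl -R -x 'default:u:root' -x 'default:u:33' basedir
      # Inspect what is left on the same tree before granting the remapped uids.
      getfacl -R basedir | less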
    • See the ACL reference linked below
  • Checks from inside the container
    # /proc/self/uid_map: one row per mapping — uid inside the namespace, the
    # host uid it maps to, and the number of consecutive ids covered
    # (e.g. "0 300000 65536": container root is host uid 300000).
    cat /proc/self/uid_map 
    
    # Host files holding the subordinate uid/gid ranges the remap is drawn
    # from; presumably where the 300000 base seen in uid_map comes from — confirm.
    /etc/subuid
    /etc/subgid
    
    # Daemon config that turns the remap on ("userns-remap": "default"; the
    # ranges come from /etc/subuid and /etc/subgid). Note "metrics-addr" binds
    # to 0.0.0.0, so the metrics endpoint is reachable on every interface —
    # bind it to a local address or firewall it on shared networks; the
    # "experimental" switch is also on. The path here is relative; the live
    # file is usually /etc/docker/daemon.json — confirm.
    cat docker/daemon.json
    {
      "bip": "172.22.23.1/24",
      "iptables": true,
      "userns-remap": "default",
      "metrics-addr" : "0.0.0.0:9323",
      "experimental" : true
    }
  • File-ownership test
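    # on host: world-writable scratch dir so the remapped container uid can
    # create files in it (deliberate for this test only — do not keep 777).
    mkdir -p ./test
    chmod 777 ./test
    # Bind-mount with an absolute host path; whether the bare "./test" form is
    # accepted depends on the docker CLI version.
    docker run --rm -it -v "$PWD/test:/local" alpine sh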
    # inside the container: the file is created as root *of the namespace*,
    # which the uid_map row below shows is host uid 300000.
    touch /local/filename
    cat /proc/self/uid_map
             0     300000      65536
    # Inside, ownership is displayed as root/root.
    ls -l /local/
    total 0
    -rw-r--r--    1 root     root             0 Feb  8 19:38 filename
    exit
    
    # on host: the same file is owned by the remapped uid 300000, not root —
    # host-side permissions/ACLs that assume root ownership of container files
    # must be adjusted (see the ACL transition above).
    ls -l test
    total 0
    -rw-r--r-- 1 300000 300000 0 Feb  8 12:36 filename
  • Using the Docker socket from a container under user namespacing
    # Container root (uid 0) is host uid 300000 per uid_map, so the relayed
    # socket is owned by that uid; read /etc/subuid for the base on this host.
    cat /etc/subuid
    # Foreground relay: each connection on the userns socket is forwarded to
    # the real daemon socket (mode 0600, owner 300000, one child per client).
    # NOTE(review): this grants the container the full daemon API, and the
    # daemon itself is not subject to the remap — treat the mount as
    # host-root-equivalent, give it only to trusted workloads, and prefer an
    # API-filtering proxy if a restricted subset of commands is enough.
    sudo socat UNIX-LISTEN:/var/run/docker-userns.sock,user=300000,group=300000,mode=0600,fork UNIX-CLIENT:/var/run/docker.sock
    # Smoke test: the client inside the container talks to the relayed socket.
    docker run -ti -v /var/run/docker-userns.sock:/var/run/docker.sock docker docker version
    
    # equivalent volume entry in a compose file (same root-equivalent caveat applies)
          - /var/run/docker-userns.sock:/var/run/docker.sock:rw