Hi Christian, Hi ext4 mailing list,

I'm currently exploring the ID-mapped mount feature in a real-world scenario and looking for guidance on setting it up in combination with Docker containers on an Ubuntu 24.04 host (kernel 6.8).

My goal is to use ID-mapped mounts with an ext4 filesystem to achieve:

- Seamless user access (no need to chown directories to match container UIDs)
- Security (containers see files as "owned", but the host retains real ownership)
- Multi-user safety (same directory can be exposed to different containers with different user views)
- Mount once, map many (flexibly remount the same data for different users securely)

I have referred to the LWN article “User ID mappings and mounted filesystems” (https://lwn.net/Articles/896255/) to better understand the feature and its intended use cases.

### Setup

On the host:

$ ls -l /mnt/ext4/users/
drwxr-xr-x 3 test1-user test1-user 4096 Apr 8 12:14 test1-user
drwxr-xr-x 2 test2-user test2-user 4096 Apr 8 10:57 test2-user

Created two ID-mapped bind mounts:

$ sudo mount --bind -o X-mount.idmap=b:0:1001:1 /mnt/ext4/users/test1-user /mnt/ext4_1
$ sudo mount --bind -o X-mount.idmap=b:0:1002:1 /mnt/ext4/users/test2-user /mnt/ext4_2

$ mount | grep /mnt/ext4
/dev/vdf on /mnt/ext4 type ext4 (rw,relatime)
/dev/vdf on /mnt/ext4_1 type ext4 (rw,relatime,idmapped)
/dev/vdf on /mnt/ext4_2 type ext4 (rw,relatime,idmapped)

Docker subuid/subgid are configured:

$ cat /etc/subuid
pravin-user:100000:65536
test1-user:165536:65536
test2-user:231072:65536

### Scenario 1: ID-mapped mount used in container (FAILS)

docker run -it --rm --userns=host --user 0:0 \
    --mount type=bind,source=/mnt/ext4_1,target=/mnt/ext4_1 \
    test-container bash

Inside the container:

# ls -l
drwxr-xr-x 2 nobody nogroup 4096 Apr 8 12:14 dir1
-rw-r--r-- 1 nobody nogroup 0 Apr 8 12:14 file1
# touch file2
touch: cannot touch 'file2': Value too large for defined data type

### Scenario 2: Using unshare with ID-mapped mount (FAILS)

$ sudo mount --bind -o X-mount.idmap=b:0:1001:1 /mnt/ext4/users/test1-user /mnt/ext4_1
$ sudo unshare -Urnm bash
# docker run -it --rm --mount type=bind,source=/mnt/ext4_1,target=/mnt/ext4_1 test-container bash

Same "Value too large for defined data type" error occurs when trying to write to the directory.

### Scenario 3: Map directly to container UID (WORKS, but defeats purpose)

$ sudo mount --bind -o X-mount.idmap=b:1001:1001:1 /mnt/ext4/users/test1-user /mnt/ext4_1
$ docker run -it --rm --userns=host --user 1001:1001 \
    --mount type=bind,source=/mnt/ext4_1,target=/mnt/ext4_1 \
    test-container bash

This works (I can create files), but it doesn't use the 0-based remapping that ID-mapped mounts are designed to provide—so the flexibility and isolation benefits are lost.

### Question

Is there a recommended way to make ID-mapped mounts usable inside Docker containers in this scenario?

- Am I missing a userns configuration in Docker that would allow the container root (UID 0) to correctly map to the host UID used in the bind mount?
- Should the bind mount target be made inside a container-specific user namespace before starting the container?
- Or is this a current limitation of Docker's handling of user namespaces + idmapped mounts?

I'd really appreciate any pointers on making this work in a secure, multi-user, real-world container setup.

Thanks a lot for your time and for all the work on this feature—it has great potential for secure container setups!

Thanks & Regards
PraviN
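The following is an added example, not code from the mail above, from util-linux or from the kernel: a small POSIX shell model of the id arithmetic behind one X-mount.idmap=b:<id-mount>:<id-host>:<count> extent, written from the semantics in the kernel's Documentation/filesystems/idmappings.rst. It performs no mounts and runs unprivileged. The point it makes visible is the direction of the mapping: the id-mount field names ids as they are stored on the filesystem, and the id-host field names the kernel ids the calling process carries; a lookup that falls outside the extent yields the overflow id (65534, which ls prints as "nobody"), and a creating caller with no mapping into the extent is refused with EOVERFLOW, the errno behind "Value too large for defined data type". The example assumes test1-user is uid 1001 (inferred from the subuid ordering, not stated in the mail) and also runs the arithmetic for a 65536-id extent to show the general case.

```shell
#!/bin/sh
# Added example (not from the mail, util-linux or the kernel): models how a
# single X-mount.idmap extent "b:<id-mount>:<id-host>:<count>" is applied,
# following the kernel's idmappings.rst:
#   on-disk id   --(map_id_down on the mount's idmap)-->  kernel id seen by caller
#   caller kuid  --(map_id_up   on the mount's idmap)-->  on-disk id of new files
# Ids outside the extent become the overflow id (65534, "nobody" in ls);
# a creator with no mapping gets EOVERFLOW ("Value too large for defined data type").

OVERFLOW_ID=65534   # kernel default overflowuid/overflowgid

# field N of a spec such as "b:0:1001:1"
spec_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# disk_to_kernel SPEC DISK_ID
# The id a file owned by DISK_ID on the filesystem presents through the
# idmapped mount (models make_vfsuid). Prints the overflow id when unmapped.
disk_to_kernel() {
    id_mount=$(spec_field "$1" 2); id_host=$(spec_field "$1" 3); count=$(spec_field "$1" 4)
    if [ "$2" -ge "$id_mount" ] && [ "$2" -lt $((id_mount + count)) ]; then
        echo $((id_host + $2 - id_mount))
    else
        echo "$OVERFLOW_ID"
    fi
}

# kernel_to_disk SPEC KUID
# The on-disk owner a caller running as kernel id KUID gets for a file it
# creates (models mapped_fsuid). Prints EOVERFLOW and returns 1 when the
# caller has no mapping into the mount, which is the failure in the mail.
kernel_to_disk() {
    id_mount=$(spec_field "$1" 2); id_host=$(spec_field "$1" 3); count=$(spec_field "$1" 4)
    if [ "$2" -ge "$id_host" ] && [ "$2" -lt $((id_host + count)) ]; then
        echo $((id_mount + $2 - id_host))
    else
        echo "EOVERFLOW"
        return 1
    fi
}

# Walk the mail's three specs plus one container-sized extent.
# Assumption (constructed here): test1-user is uid 1001 on the host.
demo() {
    for spec in b:0:1001:1 b:1001:1001:1 b:1001:0:1 b:0:100000:65536; do
        printf '%-18s disk 1001 -> kernel %-6s | kernel 0 creates as disk %-9s | kernel 1001 creates as disk %s\n' \
            "$spec" \
            "$(disk_to_kernel "$spec" 1001)" \
            "$(kernel_to_disk "$spec" 0 || true)" \
            "$(kernel_to_disk "$spec" 1001 || true)"
    done
}

demo
```

Reading the table the script prints: with b:0:1001:1, on-disk uid 1001 has no mapping (nobody) and a caller running as host root has no mapping either (EOVERFLOW), which is exactly the pair of symptoms in Scenario 1; b:1001:1001:1 is the identity for uid 1001 and so only works for a caller that is already 1001, as in Scenario 3; the reversed extent b:1001:0:1 is the one under which on-disk 1001 is presented as kernel uid 0 and files created by host root land on disk as 1001. Whether Docker preserves the idmapped bind mount when it sets up the container's mount namespace is a separate question that this model does not answer.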