Error Codes Wiki

Linux Container Permission Errors — User Namespaces and Rootless Containers



Quick Answer

What is rootless Docker?

Rootless Docker runs the Docker daemon and the containers as a regular user rather than root. This reduces the impact of a daemon or container compromise, but it has limitations: it cannot bind privileged ports (below 1024) by default, some volume mount and file-ownership restrictions apply, and kernel modules cannot be loaded.

Overview

Fix Linux container permission errors related to user namespaces, rootless Docker/Podman, volume mounts with wrong UIDs, and seccomp profile restrictions.

Key Details

  • User namespaces map container UIDs to unprivileged host UIDs for security isolation
  • Rootless Docker/Podman runs containers without root on the host but has limitations
  • Volume mounts show 'permission denied' when container UID does not map to host file owner
  • Seccomp profiles restrict which system calls containers can make
  • Capabilities (NET_ADMIN, SYS_PTRACE, etc.) can be added or dropped per container

Common Causes

  • Container process running as root inside the container but mapped to an unprivileged user on the host, so host files owned by real root are not writable from the container
  • Volume mount ownership mismatch between host UID and container UID
  • Seccomp profile blocking a system call the application needs
  • Missing Linux capabilities required by the containerized application
  • Rootless container trying to bind to privileged port (<1024)

Steps

  1. Check the container user: docker exec <container> id shows the UID and GID the process runs as inside the container
  2. Map UIDs: enable --userns-remap (dockerd flag, or the "userns-remap" key in daemon.json) for user namespace mapping
  3. Fix volume permissions: podman unshare chown <uid>:<gid> /host/path for rootless Podman
  4. Add capabilities: docker run --cap-add NET_ADMIN ... grants a specific capability
  5. Allow privileged ports in rootless mode (on the host): sysctl -w net.ipv4.ip_unprivileged_port_start=80
  6. Debug seccomp: run with --security-opt seccomp=unconfined temporarily to test (not for production)
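Steps 1 to 3 come down to one calculation: which host UID does the container process actually run as, and does that UID own the mounted path? The script below is an added example, not from this wiki page or from the Docker or Podman projects. It reads a mapping in the kernel's /proc/<pid>/uid_map format (the real one comes from the running container; the mappings here are constructed) and reports the host UID a container UID lands on, plus whether a volume owned by a given host UID will be writable.

```shell
#!/bin/sh
# Added example (not from the original page). Translate a container UID to the
# host UID it lands on under a user-namespace mapping, so a volume's host owner
# can be set to match instead of guessing.
#
# Mapping lines use the kernel's /proc/<pid>/uid_map format:
#   <container-start> <host-start> <length>
# Real mappings: cat /proc/$(docker inspect -f '{{.State.Pid}}' <container>)/uid_map
# or, for rootless Podman: podman unshare cat /proc/self/uid_map

# map_uid MAPPING CONTAINER_UID
# Prints the host UID for a container UID, or "unmapped" when the UID falls
# outside every range. An unmapped container UID cannot be used inside the
# namespace at all (setuid fails), and host files owned outside the ranges show
# up inside the container as the overflow UID 65534 (nobody).
map_uid() {
    _mapping=$1
    _cuid=$2
    _host=$(printf '%s\n' "$_mapping" | while read -r cstart hstart len; do
        [ -n "$cstart" ] || continue
        if [ "$_cuid" -ge "$cstart" ] && [ "$_cuid" -lt $((cstart + len)) ]; then
            echo $((hstart + _cuid - cstart))
            break
        fi
    done)
    if [ -n "$_host" ]; then echo "$_host"; else echo unmapped; fi
}

# volume_check MAPPING CONTAINER_UID HOST_OWNER_UID
# Prints "ok" when the container process's host UID owns the path,
# "unmapped" when the container UID is outside the mapping, or
# "mismatch:<host-uid>" with the host UID the path would need to be owned by.
volume_check() {
    _h=$(map_uid "$1" "$2")
    if [ "$_h" = unmapped ]; then
        echo unmapped
    elif [ "$_h" = "$3" ]; then
        echo ok
    else
        echo "mismatch:$_h"
    fi
}

# Constructed mappings for the demo.
# Docker with userns-remap: container root is host UID 100000 (from /etc/subuid).
DOCKER_REMAP='0 100000 65536'
# Rootless Podman for host user 1000: container root is the user itself, and
# container UIDs 1..65536 use the subordinate range starting at 100000.
PODMAN_ROOTLESS='0 1000 1
1 100000 65536'

# Typical failure: the image runs as UID 1000, the host path is owned by UID 1000,
# and yet writes fail, because container 1000 is not host 1000.
echo "docker userns-remap, container uid 1000 -> host uid $(map_uid "$DOCKER_REMAP" 1000)"
echo "volume owned by host uid 1000: $(volume_check "$DOCKER_REMAP" 1000 1000)"
echo "rootless podman, container uid 1000 -> host uid $(map_uid "$PODMAN_ROOTLESS" 1000)"
echo "rootless podman, container root -> host uid $(map_uid "$PODMAN_ROOTLESS" 0)"
```

A "mismatch:101000" result means the fix is chown 101000 on the host path (or, for rootless Podman, podman unshare chown 1000 /host/path, which performs the same translation for you); an "unmapped" result means the image uses a UID beyond the subordinate range in /etc/subuid and the range, not the volume, needs enlarging.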

Tags

container, namespace, rootless, permissions, seccomp

