Why do my files show as 'nobody' in a rootless container?

User namespace remapping changes UIDs. Host UID 1000 may map to a different UID inside the container. Use podman unshare to manage file ownership in the remapped namespace.

Should I use rootless or rootful containers?

Rootless for production security. Rootful for development convenience. Podman defaults to rootless. Docker requires explicit rootless mode setup. The security benefit of rootless is significant.

Linux Container Permission Errors — User Namespaces and Rootless Containers

Warningdocker

Overview

Fix Linux container permission errors related to user namespaces, rootless Docker/Podman, volume mounts with wrong UIDs, and seccomp profile restrictions.

Key Details

User namespaces map container UIDs to unprivileged host UIDs for security isolation
Rootless Docker/Podman runs containers without root on the host but has limitations
Volume mounts show 'permission denied' when container UID does not map to host file owner
Seccomp profiles restrict which system calls containers can make
Capabilities (NET_ADMIN, SYS_PTRACE, etc.) can be added or dropped per container

Common Causes

Container process running as root inside container but mapped to unprivileged user on host
Volume mount ownership mismatch between host UID and container UID
Seccomp profile blocking a system call the application needs
Missing Linux capabilities required by the containerized application
Rootless container trying to bind to privileged port (<1024)

Steps

1Check container user: docker exec container id to see UID inside the container
2Map UIDs: use --userns-remap in Docker daemon config for user namespace mapping
3Fix volume permissions: podman unshare chown <uid>:<gid> /host/path for rootless Podman
4Add capabilities: docker run --cap-add NET_ADMIN for specific capabilities
5Allow privileged port in rootless: sysctl -w net.ipv4.ip_unprivileged_port_start=80
6Debug seccomp: run with --security-opt seccomp=unconfined temporarily to test (not for production)

Related Items

linux-docker-container-errors-detailed

More in Docker

linux-docker-common-errorsLinux Docker Common Errors — Container, Network & Volume Troubleshooting

Error

linux-docker-container-errors-detailedDocker Container Errors — Exit Codes, OOMKilled, and Networking Issues

Error

linux-kubernetes-pod-crashloopbackoffKubernetes CrashLoopBackOff — Pod Restart Loop and Container Crash Debugging

Error

linux-kubernetes-pod-imagepullbackoffKubernetes ImagePullBackOff — Container Image Download and Registry Errors

Error

linux-docker-compose-network-errorDocker Compose Network Errors — Container Communication and DNS Resolution Failures

Warning

Frequently Asked Questions

Rootless Docker runs the Docker daemon and containers as a regular user, not root. This improves security but has limitations: cannot bind privileged ports, some volume mount restrictions, and no kernel module loading.

Linux Container Permission Errors — User Namespaces and Rootless Containers

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Docker

Frequently Asked Questions