
Rootless + userns-remap permission denied #42319

Open
AGhost-7 opened this issue Apr 24, 2021 · 1 comment
Labels: area/security/userns, kind/enhancement, version/20.10

Comments


AGhost-7 commented Apr 24, 2021

Description

I am trying to use user namespaces in conjunction with rootless mode. I want my (non-root) user inside the container to be able to write to some volumes on the host. The directories on the host are owned by the same user running the rootless daemon.

Steps to reproduce the issue:

  1. Configure rootless docker with userns-remap to remap 1000 to 1000
  2. docker run --rm -ti -v $HOME:/host-home aghost7/ubuntu-dev-base:focal sh

Describe the results you received:

docker: Error response from daemon: mkdir /run/user/1000.100000.10000: permission denied.

Describe the results you expected:
The user inside the container (with uid 1000) will be able to write to the /host-home volume.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:42:10 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:46:14 2021
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker info:

Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 20.10.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  userns
  rootless
 Kernel Version: 5.4.0-72-generic
 Operating System: Ubuntu 20.04.2 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 15.57GiB
 Name: jonathan-Z97X-Gaming-5
 ID: S3CM:D7UH:4ZUW:2N4D:WBN4:24VX:OYBS:EC2F:7VZD:WXLF:MIEQ:CDS7
 Docker Root Dir: /home/jonathan/.local/share/docker/100000.10000
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine


Additional environment details (AWS, VirtualBox, physical, etc.):
/etc/subgid:

jonathan:10000:1800000

/etc/subuid:

jonathan:100000:1800000

~/.config/systemd/user/docker.service:

[Unit]
Description=Docker Application Container Engine (Rootless)
Documentation=https://docs.docker.com

[Service]
Environment=PATH=/home/jonathan/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ExecStart=/home/jonathan/.local/bin/dockerd-rootless.sh --experimental --userns-remap="1000:1000"
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
Type=simple

[Install]
WantedBy=default.target

AkihiroSuda added the kind/enhancement and area/security/userns labels and removed the kind/question label on Apr 26, 2021


pkit commented Nov 24, 2021

Please remove the rootless tag, as it's exactly the same problem for "rooted" dockerd too.
In short: bind mounts are not writable for uid 0 inside the container even though they are correctly owned by the subuid that userns maps to. Which means that bind mounts are totally unusable with userns.

AkihiroSuda removed the area/rootless label on Jan 7, 2022
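Both the original report (container uid 1000 expecting write access to $HOME under a rootless daemon) and pkit's comment (container uid 0 unable to write a bind mount under a rootful userns-remap daemon) come down to the same question: which host uid does a container uid actually land on, and does the bind-mount directory belong to it? The script below is an added example, not code from the issue or from Docker. It computes that host uid from an /etc/subuid entry for the rootful `--userns-remap` case (container uid N is subuid start + N) and for the default RootlessKit mapping used by rootless dockerd (container uid 0 is the rootless user's own uid, container uid N > 0 is subuid start + N - 1; this mapping is an assumption here and is worth confirming against `/proc/<dockerd pid>/uid_map` on the host), then compares it with the owner of the directory. The `SUBUID_SAMPLE` line is constructed sample data shaped like the entry in the issue. It does not address the earlier `mkdir /run/user/1000.100000.10000` failure, which happens before any container starts.

```shell
#!/bin/sh
# Added example (not part of the issue or of Docker): map a container uid to the
# host uid that owns its files under userns remapping, and check whether a
# bind-mount directory is owned by that uid. A mismatch here is what surfaces
# as "permission denied" inside the container.

# Constructed sample of /etc/subuid, same shape as the entry in the issue.
SUBUID_SAMPLE='jonathan:100000:1800000'

# subuid_start USER SUBUID_TEXT -> first subordinate uid assigned to USER
subuid_start() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Rootful dockerd with --userns-remap=USER: container uid N -> host uid START+N,
# so container root (uid 0) owns files as host uid START.
rootful_host_uid() {   # $1 = container uid, $2 = subuid start
    echo $(( $2 + $1 ))
}

# Rootless dockerd run by a user with uid RUID. Assumption: the default
# RootlessKit mapping, where container uid 0 is RUID and container uids
# 1..COUNT are START..START+COUNT-1, so a non-root container uid N lands on
# host uid START+N-1. Verify with /proc/<dockerd pid>/uid_map on a real host.
rootless_host_uid() {  # $1 = container uid, $2 = rootless user uid, $3 = subuid start
    if [ "$1" -eq 0 ]; then
        echo "$2"
    else
        echo $(( $3 + $1 - 1 ))
    fi
}

# owner_uid DIR -> numeric uid owning DIR (ls -n is POSIX; stat -c is GNU-only)
owner_uid() {
    ls -nd "$1" | awk '{ print $3 }'
}

# check_owner DIR EXPECTED_UID -> exit status 0 when DIR is owned by EXPECTED_UID
check_owner() {
    actual=$(owner_uid "$1") || return 2
    [ "$actual" -eq "$2" ]
}

# diagnose MODE DIR CONTAINER_UID USER RUID SUBUID_TEXT
# Prints the host uid the bind mount must be owned by and whether DIR matches.
# RUID is only used in rootless mode.
diagnose() {
    mode=$1; dir=$2; cuid=$3; user=$4; ruid=$5; subuid_text=$6
    start=$(subuid_start "$user" "$subuid_text")
    [ -n "$start" ] || { echo "no /etc/subuid entry for $user" >&2; return 2; }
    case $mode in
        rootful)  want=$(rootful_host_uid "$cuid" "$start") ;;
        rootless) want=$(rootless_host_uid "$cuid" "$ruid" "$start") ;;
        *) echo "mode must be rootful or rootless" >&2; return 2 ;;
    esac
    if check_owner "$dir" "$want"; then
        echo "$dir is owned by host uid $want: container uid $cuid can write"
    else
        echo "$dir is owned by host uid $(owner_uid "$dir"); container uid $cuid needs host uid $want (chown $want '$dir')"
        return 1
    fi
}

# Stand-alone demo with the issue's numbers: container uid 1000 under the
# rootless daemon of the invoking user, checked against that user's home.
if [ "${1:-}" = "--demo" ]; then
    diagnose rootless "$HOME" 1000 "$(id -un)" "$(id -u)" "$(cat /etc/subuid 2>/dev/null)"
fi
```

Run it as `sh check-userns-owner.sh --demo` on the host running the daemon. With the issue's numbers (subuid start 100000, container uid 1000, rootless user uid 1000), the rootless path reports that $HOME would have to be owned by host uid 100999, not 1000, which is why the non-root container user cannot write there even once the daemon starts; for the rootful remap in pkit's comment, container uid 0 needs the directory owned by host uid 100000.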