Docker change existing stack to start with user namespace but keep images, volumes and containers

To mitigate the problem with root access from a container to its host, I would like to start the docker service with a user namespace as the docker docs suggest. This is how I did it:

sudo adduser dockremap
sudo sh -c 'echo dockremap:500000:65536 > /etc/subuid'
sudo sh -c 'echo dockremap:500000:65536 > /etc/subgid'
sudo vim /etc/docker/daemon.json
   {
     "userns-remap": "dockremap"
   }
sudo service docker restart

While this leads to the desired behaviour of having root inside a container that is mapped to dockremap on the host, I cannot see all of the images and containers created earlier anymore.

Question: Is it possible to restart the docker daemon as shown but keep all of my volumes, images and containers? If not, what else can be suggested (docker rootless, AppArmor groups <- hard to find a start)?


Solution 1:

No, it is not possible. From Docker's documentation on user namespaces:

Enabling userns-remap effectively masks existing image and container layers, as well as other Docker objects within /var/lib/docker/. This is because Docker needs to adjust the ownership of these resources and actually stores them in a subdirectory within /var/lib/docker/. It is best to enable this feature on a new Docker installation rather than an existing one.

Docker would like to make this easier, but at the filesystem level, uids/gids on files cannot be transparently mapped in a filesystem-agnostic way. There are some efforts to get this functionality added, and the progress is most visible with the rootless development. Things to look at include the efforts behind shiftfs, fuse-overlayfs, and similar projects.
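As an added illustration (not part of the question or the answer above) of why the earlier images "disappear": once userns-remap is on, the daemon keeps its objects under a data-root subdirectory named after the first subordinate uid and gid of the remap user, so the old layers sit untouched in /var/lib/docker while the daemon looks in /var/lib/docker/500000.500000. The helper below derives that directory from /etc/subuid-style files and checks the range size; the sample files are constructed to match the entries in the question, and the default data root /var/lib/docker is assumed.

```shell
#!/bin/sh
# Derive the data root a userns-remapped dockerd will use and sanity-check
# the subordinate ID range. Added example; assumes the default data root.

# first_sub_id FILE USER: start of USER's first subordinate ID range
first_sub_id() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# sub_range_len FILE USER: length of USER's first subordinate ID range
sub_range_len() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# remapped_data_root SUBUID_FILE SUBGID_FILE USER [DATA_ROOT]
# Prints e.g. /var/lib/docker/500000.500000; fails if USER has no range.
remapped_data_root() {
    uid=$(first_sub_id "$1" "$3")
    gid=$(first_sub_id "$2" "$3")
    [ -n "$uid" ] && [ -n "$gid" ] || return 1
    printf '%s/%s.%s\n' "${4:-/var/lib/docker}" "$uid" "$gid"
}

# check_range FILE USER: succeed only if the range covers at least 65536 IDs,
# the size needed to map a container's full 0..65535 uid/gid space
check_range() {
    len=$(sub_range_len "$1" "$2")
    [ -n "$len" ] && [ "$len" -ge 65536 ]
}

# Constructed sample files mirroring the question's /etc/subuid and /etc/subgid
demo_dir=$(mktemp -d)
printf 'dockremap:500000:65536\n' > "$demo_dir/subuid"
printf 'dockremap:500000:65536\n' > "$demo_dir/subgid"

if [ "${1:-}" = "--demo" ]; then
    # Where the remapped daemon will look for images, containers and volumes
    remapped_data_root "$demo_dir/subuid" "$demo_dir/subgid" dockremap
    check_range "$demo_dir/subuid" dockremap && echo "subuid range ok"
fi
```

Because the pre-remap objects are only masked, not deleted, the usual way to carry images across the switch is `docker save` before enabling the remap and `docker load` afterwards.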