dockerd use --userns-remap=default and docker run use --userns=host, why rootfs owner is not root?

[howu911]

dockerd config:
/usr/bin/dockerd --userns-remap=default -H fd:// --containerd=/run/containerd/containerd.sock

image is busybox
docker run -it --userns=host c98db043bed9 sh

the owner of rootfs is user-map uid,like this:
/ # ls -ald /
drwxr-xr-x 1 296608 296608 4096 Sep 8 07:10 /

why rootfs owner is not root? Does this cause security issues?

docker version:
Client:
Version: 20.10.7
API version: 1.41
Go version: go1.13.8
Git commit: 20.10.7-0ubuntu5~18.04.3
Built: Mon Nov 1 01:04:14 2021
OS/Arch: linux/amd64
Context: default
Experimental: true

Server:
Engine:
Version: 20.10.7
API version: 1.41 (minimum version 1.12)
Go version: go1.13.8
Git commit: 20.10.7-0ubuntu518.04.3
Built: Fri Oct 22 00:57:37 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.5.5-0ubuntu318.04.2
GitCommit:
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d1
docker-init:
Version: 0.19.0
GitCommit:

[cpuguy83]

It is not root because you are doing --userns=host but when using --userns-remap, the image/container filesystems are chown'd to adjusted to match the user mapping.
So --userns=host turns off the actual runtime view of the filesystem but the filesystem ownership doesn't change along with that.

Basically this is working as intended... at least in terms of how this had to be implemented (and mostly still has to be implemented).
It should not be a security issue.

[howu911]

when use --userns=host, Why doesn't runc chown the owner of rootfs before mounting the root filesystem?
Is there any problem with doing this?

[cpuguy83]

It's very expensive to do this.