Replies: 2 comments 1 reply
-
ID mappings are one-to-one; that is the rule given by the kernel, so you cannot map one host id to several container ids.
1 reply
-
Have you tried the uid and gid option?
podman version: 5.5.2
0 replies
-
Hello,
I'm currently trying to get better at using podman with quadlets. I am therefore trying to set up a rootless Grafana Loki container on my current Linux host. I already have a working configuration figured out but am now facing a weird issue when trying to use named volumes.
Inside my configuration I use a named volume for storing the local configuration file of Grafana Loki (sidenote: Grafana Loki runs as the loki user inside the container by default). After spinning up the container I can now see and access the named volume from my host (owned by the host user by default). However, all files inside the named volume are owned by a different user and are inaccessible to my host user.
When looking at the same files from inside the container I can see that those files are owned by the loki user (uid=gid=10001).
If I now adjust my configuration with 'UserNS=keep-id:uid=10001,gid=10001' and spin the container up again to recreate the volume, I can no longer access the named volume from my host (it is now owned by an unknown user and group).
After playing around a bit with different configurations and inspecting the affected files from the host and from inside the container, I came to the conclusion that this is caused by the named volume always being owned by root (from inside the container) and the underlying files always being owned by the application user (from inside the container).
I am therefore now trying to map my host user to both the root and the application user. I am however unable to do so, as it seems my host user is always only mapped to root or to the application user.
Is there even a way to achieve something like this?
I am also interested in possible security concerns about this setup.
I would appreciate any help.
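As an added illustration of the one-to-one rule from the first comment (example code, not from the discussion or from podman): the two uid_map tables below are constructed to resemble a default rootless mapping and a keep-id:uid=10001 mapping for host user 1000 with a subuid range starting at 100000, and the lookup resolves a container uid to the host uid the kernel would show, which is why the volume directory (container root) and loki's files (container uid 10001) can never both belong to the same host user.

```sh
#!/bin/sh
# Added example, not from the discussion: resolve a container uid to a host
# uid through a uid_map table in /proc/<pid>/uid_map format
# (<id inside namespace> <id outside namespace> <length>).

# Constructed map for a default rootless container: host user 1000 is
# container root and /etc/subuid range 100000-165535 supplies ids 1 and up.
DEFAULT_MAP='0 1000 1
1 100000 65536'

# Constructed (assumed) map for UserNS=keep-id:uid=10001: host user 1000 is
# container id 10001 and every other container id comes from the subuid range.
KEEP_ID_MAP='0 100000 10001
10001 1000 1
10002 110001 55535'

# map_id MAP CONTAINER_ID: print the host id that owns a file created by
# CONTAINER_ID, or "unmapped" when no range covers it (the host then shows
# the owner as an unknown user).
map_id() {
    result=unmapped
    while read -r cstart hstart len; do
        [ -n "$cstart" ] || continue
        if [ "$2" -ge "$cstart" ] && [ "$2" -lt $((cstart + len)) ]; then
            result=$((hstart + $2 - cstart))
            break
        fi
    done <<EOF
$1
EOF
    echo "$result"
}

# volume_owners MAP: who the host sees as owner of the volume directory
# (created by container root) and of loki's files (container uid 10001).
volume_owners() {
    echo "dir=$(map_id "$1" 0) file=$(map_id "$1" 10001)"
}

main() {
    echo "default mapping: $(volume_owners "$DEFAULT_MAP")"   # dir=1000 file=110000
    echo "keep-id mapping: $(volume_owners "$KEEP_ID_MAP")"   # dir=100000 file=1000
}

main
```

The real table for a running container is in /proc/<container pid>/uid_map; under rootless podman the host user is the only host id it can contain, so one of the two owners always lands in the subuid range.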