docker 打开userns-remap后无法运行

背景

开启docker的隔离机制之后，重启docker 发现无法运行

参考文档

https://www.cnblogs.com/sparkdev/archive/2018/09/13/9614326.html

https://geofftools.cn/blog/mount-docker-without-creating-root-file/#:~:text=%E5%9C%A8docker%E6%8C%82,ot%3Aroot%E3%80%82

https://docs.docker.com/engine/security/userns-remap/

/etc/docker/daemon.json

{
    "registry-mirrors": [
            "http://hub-mirror.c.163.com",
            "https://registry.docker-cn.com",
            "https://docker.mirrors.ustc.edu.cn",
            "https://2oslzh3e.mirror.aliyuncs.com"
    ],
        "userns-remap": "1001:1001"
}

cat /etc/subuid

lighthouse:100000:65536
ziop:165535:65536

cat /etc/subgid

lighthouse:100000:65536
ziop:165535:65536

测试

运行

docker run hello-world

报错

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:53f1bbee2f52c39e41682ee1d388285290c5c8a76cc92b42687eecf38e0af3f0
Status: Downloaded newer image for hello-world:latest

docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: can't get final child's PID from pipe: EOF: unknown.
ERRO[0002] error waiting for container: context canceled

原因

containers 虽然组别已经变成166535了但是仍然属于root

userns-remap 是配运行用户？