@@ -26,9 +26,10 @@ var keySize = []byte("size")

 // Opt defines options for creating the snapshotter

 type Opt struct {

-	GraphDriver graphdriver.Driver

-	LayerStore  layer.Store

-	Root        string

+	GraphDriver     graphdriver.Driver

+	LayerStore      layer.Store

+	Root            string

+	IdentityMapping *idtools.IdentityMapping

 }

 type graphIDRegistrar interface {

@@ -79,7 +80,7 @@ func (s *snapshotter) Name() string {

 }

 func (s *snapshotter) IdentityMapping() *idtools.IdentityMapping {

-	return nil

+	return s.opt.IdentityMapping

 }

 func (s *snapshotter) Prepare(ctx context.Context, key, parent string, opts ...snapshots.Opt) error {

@@ -253,6 +254,7 @@ func (s *snapshotter) Mounts(ctx context.Context, key string) (snapshot.Mountabl

 		id := identity.NewID()

 		var rwlayer layer.RWLayer

 		return &mountable{

+			idmap: s.opt.IdentityMapping,

 			acquire: func() ([]mount.Mount, error) {

 				rwlayer, err = s.opt.LayerStore.CreateRWLayer(id, l.ChainID(), nil)

 				if err != nil {

@@ -278,6 +280,7 @@ func (s *snapshotter) Mounts(ctx context.Context, key string) (snapshot.Mountabl

 	id, _ := s.getGraphDriverID(key)

 	return &mountable{

+		idmap: s.opt.IdentityMapping,

 		acquire: func() ([]mount.Mount, error) {

 			rootfs, err := s.opt.GraphDriver.Get(id, "")

 			if err != nil {

@@ -440,6 +443,7 @@ type mountable struct {

 	acquire  func() ([]mount.Mount, error)

 	release  func() error

 	refCount int

+	idmap    *idtools.IdentityMapping

 }

 func (m *mountable) Mount() ([]mount.Mount, error) {

@@ -480,5 +484,5 @@ func (m *mountable) Release() error {

 }

 func (m *mountable) IdentityMapping() *idtools.IdentityMapping {

-	return nil

+	return m.idmap

 }

@@ -17,6 +17,7 @@ import (

 	"github.com/docker/docker/builder"

 	"github.com/docker/docker/daemon/config"

 	"github.com/docker/docker/daemon/images"

+	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/pkg/streamformatter"

 	"github.com/docker/docker/pkg/system"

 	"github.com/docker/libnetwork"

@@ -73,6 +74,7 @@ type Opt struct {

 	ResolverOpt         resolver.ResolveOptionsFunc

 	BuilderConfig       config.BuilderConfig

 	Rootless            bool

+	IdentityMapping     *idtools.IdentityMapping

 }

 // Builder can build using BuildKit backend

@@ -38,7 +38,7 @@ import (

 )

 func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {

-	if err := os.MkdirAll(opt.Root, 0700); err != nil {

+	if err := os.MkdirAll(opt.Root, 0711); err != nil {

 		return nil, err

 	}

@@ -55,9 +55,10 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {

 	}

 	sbase, err := snapshot.NewSnapshotter(snapshot.Opt{

-		GraphDriver: driver,

-		LayerStore:  dist.LayerStore,

-		Root:        root,

+		GraphDriver:     driver,

+		LayerStore:      dist.LayerStore,

+		Root:            root,

+		IdentityMapping: opt.IdentityMapping,

 	})

 	if err != nil {

 		return nil, err

@@ -112,7 +113,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {

 		return nil, err

 	}

-	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, opt.Rootless)

+	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, opt.Rootless, opt.IdentityMapping)

 	if err != nil {

 		return nil, err

 	}

@@ -8,6 +8,7 @@ import (

 	"strconv"

 	"sync"

+	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/libnetwork"

 	"github.com/moby/buildkit/executor"

 	"github.com/moby/buildkit/executor/runcexecutor"

@@ -20,7 +21,7 @@ import (

 const networkName = "bridge"

-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, rootless bool) (executor.Executor, error) {

+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, rootless bool, idmap *idtools.IdentityMapping) (executor.Executor, error) {

 	networkProviders := map[pb.NetMode]network.Provider{

 		pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")},

 		pb.NetMode_HOST:  network.NewHostProvider(),

@@ -32,6 +33,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, ro

 		DefaultCgroupParent: cgroupParent,

 		Rootless:            rootless,

 		NoPivot:             os.Getenv("DOCKER_RAMDISK") != "",

+		IdentityMapping:     idmap,

 	}, networkProviders)

 }

@@ -5,12 +5,13 @@ import (

 	"errors"

 	"io"

+	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/libnetwork"

 	"github.com/moby/buildkit/cache"

 	"github.com/moby/buildkit/executor"

 )

-func newExecutor(_, _ string, _ libnetwork.NetworkController, _ bool) (executor.Executor, error) {

+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ bool, _ *idtools.IdentityMapping) (executor.Executor, error) {

 	return &winExecutor{}, nil

 }

@@ -318,6 +318,7 @@ func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, e

 		ResolverOpt:         d.NewResolveOptionsFunc(),

 		BuilderConfig:       config.Builder,

 		Rootless:            d.Rootless(),

+		IdentityMapping:     d.IdentityMapping(),

 	})

 	if err != nil {

 		return opts, err