@@ -9,6 +9,7 @@ DOCKER_ENVS := \

 	-e DOCKER_DEBUG \

 	-e DOCKER_EXECDRIVER \

 	-e DOCKER_EXPERIMENTAL \

+	-e DOCKER_REMAP_ROOT \

 	-e DOCKER_GRAPHDRIVER \

 	-e DOCKER_STORAGE_OPTS \

 	-e DOCKER_USERLANDPROXY \

@@ -18,6 +18,8 @@ import (

 	"github.com/docker/docker/daemon/daemonbuilder"

 	"github.com/docker/docker/graph"

 	"github.com/docker/docker/graph/tags"

+	"github.com/docker/docker/pkg/archive"

+	"github.com/docker/docker/pkg/chrootarchive"

 	"github.com/docker/docker/pkg/ioutils"

 	"github.com/docker/docker/pkg/parsers"

 	"github.com/docker/docker/pkg/progressreader"

@@ -393,7 +395,13 @@ func (s *router) postBuild(ctx context.Context, w http.ResponseWriter, r *http.R

 		}

 	}()

-	docker := daemonbuilder.Docker{s.daemon, output, authConfigs}

+	uidMaps, gidMaps := s.daemon.GetUIDGIDMaps()

+	defaultArchiver := &archive.Archiver{

+		Untar:   chrootarchive.Untar,

+		UIDMaps: uidMaps,

+		GIDMaps: gidMaps,

+	}

+	docker := daemonbuilder.Docker{s.daemon, output, authConfigs, defaultArchiver}

 	b, err := dockerfile.NewBuilder(buildConfig, docker, builder.DockerIgnoreContext{context}, nil)

 	if err != nil {

@@ -30,6 +30,7 @@ type CommonConfig struct {

 	LogConfig      runconfig.LogConfig

 	Mtu            int

 	Pidfile        string

+	RemappedRoot   string

 	Root           string

 	TrustKeyPath   string

 	DefaultNetwork string

new file mode 100644

@@ -0,0 +1,119 @@

+// +build experimental

+

+package daemon

+

+import (

+	"fmt"

+	"strconv"

+	"strings"

+

+	"github.com/docker/docker/pkg/idtools"

+	flag "github.com/docker/docker/pkg/mflag"

+	"github.com/opencontainers/runc/libcontainer/user"

+)

+

+func (config *Config) attachExperimentalFlags(cmd *flag.FlagSet, usageFn func(string) string) {

+	cmd.StringVar(&config.RemappedRoot, []string{"-userns-remap"}, "", usageFn("User/Group setting for user namespaces"))

+}

+

+const (

+	defaultIDSpecifier string = "default"

+	defaultRemappedID  string = "dockremap"

+)

+

+// Parse the remapped root (user namespace) option, which can be one of:

+//   username            - valid username from /etc/passwd

+//   username:groupname  - valid username; valid groupname from /etc/group

+//   uid                 - 32-bit unsigned int valid Linux UID value

+//   uid:gid             - uid value; 32-bit unsigned int Linux GID value

+//

+//  If no groupname is specified, and a username is specified, an attempt

+//  will be made to lookup a gid for that username as a groupname

+//

+//  If names are used, they are verified to exist in passwd/group

+func parseRemappedRoot(usergrp string) (string, string, error) {

+

+	var (

+		userID, groupID     int

+		username, groupname string

+	)

+

+	idparts := strings.Split(usergrp, ":")

+	if len(idparts) > 2 {

+		return "", "", fmt.Errorf("Invalid user/group specification in --userns-remap: %q", usergrp)

+	}

+

+	if uid, err := strconv.ParseInt(idparts[0], 10, 32); err == nil {

+		// must be a uid; take it as valid

+		userID = int(uid)

+		luser, err := user.LookupUid(userID)

+		if err != nil {

+			return "", "", fmt.Errorf("Uid %d has no entry in /etc/passwd: %v", userID, err)

+		}

+		username = luser.Name

+		if len(idparts) == 1 {

+			// if the uid was numeric and no gid was specified, take the uid as the gid

+			groupID = userID

+			lgrp, err := user.LookupGid(groupID)

+			if err != nil {

+				return "", "", fmt.Errorf("Gid %d has no entry in /etc/group: %v", groupID, err)

+			}

+			groupname = lgrp.Name

+		}

+	} else {

+		lookupName := idparts[0]

+		// special case: if the user specified "default", they want Docker to create or

+		// use (after creation) the "dockremap" user/group for root remapping

+		if lookupName == defaultIDSpecifier {

+			lookupName = defaultRemappedID

+		}

+		luser, err := user.LookupUser(lookupName)

+		if err != nil && idparts[0] != defaultIDSpecifier {

+			// error if the name requested isn't the special "dockremap" ID

+			return "", "", fmt.Errorf("Error during uid lookup for %q: %v", lookupName, err)

+		} else if err != nil {

+			// special case-- if the username == "default", then we have been asked

+			// to create a new entry pair in /etc/{passwd,group} for which the /etc/sub{uid,gid}

+			// ranges will be used for the user and group mappings in user namespaced containers

+			_, _, err := idtools.AddNamespaceRangesUser(defaultRemappedID)

+			if err == nil {

+				return defaultRemappedID, defaultRemappedID, nil

+			}

+			return "", "", fmt.Errorf("Error during %q user creation: %v", defaultRemappedID, err)

+		}

+		userID = luser.Uid

+		username = luser.Name

+		if len(idparts) == 1 {

+			// we only have a string username, and no group specified; look up gid from username as group

+			group, err := user.LookupGroup(lookupName)

+			if err != nil {

+				return "", "", fmt.Errorf("Error during gid lookup for %q: %v", lookupName, err)

+			}

+			groupID = group.Gid

+			groupname = group.Name

+		}

+	}

+

+	if len(idparts) == 2 {

+		// groupname or gid is separately specified and must be resolved

+		// to a unsigned 32-bit gid

+		if gid, err := strconv.ParseInt(idparts[1], 10, 32); err == nil {

+			// must be a gid, take it as valid

+			groupID = int(gid)

+			lgrp, err := user.LookupGid(groupID)

+			if err != nil {

+				return "", "", fmt.Errorf("Gid %d has no entry in /etc/passwd: %v", groupID, err)

+			}

+			groupname = lgrp.Name

+		} else {

+			// not a number; attempt a lookup

+			group, err := user.LookupGroup(idparts[1])

+			if err != nil {

+				return "", "", fmt.Errorf("Error during gid lookup for %q: %v", idparts[1], err)

+			}

+			groupID = group.Gid

+			groupname = idparts[1]

+		}

+	}

+	return username, groupname, nil

+}

new file mode 100644

@@ -0,0 +1,8 @@

+// +build !experimental

+

+package daemon

+

+import flag "github.com/docker/docker/pkg/mflag"

+

+func (config *Config) attachExperimentalFlags(cmd *flag.FlagSet, usageFn func(string) string) {

+}

@@ -27,6 +27,7 @@ type Config struct {

 	CorsHeaders          string

 	EnableCors           bool

 	EnableSelinuxSupport bool

+	RemappedRoot         string

 	SocketGroup          string

 	Ulimits              map[string]*ulimit.Ulimit

 }

@@ -77,4 +78,6 @@ func (config *Config) InstallFlags(cmd *flag.FlagSet, usageFn func(string) strin

 	cmd.BoolVar(&config.Bridge.EnableUserlandProxy, []string{"-userland-proxy"}, true, usageFn("Use userland proxy for loopback traffic"))

 	cmd.BoolVar(&config.EnableCors, []string{"#api-enable-cors", "#-api-enable-cors"}, false, usageFn("Enable CORS headers in the remote API, this is deprecated by --api-cors-header"))

 	cmd.StringVar(&config.CorsHeaders, []string{"-api-cors-header"}, "", usageFn("Set CORS headers in the remote API"))

+

+	config.attachExperimentalFlags(cmd, usageFn)

 }

@@ -553,7 +553,12 @@ func (container *Container) export() (archive.Archive, error) {

 		return nil, err

 	}

-	archive, err := archive.Tar(container.basefs, archive.Uncompressed)

+	uidMaps, gidMaps := container.daemon.GetUIDGIDMaps()

+	archive, err := archive.TarWithOptions(container.basefs, &archive.TarOptions{

+		Compression: archive.Uncompressed,

+		UIDMaps:     uidMaps,

+		GIDMaps:     gidMaps,

+	})

 	if err != nil {

 		container.Unmount()

 		return nil, err

@@ -20,6 +20,7 @@ import (

 	"github.com/docker/docker/daemon/network"

 	derr "github.com/docker/docker/errors"

 	"github.com/docker/docker/pkg/directory"

+	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/pkg/nat"

 	"github.com/docker/docker/pkg/stringid"

 	"github.com/docker/docker/pkg/system"

@@ -302,6 +303,14 @@ func populateCommand(c *Container, env []string) error {

 	processConfig.SysProcAttr = &syscall.SysProcAttr{Setsid: true}

 	processConfig.Env = env

+	remappedRoot := &execdriver.User{}

+	rootUID, rootGID := c.daemon.GetRemappedUIDGID()

+	if rootUID != 0 {

+		remappedRoot.UID = rootUID

+		remappedRoot.GID = rootGID

+	}

+	uidMap, gidMap := c.daemon.GetUIDGIDMaps()

+

 	c.command = &execdriver.Command{

 		ID:                 c.ID,

 		Rootfs:             c.rootfsPath(),

@@ -310,6 +319,9 @@ func populateCommand(c *Container, env []string) error {

 		WorkingDir:         c.Config.WorkingDir,

 		Network:            en,

 		Ipc:                ipc,

+		UIDMapping:         uidMap,

+		GIDMapping:         gidMap,

+		RemappedRoot:       remappedRoot,

 		Pid:                pid,

 		UTS:                uts,

 		Resources:          resources,

@@ -1343,19 +1355,23 @@ func (container *Container) hasMountFor(path string) bool {

 }

 func (container *Container) setupIpcDirs() error {

+	rootUID, rootGID := container.daemon.GetRemappedUIDGID()

 	if !container.hasMountFor("/dev/shm") {

 		shmPath, err := container.shmPath()

 		if err != nil {

 			return err

 		}

-		if err := os.MkdirAll(shmPath, 0700); err != nil {

+		if err := idtools.MkdirAllAs(shmPath, 0700, rootUID, rootGID); err != nil {

 			return err

 		}

 		if err := syscall.Mount("shm", shmPath, "tmpfs", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), label.FormatMountLabel("mode=1777,size=65536k", container.getMountLabel())); err != nil {

 			return fmt.Errorf("mounting shm tmpfs: %s", err)

 		}

+		if err := os.Chown(shmPath, rootUID, rootGID); err != nil {

+			return err

+		}

 	}

 	if !container.hasMountFor("/dev/mqueue") {

@@ -1364,13 +1380,16 @@ func (container *Container) setupIpcDirs() error {

 			return err

 		}

-		if err := os.MkdirAll(mqueuePath, 0700); err != nil {

+		if err := idtools.MkdirAllAs(mqueuePath, 0700, rootUID, rootGID); err != nil {

 			return err

 		}

 		if err := syscall.Mount("mqueue", mqueuePath, "mqueue", uintptr(syscall.MS_NOEXEC|syscall.MS_NOSUID|syscall.MS_NODEV), ""); err != nil {

 			return fmt.Errorf("mounting mqueue mqueue : %s", err)

 		}

+		if err := os.Chown(mqueuePath, rootUID, rootGID); err != nil {

+			return err

+		}

 	}

 	return nil

@@ -37,6 +37,7 @@ import (

 	"github.com/docker/docker/pkg/discovery"

 	"github.com/docker/docker/pkg/fileutils"

 	"github.com/docker/docker/pkg/graphdb"

+	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/pkg/ioutils"

 	"github.com/docker/docker/pkg/namesgenerator"

 	"github.com/docker/docker/pkg/nat"

@@ -121,6 +122,8 @@ type Daemon struct {

 	discoveryWatcher discovery.Watcher

 	root             string

 	shutdown         bool

+	uidMaps          []idtools.IDMap

+	gidMaps          []idtools.IDMap

 }

 // Get looks for a container using the provided information, which could be

@@ -632,6 +635,15 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 	// on Windows to dump Go routine stacks

 	setupDumpStackTrap()

+	uidMaps, gidMaps, err := setupRemappedRoot(config)

+	if err != nil {

+		return nil, err

+	}

+	rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)

+	if err != nil {

+		return nil, err

+	}

+

 	// get the canonical path to the Docker root directory

 	var realRoot string

 	if _, err := os.Stat(config.Root); err != nil && os.IsNotExist(err) {

@@ -642,14 +654,13 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 			return nil, fmt.Errorf("Unable to get the full path to root (%s): %s", config.Root, err)

 		}

 	}

-	config.Root = realRoot

-	// Create the root directory if it doesn't exists

-	if err := system.MkdirAll(config.Root, 0700); err != nil {

+

+	if err = setupDaemonRoot(config, realRoot, rootUID, rootGID); err != nil {

 		return nil, err

 	}

 	// set up the tmpDir to use a canonical path

-	tmp, err := tempDir(config.Root)

+	tmp, err := tempDir(config.Root, rootUID, rootGID)

 	if err != nil {

 		return nil, fmt.Errorf("Unable to get the TempDir under %s: %s", config.Root, err)

 	}

@@ -663,7 +674,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 	graphdriver.DefaultDriver = config.GraphDriver

 	// Load storage driver

-	driver, err := graphdriver.New(config.Root, config.GraphOptions)

+	driver, err := graphdriver.New(config.Root, config.GraphOptions, uidMaps, gidMaps)

 	if err != nil {

 		return nil, fmt.Errorf("error initializing graphdriver: %v", err)

 	}

@@ -696,7 +707,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 	daemonRepo := filepath.Join(config.Root, "containers")

-	if err := system.MkdirAll(daemonRepo, 0700); err != nil {

+	if err := idtools.MkdirAllAs(daemonRepo, 0700, rootUID, rootGID); err != nil && !os.IsExist(err) {

 		return nil, err

 	}

@@ -706,13 +717,13 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 	}

 	logrus.Debug("Creating images graph")

-	g, err := graph.NewGraph(filepath.Join(config.Root, "graph"), d.driver)

+	g, err := graph.NewGraph(filepath.Join(config.Root, "graph"), d.driver, uidMaps, gidMaps)

 	if err != nil {

 		return nil, err

 	}

 	// Configure the volumes driver

-	volStore, err := configureVolumes(config)

+	volStore, err := configureVolumes(config, rootUID, rootGID)

 	if err != nil {

 		return nil, err

 	}

@@ -777,7 +788,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 	var sysInitPath string

 	if config.ExecDriver == "lxc" {

-		initPath, err := configureSysInit(config)

+		initPath, err := configureSysInit(config, rootUID, rootGID)

 		if err != nil {

 			return nil, err

 		}

@@ -812,6 +823,8 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 	d.EventsService = eventsService

 	d.volumes = volStore

 	d.root = config.Root

+	d.uidMaps = uidMaps

+	d.gidMaps = gidMaps

 	if err := d.cleanupMounts(); err != nil {

 		return nil, err

@@ -974,7 +987,11 @@ func (daemon *Daemon) diff(container *Container) (archive.Archive, error) {

 func (daemon *Daemon) createRootfs(container *Container) error {

 	// Step 1: create the container directory.

 	// This doubles as a barrier to avoid race conditions.

-	if err := os.Mkdir(container.root, 0700); err != nil {

+	rootUID, rootGID, err := idtools.GetRootUIDGID(daemon.uidMaps, daemon.gidMaps)

+	if err != nil {

+		return err

+	}

+	if err := idtools.MkdirAs(container.root, 0700, rootUID, rootGID); err != nil {

 		return err

 	}

 	initID := fmt.Sprintf("%s-init", container.ID)

@@ -986,7 +1003,7 @@ func (daemon *Daemon) createRootfs(container *Container) error {

 		return err

 	}

-	if err := setupInitLayer(initPath); err != nil {

+	if err := setupInitLayer(initPath, rootUID, rootGID); err != nil {

 		daemon.driver.Put(initID)

 		return err

 	}

@@ -1105,6 +1122,21 @@ func (daemon *Daemon) containerGraph() *graphdb.Database {

 	return daemon.containerGraphDB

 }

+// GetUIDGIDMaps returns the current daemon's user namespace settings

+// for the full uid and gid maps which will be applied to containers

+// started in this instance.

+func (daemon *Daemon) GetUIDGIDMaps() ([]idtools.IDMap, []idtools.IDMap) {

+	return daemon.uidMaps, daemon.gidMaps

+}

+

+// GetRemappedUIDGID returns the current daemon's uid and gid values

+// if user namespaces are in use for this daemon instance.  If not

+// this function will return "real" root values of 0, 0.

+func (daemon *Daemon) GetRemappedUIDGID() (int, int) {

+	uid, gid, _ := idtools.GetRootUIDGID(daemon.uidMaps, daemon.gidMaps)

+	return uid, gid

+}

+

 // ImageGetCached returns the earliest created image that is a child

 // of the image with imgID, that had the same config when it was

 // created. nil is returned if a child cannot be found. An error is

@@ -1139,12 +1171,12 @@ func (daemon *Daemon) ImageGetCached(imgID string, config *runconfig.Config) (*i

 }

 // tempDir returns the default directory to use for temporary files.

-func tempDir(rootDir string) (string, error) {

+func tempDir(rootDir string, rootUID, rootGID int) (string, error) {

 	var tmpDir string

 	if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" {

 		tmpDir = filepath.Join(rootDir, "tmp")

 	}

-	return tmpDir, system.MkdirAll(tmpDir, 0700)

+	return tmpDir, idtools.MkdirAllAs(tmpDir, 0700, rootUID, rootGID)

 }

 func (daemon *Daemon) setHostConfig(container *Container, hostConfig *runconfig.HostConfig) error {

@@ -1228,8 +1260,8 @@ func (daemon *Daemon) verifyContainerSettings(hostConfig *runconfig.HostConfig,

 	return verifyPlatformContainerSettings(daemon, hostConfig, config)

 }

-func configureVolumes(config *Config) (*store.VolumeStore, error) {

-	volumesDriver, err := local.New(config.Root)

+func configureVolumes(config *Config, rootUID, rootGID int) (*store.VolumeStore, error) {

+	volumesDriver, err := local.New(config.Root, rootUID, rootGID)

 	if err != nil {

 		return nil, err

 	}

new file mode 100644

@@ -0,0 +1,110 @@

+// +build experimental

+

+package daemon

+

+import (

+	"fmt"

+	"os"

+	"path/filepath"

+	"runtime"

+

+	"github.com/Sirupsen/logrus"

+	"github.com/docker/docker/pkg/directory"

+	"github.com/docker/docker/pkg/idtools"

+	"github.com/docker/docker/runconfig"

+)

+

+func setupRemappedRoot(config *Config) ([]idtools.IDMap, []idtools.IDMap, error) {

+	if config.ExecDriver != "native" && config.RemappedRoot != "" {

+		return nil, nil, fmt.Errorf("User namespace remapping is only supported with the native execdriver")

+	}

+	if runtime.GOOS == "windows" && config.RemappedRoot != "" {

+		return nil, nil, fmt.Errorf("User namespaces are not supported on Windows")

+	}

+

+	// if the daemon was started with remapped root option, parse

+	// the config option to the int uid,gid values

+	var (

+		uidMaps, gidMaps []idtools.IDMap

+	)

+	if config.RemappedRoot != "" {

+		username, groupname, err := parseRemappedRoot(config.RemappedRoot)

+		if err != nil {

+			return nil, nil, err

+		}

+		if username == "root" {

+			// Cannot setup user namespaces with a 1-to-1 mapping; "--root=0:0" is a no-op

+			// effectively

+			logrus.Warnf("User namespaces: root cannot be remapped with itself; user namespaces are OFF")

+			return uidMaps, gidMaps, nil

+		}

+		logrus.Infof("User namespaces: ID ranges will be mapped to subuid/subgid ranges of: %s:%s", username, groupname)

+		// update remapped root setting now that we have resolved them to actual names

+		config.RemappedRoot = fmt.Sprintf("%s:%s", username, groupname)

+

+		uidMaps, gidMaps, err = idtools.CreateIDMappings(username, groupname)

+		if err != nil {

+			return nil, nil, fmt.Errorf("Can't create ID mappings: %v", err)

+		}

+	}

+	return uidMaps, gidMaps, nil

+}

+

+func setupDaemonRoot(config *Config, rootDir string, rootUID, rootGID int) error {

+	// the main docker root needs to be accessible by all users, as user namespace support

+	// will create subdirectories owned by either a) the real system root (when no remapping

+	// is setup) or b) the remapped root host ID (when --root=uid:gid is used)

+	// for "first time" users of user namespaces, we need to migrate the current directory

+	// contents to the "0.0" (root == root "namespace" daemon root)

+	nsRoot := "0.0"

+	if _, err := os.Stat(rootDir); err == nil {

+		// root current exists; we need to check for a prior migration

+		if _, err := os.Stat(filepath.Join(rootDir, nsRoot)); err != nil && os.IsNotExist(err) {

+			// need to migrate current root to "0.0" subroot

+			// 1. create non-usernamespaced root as "0.0"

+			if err := os.Mkdir(filepath.Join(rootDir, nsRoot), 0700); err != nil {

+				return fmt.Errorf("Cannot create daemon root %q: %v", filepath.Join(rootDir, nsRoot), err)

+			}

+			// 2. move current root content to "0.0" new subroot

+			if err := directory.MoveToSubdir(rootDir, nsRoot); err != nil {

+				return fmt.Errorf("Cannot migrate current daemon root %q for user namespaces: %v", rootDir, err)

+			}

+			// 3. chmod outer root to 755

+			if chmodErr := os.Chmod(rootDir, 0755); chmodErr != nil {

+				return chmodErr

+			}

+		}

+	} else if os.IsNotExist(err) {

+		// no root exists yet, create it 0755 with root:root ownership

+		if err := os.MkdirAll(rootDir, 0755); err != nil {

+			return err

+		}

+		// create the "0.0" subroot (so no future "migration" happens of the root)

+		if err := os.Mkdir(filepath.Join(rootDir, nsRoot), 0700); err != nil {

+			return err

+		}

+	}

+

+	// for user namespaces we will create a subtree underneath the specified root

+	// with any/all specified remapped root uid/gid options on the daemon creating

+	// a new subdirectory with ownership set to the remapped uid/gid (so as to allow

+	// `chdir()` to work for containers namespaced to that uid/gid)

+	if config.RemappedRoot != "" {

+		nsRoot = fmt.Sprintf("%d.%d", rootUID, rootGID)

+	}

+	config.Root = filepath.Join(rootDir, nsRoot)

+	logrus.Debugf("Creating actual daemon root: %s", config.Root)

+

+	// Create the root directory if it doesn't exists

+	if err := idtools.MkdirAllAs(config.Root, 0700, rootUID, rootGID); err != nil {

+		return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)

+	}

+	return nil

+}

+

+func (daemon *Daemon) verifyExperimentalContainerSettings(hostConfig *runconfig.HostConfig, config *runconfig.Config) ([]string, error) {

+	if hostConfig.Privileged && daemon.config().RemappedRoot != "" {

+		return nil, fmt.Errorf("Privileged mode is incompatible with user namespace mappings")

+	}

+	return nil, nil

+}

new file mode 100644

@@ -0,0 +1,28 @@

+// +build !experimental

+

+package daemon

+

+import (

+	"os"

+

+	"github.com/docker/docker/pkg/idtools"

+	"github.com/docker/docker/pkg/system"

+	"github.com/docker/docker/runconfig"

+)

+

+func setupRemappedRoot(config *Config) ([]idtools.IDMap, []idtools.IDMap, error) {

+	return nil, nil, nil

+}

+

+func setupDaemonRoot(config *Config, rootDir string, rootUID, rootGID int) error {

+	config.Root = rootDir

+	// Create the root directory if it doesn't exists

+	if err := system.MkdirAll(config.Root, 0700); err != nil && !os.IsExist(err) {

+		return err

+	}

+	return nil

+}

+

+func (daemon *Daemon) verifyExperimentalContainerSettings(hostConfig *runconfig.HostConfig, config *runconfig.Config) ([]string, error) {

+	return nil, nil

+}

@@ -509,7 +509,7 @@ func initDaemonForVolumesTest(tmp string) (*Daemon, error) {

 		volumes:    store.New(),

 	}

-	volumesDriver, err := local.New(tmp)

+	volumesDriver, err := local.New(tmp, 0, 0)

 	if err != nil {

 		return nil, err

 	}

@@ -15,10 +15,10 @@ import (

 	"github.com/docker/docker/daemon/graphdriver"

 	derr "github.com/docker/docker/errors"

 	"github.com/docker/docker/pkg/fileutils"

+	"github.com/docker/docker/pkg/idtools"

 	"github.com/docker/docker/pkg/parsers"

 	"github.com/docker/docker/pkg/parsers/kernel"

 	"github.com/docker/docker/pkg/sysinfo"

-	"github.com/docker/docker/pkg/system"

 	"github.com/docker/docker/runconfig"

 	"github.com/docker/docker/utils"

 	"github.com/docker/libnetwork"

@@ -121,6 +121,11 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *runconfig.HostC

 	warnings := []string{}

 	sysInfo := sysinfo.New(true)

+	warnings, err := daemon.verifyExperimentalContainerSettings(hostConfig, config)

+	if err != nil {

+		return warnings, err

+	}

+

 	if hostConfig.LxcConf.Len() > 0 && !strings.Contains(daemon.ExecutionDriver().Name(), "lxc") {

 		return warnings, fmt.Errorf("Cannot use --lxc-conf with execdriver: %s", daemon.ExecutionDriver().Name())

 	}

@@ -275,7 +280,7 @@ func migrateIfDownlevel(driver graphdriver.Driver, root string) error {

 	return migrateIfAufs(driver, root)

 }

-func configureSysInit(config *Config) (string, error) {

+func configureSysInit(config *Config, rootUID, rootGID int) (string, error) {

 	localCopy := filepath.Join(config.Root, "init", fmt.Sprintf("dockerinit-%s", dockerversion.VERSION))

 	sysInitPath := utils.DockerInitPath(localCopy)

 	if sysInitPath == "" {

@@ -284,7 +289,7 @@ func configureSysInit(config *Config) (string, error) {

 	if sysInitPath != localCopy {

 		// When we find a suitable dockerinit binary (even if it's our local binary), we copy it into config.Root at localCopy for future use (so that the original can go away without that being a problem, for example during a package upgrade).

-		if err := os.Mkdir(filepath.Dir(localCopy), 0700); err != nil && !os.IsExist(err) {

+		if err := idtools.MkdirAs(filepath.Dir(localCopy), 0700, rootUID, rootGID); err != nil && !os.IsExist(err) {

 			return "", err

 		}

 		if _, err := fileutils.CopyFile(sysInitPath, localCopy); err != nil {

@@ -455,7 +460,7 @@ func initBridgeDriver(controller libnetwork.NetworkController, config *Config) e

 //

 // This extra layer is used by all containers as the top-most ro layer. It protects

 // the container from unwanted side-effects on the rw layer.

-func setupInitLayer(initLayer string) error {

+func setupInitLayer(initLayer string, rootUID, rootGID int) error {

 	for pth, typ := range map[string]string{

 		"/dev/pts":         "dir",

 		"/dev/shm":         "dir",

@@ -478,12 +483,12 @@ func setupInitLayer(initLayer string) error {

 		if _, err := os.Stat(filepath.Join(initLayer, pth)); err != nil {

 			if os.IsNotExist(err) {

-				if err := system.MkdirAll(filepath.Join(initLayer, filepath.Dir(pth)), 0755); err != nil {

+				if err := idtools.MkdirAllAs(filepath.Join(initLayer, filepath.Dir(pth)), 0755, rootUID, rootGID); err != nil {

 					return err

 				}

 				switch typ {

 				case "dir":

-					if err := system.MkdirAll(filepath.Join(initLayer, pth), 0755); err != nil {

+					if err := idtools.MkdirAllAs(filepath.Join(initLayer, pth), 0755, rootUID, rootGID); err != nil {

 						return err

 					}

 				case "file":

@@ -492,6 +497,7 @@ func setupInitLayer(initLayer string) error {

 						return err

 					}

 					f.Close()

+					f.Chown(rootUID, rootGID)

 				default:

 					if err := os.Symlink(typ, filepath.Join(initLayer, pth)); err != nil {

 						return err

@@ -25,7 +25,7 @@ func parseSecurityOpt(container *Container, config *runconfig.HostConfig) error

 	return nil

 }

-func setupInitLayer(initLayer string) error {

+func setupInitLayer(initLayer string, rootUID, rootGID int) error {

 	return nil

 }

@@ -89,7 +89,7 @@ func migrateIfDownlevel(driver graphdriver.Driver, root string) error {

 	return nil

 }

-func configureSysInit(config *Config) (string, error) {

+func configureSysInit(config *Config, rootUID, rootGID int) (string, error) {

 	// TODO Windows.

 	return os.Getenv("TEMP"), nil

 }

@@ -16,7 +16,6 @@ import (

 	"github.com/docker/docker/graph"

 	"github.com/docker/docker/image"

 	"github.com/docker/docker/pkg/archive"

-	"github.com/docker/docker/pkg/chrootarchive"

 	"github.com/docker/docker/pkg/httputils"

 	"github.com/docker/docker/pkg/ioutils"

 	"github.com/docker/docker/pkg/parsers"

@@ -32,6 +31,7 @@ type Docker struct {

 	Daemon      *daemon.Daemon

 	OutOld      io.Writer

 	AuthConfigs map[string]cliconfig.AuthConfig

+	Archiver    *archive.Archiver

 }

 // ensure Docker implements builder.Docker

@@ -121,6 +121,7 @@ func (d Docker) Release(sessionID string, activeImages []string) {

 func (d Docker) Copy(c *daemon.Container, destPath string, src builder.FileInfo, decompress bool) error {

 	srcPath := src.Path()

 	destExists := true

+	rootUID, rootGID := d.Daemon.GetRemappedUIDGID()

 	// Work in daemon-local OS specific file paths

 	destPath = filepath.FromSlash(destPath)

@@ -149,10 +150,10 @@ func (d Docker) Copy(c *daemon.Container, destPath string, src builder.FileInfo,

 	if src.IsDir() {

 		// copy as directory

-		if err := chrootarchive.CopyWithTar(srcPath, destPath); err != nil {

+		if err := d.Archiver.CopyWithTar(srcPath, destPath); err != nil {

 			return err

 		}

-		return fixPermissions(srcPath, destPath, 0, 0, destExists)

+		return fixPermissions(srcPath, destPath, rootUID, rootGID, destExists)

 	}

 	if decompress {

 		// Only try to untar if it is a file and that we've been told to decompress (when ADD-ing a remote file)

@@ -167,7 +168,7 @@ func (d Docker) Copy(c *daemon.Container, destPath string, src builder.FileInfo,

 		}

 		// try to successfully untar the orig

-		if err := chrootarchive.UntarPath(srcPath, tarDest); err == nil {

+		if err := d.Archiver.UntarPath(srcPath, tarDest); err == nil {

 			return nil

 		} else if err != io.EOF {

 			logrus.Debugf("Couldn't untar to %s: %v", tarDest, err)

@@ -182,11 +183,11 @@ func (d Docker) Copy(c *daemon.Container, destPath string, src builder.FileInfo,

 	if err := system.MkdirAll(filepath.Dir(destPath), 0755); err != nil {

 		return err

 	}

-	if err := chrootarchive.CopyFileWithTar(srcPath, destPath); err != nil {

+	if err := d.Archiver.CopyFileWithTar(srcPath, destPath); err != nil {

 		return err

 	}

-	return fixPermissions(srcPath, destPath, 0, 0, destExists)

+	return fixPermissions(srcPath, destPath, rootUID, rootGID, destExists)

 }

 // GetCachedImage returns a reference to a cached image whose parent equals `parent`

@@ -6,6 +6,7 @@ import (

 	"os/exec"

 	"time"

+	"github.com/docker/docker/pkg/idtools"

 	// TODO Windows: Factor out ulimit

 	"github.com/docker/docker/pkg/ulimit"

 	"github.com/opencontainers/runc/libcontainer"

@@ -173,6 +174,12 @@ type Mount struct {

 	Slave       bool   `json:"slave"`

 }

+// User contains the uid and gid representing a Unix user

+type User struct {

+	UID int `json:"root_uid"`

+	GID int `json:"root_gid"`

+}

+

 // ProcessConfig describes a process that will be run inside a container.

 type ProcessConfig struct {

 	exec.Cmd `json:"-"`

@@ -202,6 +209,9 @@ type Command struct {

 	Ipc                *Ipc              `json:"ipc"`

 	Pid                *Pid              `json:"pid"`

 	UTS                *UTS              `json:"uts"`

+	RemappedRoot       *User             `json:"remap_root"`

+	UIDMapping         []idtools.IDMap   `json:"uidmapping"`

+	GIDMapping         []idtools.IDMap   `json:"gidmapping"`

 	Resources          *Resources        `json:"resources"`

 	Mounts             []Mount           `json:"mounts"`

 	AllowedDevices     []*configs.Device `json:"allowed_devices"`

@@ -8,6 +8,7 @@ import (

 	"syscall"

 	"github.com/docker/docker/daemon/execdriver"

+

 	"github.com/opencontainers/runc/libcontainer/apparmor"

 	"github.com/opencontainers/runc/libcontainer/configs"

 	"github.com/opencontainers/runc/libcontainer/devices"

@@ -30,6 +31,10 @@ func (d *Driver) createContainer(c *execdriver.Command, hooks execdriver.Hooks)

 		return nil, err

 	}

+	if err := d.setupRemappedRoot(container, c); err != nil {

+		return nil, err

+	}

+

 	if err := d.createNetwork(container, c, hooks); err != nil {

 		return nil, err

 	}

@@ -193,6 +198,40 @@ func (d *Driver) createUTS(container *configs.Config, c *execdriver.Command) err

 	return nil

 }

+func (d *Driver) setupRemappedRoot(container *configs.Config, c *execdriver.Command) error {

+	if c.RemappedRoot.UID == 0 {

+		container.Namespaces.Remove(configs.NEWUSER)

+		return nil

+	}

+

+	// convert the Docker daemon id map to the libcontainer variant of the same struct

+	// this keeps us from having to import libcontainer code across Docker client + daemon packages

+	cuidMaps := []configs.IDMap{}

+	cgidMaps := []configs.IDMap{}

+	for _, idMap := range c.UIDMapping {

+		cuidMaps = append(cuidMaps, configs.IDMap(idMap))

+	}

+	for _, idMap := range c.GIDMapping {

+		cgidMaps = append(cgidMaps, configs.IDMap(idMap))

+	}

+	container.UidMappings = cuidMaps

+	container.GidMappings = cgidMaps

+

+	for _, node := range container.Devices {

+		node.Uid = uint32(c.RemappedRoot.UID)

+		node.Gid = uint32(c.RemappedRoot.GID)

+	}

+	// TODO: until a kernel/mount solution exists for handling remount in a user namespace,

+	// we must clear the readonly flag for the cgroups mount (@mrunalp concurs)

+	for i := range container.Mounts {

+		if container.Mounts[i].Device == "cgroup" {

+			container.Mounts[i].Flags &= ^syscall.MS_RDONLY

+		}

+	}

+

+	return nil

+}

+

 func (d *Driver) setPrivileged(container *configs.Config) (err error) {

 	container.Capabilities = execdriver.GetAllCapabilities()

 	container.Cgroups.AllowAllDevices = true

@@ -255,6 +294,7 @@ func (d *Driver) setupMounts(container *configs.Config, c *execdriver.Command) e

 		if m.Slave {