Enabling Docker's User Namespaces in NixOS

Posted on by Ryan Desfosses

Since version 1.10, Docker has been able to run the root user inside a container with the administrative privileges it expects while mapping that same user to an unprivileged uid on the host.

This can be enabled in NixOS by adding a few lines to configuration.nix, running nixos-rebuild, and rebooting.

  virtualisation.docker.extraOptions = "--userns-remap=default";

...
...

  users.groups.dockremap.gid = 10000;

  users.users = {
    dockremap = {
      isSystemUser = true;
      uid = 10000;
      group = "dockremap";
      subUidRanges = [
        { startUid = 100000; count = 65536; }
      ];
      subGidRanges = [
        { startGid = 100000; count = 65536; }
      ];
    };
  };

The first line tells the Docker daemon to enable user namespace support. The remaining lines create the dockremap user and group and are used to generate the /etc/subuid and /etc/subgid files from the subordinate id ranges. More information on the user namespace feature, as well as its known restrictions, can be found in the dockerd docs.
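To see what the remap actually does on the host, here is an added example (not part of the original post) in POSIX shell: it computes the host uid that a container uid lands on under a subuid entry like the one the configuration above produces, and includes an optional live check that assumes a running dockerd, the docker CLI, and the alpine image being available.

```shell
# Map an id seen inside a container to the id the host kernel uses for it,
# given a subuid/subgid entry of the form "user:start:count".
# Prints the host id, or fails (exit 1) when the container id lies outside
# the range, which with the config above is any id >= 65536.
host_id() {
  entry=$1; cid=$2
  start=${entry#*:}; start=${start%%:*}
  count=${entry##*:}
  [ "$cid" -ge 0 ] && [ "$cid" -lt "$count" ] || return 1
  echo $((start + cid))
}

# Return the first /etc/subuid (or /etc/subgid) entry for a user, as NixOS
# writes it from subUidRanges/subGidRanges; fails when the user has no range.
entry_for() {
  file=$1; user=$2
  grep "^$user:" "$file" | head -n 1 | grep .
}

# Live check (needs a running dockerd, so it only runs when asked for):
# root inside a container must show up on the host as the first subordinate
# uid of dockremap, i.e. 100000 with the configuration from this post.
check_live() {
  e=$(entry_for /etc/subuid dockremap) || { echo "no subuid entry for dockremap"; return 1; }
  want=$(host_id "$e" 0)
  cid=$(docker run -d --rm alpine sleep 30)
  pid=$(docker inspect -f '{{.State.Pid}}' "$cid")
  got=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
  docker rm -f "$cid" >/dev/null
  [ "$got" = "$want" ] && echo "ok: container root runs as host uid $got"
}

if [ "${1:-}" = "--live" ]; then
  check_live
fi
```

Run it with `--live` on the rebuilt host; if the remap is not active, the container's sleep process will show up in /proc with uid 0 and the check fails.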