I'm trying to run several Docker containers on the same host, and most of these containers run internally as some random user, e.g. JetBrains YouTrack, where the internal user is called "jetbrains" with UID 13001, and MySQL, where the internal user is called "mysql" with UID 999, plus 4-5 other containers. I'd also like to use volumes: some local folders mounted into each container, with separate folders for e.g. MySQL data and logs, YouTrack config, logs, etc.
I have done this before with more custom containers, where internally we used root rather than a non-root user, and I didn't really face any issues. But now, with these standard third-party containers, the internal non-root user is giving me permission-related headaches.
I'm running Docker version 20.10.21.
I started looking into running the Docker daemon as root, as I did before, and using userns mapping to solve the permission issue. I followed this answer: I created host users youtrack and youtrack-user with the same groups, just as shown there, chown-ed the appropriate volume folders, and the container is working perfectly. But then I wanted to repeat the same for MySQL, and I realized I can't seem to add multiple users to the "userns-remap" key in Docker's daemon.json file. I started looking into GitHub issues and other posts, and it seems this feature is not supported at all? The host is Fedora 41 with kernel version 6.13.5-200.fc41.x86_64.
For reference, here is my docker-compose.yml:
```yaml
networks:
  public:
    name: public-network
  internal:
    name: internal
    driver: bridge

services:
  youtrack:
    image: jetbrains/youtrack:2025.1.64291
    hostname: youtrack
    container_name: youtrack
    restart: always
    networks:
      - public
    ports:
      - 8080:8080
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      - "/opt/docker/volumes/youtrack/data:/opt/youtrack/data:z"
      - "/opt/docker/volumes/youtrack/conf:/opt/youtrack/conf:z"
      - "/opt/docker/volumes/youtrack/backups:/opt/youtrack/backups:z"
      - "/opt/docker/volumes/logs/youtrack:/opt/youtrack/logs:z"

  mysql:
    image: mysql:9.2.0
    hostname: mysql
    container_name: mysql
    restart: always
    networks:
      - internal
    ports:
      - 3306:3306
    volumes:
      - "/opt/docker/volumes/mysql/data:/var/lib/mysql:z"
      - "/opt/docker/volumes/mysql/files:/var/lib/mysql-files:z"
      - "/opt/docker/volumes/mysql/conf:/etc/mysql:z"
      - "/opt/docker/volumes/logs/mysql:/var/log/mysql:z"
    environment:
      MYSQL_ROOT_PASSWORD: super-secure-password-here
      TZ: "Europe/Budapest"
    cap_add:
      - SYS_NICE
```
And my docker daemon JSON:
```json
{
  "no-new-privileges": true,
  "log-driver": "json-file",
  "log-opts": {"max-size": "10m", "max-file": "3"},
  "userns-remap": "youtrack"
}
```
YouTrack is already running now, with these users (the reason for this is that I know the YouTrack internal UID and GID are both 13001):
```
[root@host docker]# id youtrack
uid=13001(youtrack) gid=13001(youtrack) groups=13001(youtrack)
[root@host docker]# id youtrack-user
uid=513001(youtrack-user) gid=513001(youtrack-user) groups=513001(youtrack-user)
[root@host docker]# grep "youtrack" /etc/subuid
youtrack:500000:65536
[root@host docker]# grep "youtrack" /etc/subgid
youtrack:500000:65536
```
What is the best practice for such a setup? If I understand correctly, this could work with named volumes, but not with bind mounts? I set userns-remap to "default" so that Docker creates the "dockremap" user and config, and I changed the docker-compose file to use named volumes, and now I can start multiple containers correctly, but the volume folders are all inside the /var/lib/docker folder structure, and I would have preferred them elsewhere (e.g. putting the log folders on a dedicated partition under /var/log). Can this be achieved somehow?
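The following is an added example, not part of the original post and not from Docker's or JetBrains' own tooling. It works out the host-side owner that each bind-mounted directory needs once the daemon runs with a single userns-remap user: with one subordinate range, every container shares the same mapping, and a process running as UID n inside any container shows up on the host as subuid_base + n (likewise subgid_base + n for the GID). The post's own output illustrates this: 513001 = 500000 + 13001. The script embeds a constructed copy of the post's `youtrack:500000:65536` lines instead of reading the real /etc/subuid and /etc/subgid, so it runs offline; the `APPLY=1` switch and the `chown_plan`/`volume_owner` helper names are this example's own, and the container UIDs 13001 (YouTrack) and 999 (MySQL) are the ones stated in the question.

```bash
#!/usr/bin/env bash
# Added example: compute the host-side owner of bind mounts under a single
# Docker "userns-remap" user and emit (or, with APPLY=1 as root, run) the chown.
# Assumption: container UID/GID n maps to host UID/GID range_base + n.
set -eu

# Constructed stand-ins for /etc/subuid and /etc/subgid (same range for both,
# as in the question). Swap in "$(cat /etc/subuid)" on a real host.
SAMPLE_SUBUID='youtrack:500000:65536
dockremap:100000:65536'
SAMPLE_SUBGID="$SAMPLE_SUBUID"

# subid_base <user> <subid-file-contents>: print the first id of the user's range.
subid_base() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# remapped_id <range-base> <container-id>: the id the host sees for a container id.
remapped_id() {
    echo $(( $1 + $2 ))
}

# volume_owner <remap-user> <container-uid> <container-gid>: print "uid:gid" as it
# must appear on the host for files the container creates as that uid/gid.
volume_owner() {
    vo_ubase=$(subid_base "$1" "$SAMPLE_SUBUID")
    vo_gbase=$(subid_base "$1" "$SAMPLE_SUBGID")
    if [ -z "$vo_ubase" ] || [ -z "$vo_gbase" ]; then
        echo "no subordinate range for user '$1'" >&2
        return 1
    fi
    printf '%s:%s\n' "$(remapped_id "$vo_ubase" "$2")" "$(remapped_id "$vo_gbase" "$3")"
}

# chown_plan <remap-user> <container-uid> <container-gid> <dir>...: print one
# mkdir/chown line per directory; only execute it when APPLY=1 is set (needs root).
chown_plan() {
    cp_owner=$(volume_owner "$1" "$2" "$3") || return 1
    shift 3
    for cp_dir in "$@"; do
        printf 'mkdir -p %s && chown %s %s\n' "$cp_dir" "$cp_owner" "$cp_dir"
        if [ "${APPLY:-0}" = 1 ]; then
            mkdir -p "$cp_dir" && chown "$cp_owner" "$cp_dir"
        fi
    done
}

# Worked instances for the two containers in the question, sharing the one
# remap user: YouTrack runs as 13001:13001, the official MySQL image as 999:999.
chown_plan youtrack 13001 13001 \
    /opt/docker/volumes/youtrack/data /opt/docker/volumes/logs/youtrack
chown_plan youtrack 999 999 \
    /opt/docker/volumes/mysql/data /opt/docker/volumes/logs/mysql
```

Run as-is it only prints the plan (`chown 513001:513001` for the YouTrack paths, `chown 500999:500999` for the MySQL paths); `APPLY=1 ./script.sh` as root performs the mkdir and chown. Because the mapping is arithmetic on one shared range, no second entry in `userns-remap` and no extra host users are needed: the host directories simply have to be owned by base + container UID, and the paths can live on any partition, including one under /var/log.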