My dockerd (CentOS7: 17.12.0-ce, build c97c6d6) is running with user namespaces enabled for better isolation.
Now I build an image which is also supposed to read from the kernel's /proc for monitoring purposes. Thus I tried to mount /proc onto /host/proc in the container:
host> docker run --network=host --userns=host --pid=host --privileged -v /proc:/host/proc:ro --name mycontainer my/container20180204
and then bind-mount it during container start-up over the container's own view of the proc namespace:
docker> mount -o bind /host/proc /proc
However, even with the user namespace of the host, the container's root process is apparently run within dockerd's user namespace mapping, as the container's root cannot bind-mount /proc:
mount: only root can use "--options" option (effective UID is 100000)
Running as a non-privileged user does not work, as it tries to mount it as a real file system (?!?) from the layers:
/var/lib/docker/100000.100000/btrfs/subvolumes/${SHA256}/proc" cannot be mounted because it is located inside "/proc": unknown.
So, I fear that the user namespace limitations are for good and not bypassable...? https://docs.docker.com/engine/security/userns-remap/#user-namespace-known-limitations
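A check that settles from inside the container whether root really sits in dockerd's remapped user namespace or in the host's initial one, as an added example (this is not the poster's code and not part of Docker): read /proc/self/uid_map. A process in the initial user namespace sees the identity map "0 0 4294967295"; a process under userns-remap sees a line like "0 100000 65536", and the kernel enforces the outside UID, which is exactly the "effective UID is 100000" that mount reported. The two maps below are constructed samples, the remapped one using the 100000 base visible in the poster's storage path; the function names map_uid, in_init_userns and report_self are this example's own.

```shell
#!/bin/sh
# Translate a UID as seen inside a user namespace to the UID the host kernel
# actually enforces, using the /proc/<pid>/uid_map line format:
#   <first id inside namespace> <first id outside namespace> <length>

# map_uid MAP_TEXT UID -> prints the host UID, or "unmapped" if no line covers it.
map_uid() {
    _uid="$2"
    _host=$(printf '%s\n' "$1" | while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$_uid" -ge "$inside" ] && [ "$_uid" -lt $((inside + count)) ]; then
            echo $((outside + _uid - inside))
            break
        fi
    done)
    if [ -n "$_host" ]; then echo "$_host"; else echo unmapped; fi
}

# in_init_userns MAP_TEXT -> success if the map is the single identity line of
# the initial user namespace, which is what --userns=host should give you.
in_init_userns() {
    printf '%s\n' "$1" | {
        read -r inside outside count
        [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ] && ! read -r _extra
    }
}

# Constructed samples (not captured from a real system): the identity map of
# the initial namespace, and a map of the kind dockerd writes for a container
# under userns-remap whose subordinate range starts at 100000.
INIT_MAP='         0          0 4294967295'
REMAPPED_MAP='         0     100000      65536'

# Run inside a container to report where its root actually lands on the host.
report_self() {
    self_map=$(cat /proc/self/uid_map 2>/dev/null) || return 1
    if in_init_userns "$self_map"; then
        echo "initial user namespace: uid 0 here is uid 0 on the host"
    else
        echo "remapped user namespace: uid 0 here is host uid $(map_uid "$self_map" 0)"
    fi
}

report_self || :
```

Run it as the container's entrypoint (or docker exec it) before attempting the bind mount: if it reports a remapped namespace even though the container was started with --userns=host, the remap flag did not take effect for that container; if it reports the initial namespace, the mount failure has a different cause than user namespaces.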