
hostUsers: false with fuse-overlayfs driver mounts unwritable rootfs in container #9865

@chaserhkj

Description


What happened?

When running a pod with CRI-O and fuse-overlayfs as the storage driver, and enabling user namespaces for the pod (by setting hostUsers: false), the rootfs of the container is mounted as owned by nobody:nobody, which makes it completely unwritable.

What did you expect to happen?

The rootfs should be mounted as owned by the mapped inner root, so that the inner root is able to write to the directory.

How can we reproduce it (as minimally and precisely as possible)?

Start CRI-O with the following /etc/containers/storage.conf:

[storage]
driver = "overlay"
[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"

And run a pod with:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  labels:
    app: test
spec:
  selector:
    matchLabels:
      app: test
  template:
    metadata:
      labels:
        app: test
    spec:
      hostUsers: false
      containers:
      - name: test
        image: docker.io/archlinux/archlinux
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: true
        command:
          - sleep
          - infinity

Then do

$ kubectl exec -it deploy/test -- bash
# ls -lah /
total 48K
dr-xr-xr-x  16 nobody nobody 4.0K Apr  1 01:28 .
lrwxrwxrwx   1 root   root      7 Oct 12 16:21 bin -> usr/bin
drwxr-xr-x   2 root   root   4.0K Oct 12 16:21 boot
drwxr-xr-x  14 root   root   3.7K Apr  1 01:28 dev
drwxr-xr-x  39 root   root   4.0K Apr  1 01:28 etc
drwxr-xr-x   2 root   root   4.0K Oct 12 16:21 home
lrwxrwxrwx   1 root   root      7 Oct 12 16:21 lib -> usr/lib
lrwxrwxrwx   1 root   root      7 Oct 12 16:21 lib64 -> usr/lib
drwxr-xr-x   2 root   root   4.0K Oct 12 16:21 mnt
drwxr-xr-x   2 root   root   4.0K Oct 12 16:21 opt
dr-xr-xr-x 680 nobody nobody    0 Apr  1 01:28 proc
drwxr-x---   2 root   root   4.0K Oct 12 16:21 root
drwxr-xr-x   3 root   root   4.0K Apr  1 01:28 run
lrwxrwxrwx   1 root   root      7 Oct 12 16:21 sbin -> usr/bin
drwxr-xr-x   4 root   root   4.0K Mar 17 09:03 srv
dr-xr-xr-x  13 nobody nobody    0 Apr  1 00:33 sys
drwxrwxrwt   2 root   root   4.0K Oct 12 16:21 tmp
drwxr-xr-x   8 root   root   4.0K Mar 17 09:03 usr
drwxr-xr-x  12 root   root   4.0K Mar 17 09:03 var

This shows that / is owned by nobody:nobody.

Anything else we need to know?

No response

CRI-O and Kubernetes version

$ crio --version
crio version 1.35.0
   GitCommit:      unknown
   GitCommitDate:  unknown
   GitTreeState:   clean
   BuildDate:      2025-12-28T11:36:21Z
   GoVersion:      go1.25.5 X:nodwarf5
   Compiler:       gc
   Platform:       linux/amd64
   Linkmode:       dynamic
   BuildTags:
     containers_image_ostree_stub
     apparmor
     seccomp
   LDFlags:           -X github.com/cri-o/cri-o/internal/version.buildDate=2025-12-28T11:36:21Z -compressdwarf=false -linkmode external
   SeccompEnabled:   true
   AppArmorEnabled:  false
$ kubectl version --output=json
{
  "clientVersion": {
    "major": "1",
    "minor": "35",
    "gitVersion": "v1.35.2",
    "gitCommit": "fdc9d74cbf2da6754ebf81d56f80ae2948cd6425",
    "gitTreeState": "archive",
    "buildDate": "1980-01-01T00:00:00Z",
    "goVersion": "go1.25.7",
    "compiler": "gc",
    "platform": "linux/amd64"
  },
  "kustomizeVersion": "v5.7.1",
  "serverVersion": {
    "major": "1",
    "minor": "35",
    "emulationMajor": "1",
    "emulationMinor": "35",
    "minCompatibilityMajor": "1",
    "minCompatibilityMinor": "34",
    "gitVersion": "v1.35.1+k0s",
    "gitCommit": "8fea90b45245ef5c8ba54e7ae044d3e777c22500",
    "gitTreeState": "clean",
    "buildDate": "2026-02-18T10:30:25Z",
    "goVersion": "go1.25.7",
    "compiler": "gc",
    "platform": "linux/amd64"
  }
}

OS version

# On Linux:
$ cat /etc/os-release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
VERSION_ID=20260220.0.492853
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://gitlab.archlinux.org/groups/archlinux/-/issues"
PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/"
LOGO=archlinux-logo
$ uname -a
Linux dai-dt-ctr 6.18.13-zen1 #1-NixOS ZEN SMP PREEMPT_DYNAMIC Tue Jan  1 00:00:00 UTC 1980 x86_64 GNU/Linux

Additional environment details (AWS, VirtualBox, physical, etc.)

N/A
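A host-side diagnostic for the symptom described in the report above, added here as an example and not part of the report or of CRI-O: it translates the host owner of the container rootfs through the container process's /proc/PID/uid_map and gid_map and reports whether that owner is mapped into the user namespace at all (an unmapped owner is what shows up as nobody/65534 inside, and in-namespace capabilities such as CAP_DAC_OVERRIDE do not apply to such inodes). The sample id map and owner ids are constructed for illustration.

```python
import os
from typing import List, Optional, Tuple

# Kernel default overflowuid/overflowgid: what an unmapped id is reported as
# inside the namespace, which is why the rootfs shows up as "nobody:nobody".
OVERFLOW_ID = 65534


def parse_id_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map or gid_map: lines of 'inside_start host_start count'."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        inside, host, count = (int(p) for p in parts)
        ranges.append((inside, host, count))
    return ranges


def host_to_ns(host_id: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Translate a host uid/gid to the id seen inside the namespace; None if unmapped."""
    for inside, host, count in ranges:
        if host <= host_id < host + count:
            return inside + (host_id - host)
    return None


def diagnose(host_uid: int, host_gid: int, uid_map: str, gid_map: str) -> dict:
    """Report how a host-owned inode appears to processes in the user namespace."""
    ns_uid = host_to_ns(host_uid, parse_id_map(uid_map))
    ns_gid = host_to_ns(host_gid, parse_id_map(gid_map))
    return {
        "uid_in_ns": OVERFLOW_ID if ns_uid is None else ns_uid,
        "gid_in_ns": OVERFLOW_ID if ns_gid is None else ns_gid,
        "owner_unmapped": ns_uid is None or ns_gid is None,
        # Capabilities held inside the namespace only apply to inodes whose
        # uid AND gid are both mapped; an unmapped owner defeats even ns root.
        "ns_caps_apply": ns_uid is not None and ns_gid is not None,
    }


def diagnose_pid(pid: int, rootfs_path: str) -> dict:
    """Live check on the host: stat the rootfs mount and read the process's id maps."""
    st = os.stat(rootfs_path)
    with open(f"/proc/{pid}/uid_map") as f:
        uid_map = f.read()
    with open(f"/proc/{pid}/gid_map") as f:
        gid_map = f.read()
    return diagnose(st.st_uid, st.st_gid, uid_map, gid_map)
```

Run it on the node as `diagnose_pid(<container pid>, <rootfs mount path>)`; `owner_unmapped` being true reproduces the nobody:nobody ownership seen with `ls -lah /` in the report.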
