Installed a new debian server, installed docker, but then now i have a problem with permissions on passed directories.

On the previous server, the uid/gids inside the docker container match the uid/gid on the real server.

Root is 0, www-data is 33, and so on.

On this new server, instead, files owned by root (0) in the container are translated to 1000 on the server, www-data (33) is 100032, and so on (+1000 appended to the uid)

Is this normal or did I misconfigure something? On the previous server I was running everything as root (the interactive user was root), and i would like to avoid that

  • 𝘋𝘪𝘳𝘬
    link
    fedilink
    English
    101 year ago

    It’s actually a suggested configuration / best practice to NOT have container user IDs matching the host user IDs.

    Ditch the idea of root and user in a docker container. For your containerized application use 10000:10001. You’ll have only one application and one “user” in the container anyways when doing it right.

    To be even more on the secure side use a different random user ID and group ID for every container.

    • @[email protected]
      link
      fedilink
      English
      41 year ago

      This is really dependent on whether or not you want to interact with mounted volumes. In a production setting, containers are ephemeral and should essentially never be touched. Data is abstracted into stores like a database or object storage. If you’re interacting with mounted volumes, it’s usually through a different layer of abstraction like Kibana reading Elastic indices. In a self-hosted setting, you might be sidestepping dependency hell on a local system by containerizing. Data is often tightly coupled to the local filesystem. It is much easier to match the container user to the desired local user to avoid constant sudo calls.

      I had to check the community before responding. Since we’re talking self-hosted, your advice is largely overkill.

      • 𝘋𝘪𝘳𝘬
        link
        fedilink
        English
        11 year ago

        This is really dependent on […]

        … basically anything. Yes. You will always find yourself in problems where the best practice isn’t the best solution for.

        In your described use case an option would be having the application inside the container running with 10000:10001 but writing the data into another directory that is configured to use 1000:1001 (or whatever the user is you want to access the data with from your host) and just mount the volume there. This takes a bit more configuration effort than just running the application with 1000:1001 … but still :)

    • @[email protected]
      link
      fedilink
      English
      21 year ago

      Do I need to actually create the user in advance or can I just choose a string as I see fit?

      • 𝘋𝘪𝘳𝘬
        link
        fedilink
        English
        11 year ago

        You don’t need to create the user first. Here’s the simplest I can come up with:

        FROM alpine:latest
        COPY myscript.sh /app/myscript.sh
        USER 10000:10001
        CMD ["sh", "/app/myscript.sh"]
        

        This simply runs /app/myscript.sh with UID 10000 and GID 10001.

        • @[email protected]
          link
          fedilink
          English
          11 year ago

          Wasnt aware that you can just think of IDs from fresh air.
          Thought it was to create the user and ID manually amd then be able to use it.

          • 𝘋𝘪𝘳𝘬
            link
            fedilink
            English
            11 year ago

            Yep! The names are basically just a convenient way for referencing a user or group ID.

            Under normal circumstances you should let the system decide what IDs to use, but in the confined environment of a docker container you can do pretty much what you want.

            If you really, really, really want to create a user and group just set the IDs manually:

            FROM alpine:latest
            COPY myscript.sh /app/myscript.sh
            RUN addgroup -g 10001 mycoolgroup && adduser -D -u 10000 -G mycoolgroup mycooluser
            USER mycooluser:mycoolgroup
            CMD ["sh", "/app/myscript.sh"]
            

            Just make sure to stay at or above 10000 so you won’t accidentally re-use IDs that are already defined on the host.

    • Scott
      link
      fedilink
      English
      1
      edit-2
      1 year ago

      My go-to for user and group IDs is 1234:1234

  • @[email protected]OP
    link
    fedilink
    English
    71 year ago

    checked .bash_history, looks like i installed docker in the new rootless mode

    wget get.docker.com
    ls
    mv index.html docker.sh
    chmod +x docker.sh
    ./docker.sh
    dockerd-rootless-setuptool.sh install
    sudo dockerd-rootless-setuptool.sh install
    sudo apt install uidmap
    dockerd-rootless-setuptool.sh install
    

    now i need to see how to restore it to work in the traditional way or i will become crazy with the permissions…

  • @[email protected]
    link
    fedilink
    English
    2
    edit-2
    1 year ago

    I’m not very well versed on docker, but this sounds like a config issue. The behavior seems similar to “squash root” found in many other services.