this post was submitted on 02 Jan 2024
32 points (97.1% liked)

Selfhosted

40006 readers
624 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Installed a new debian server, installed docker, but then now i have a problem with permissions on passed directories.

On the previous server, the uid/gids inside the docker container match the uid/gid on the real server.

Root is 0, www-data is 33, and so on.

On this new server, instead, files owned by root (0) in the container are translated to 1000 on the server, www-data (33) is 100032, and so on (+1000 appended to the uid)

Is this normal or did I misconfigure something? On the previous server I was running everything as root (the interactive user was root), and i would like to avoid that

top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 8 points 10 months ago (3 children)

It's actually a suggested configuration / best practice to NOT have container user IDs matching the host user IDs.

Ditch the idea of root and user in a docker container. For your containerized application use 10000:10001. You'll have only one application and one "user" in the container anyways when doing it right.

To be even more on the secure side use a different random user ID and group ID for every container.

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

My go-to for user and group IDs is 1234:1234

[–] [email protected] 1 points 10 months ago

This is really dependent on whether or not you want to interact with mounted volumes. In a production setting, containers are ephemeral and should essentially never be touched. Data is abstracted into stores like a database or object storage. If you’re interacting with mounted volumes, it’s usually through a different layer of abstraction like Kibana reading Elastic indices. In a self-hosted setting, you might be sidestepping dependency hell on a local system by containerizing. Data is often tightly coupled to the local filesystem. It is much easier to match the container user to the desired local user to avoid constant sudo calls.

I had to check the community before responding. Since we’re talking self-hosted, your advice is largely overkill.

[–] [email protected] 1 points 10 months ago

Do I need to actually create the user in advance or can I just choose a string as I see fit?

[–] [email protected] 6 points 10 months ago (1 children)

checked .bash_history, looks like i installed docker in the new rootless mode

wget get.docker.com
ls
mv index.html docker.sh
chmod +x docker.sh
./docker.sh
dockerd-rootless-setuptool.sh install
sudo dockerd-rootless-setuptool.sh install
sudo apt install uidmap
dockerd-rootless-setuptool.sh install

now i need to see how to restore it to work in the traditional way or i will become crazy with the permissions...

[–] [email protected] 5 points 10 months ago (1 children)

I fixed it:

for future reference:

[–] [email protected] 6 points 10 months ago (1 children)

Why go through all of that complexity when you could just sudo apt install docker?

[–] [email protected] 1 points 10 months ago (2 children)

i don't want to type sudo before each single docker command

[–] [email protected] 10 points 10 months ago* (last edited 10 months ago) (1 children)

You can do that with regular docker. Just add your user to the docker group.

(don't forget to log out and log in again after adding new groups to your user)

[–] [email protected] 3 points 10 months ago

Niche use case, but you can also use newgrp to run commands with a recently-added group to your user, without having to logout/login yet.

[–] [email protected] 3 points 10 months ago

So add your user to the new docker group made on install of that package and you'll be able to docker without sudo. You may need to relogin or newgrp docker before it works tho

[–] [email protected] 4 points 10 months ago

Looks like you are running rootless.

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago)

I'm not very well versed on docker, but this sounds like a config issue. The behavior seems similar to "squash root" found in many other services.