this post was submitted on 02 Jan 2024
40 points (93.5% liked)


Installed a new debian server, installed docker, but then now I have a problem with permissions on passed directories.

On the previous server, the uid/gids inside the docker container match the uid/gid on the real server.

Root is 0, www-data is 33, and so on.

On this new server, instead, files owned by root (0) in the container are translated to 1000 on the server, www-data (33) is 100032, and so on (+1000 appended to the uid)

Is this normal or did I misconfigure something? On the previous server I was running everything as root (the interactive user was root), and I would like to avoid that.

[–] Dirk@lemmy.ml 10 points 10 months ago (7 children)

It's actually a suggested configuration / best practice to NOT have container user IDs matching the host user IDs.

Ditch the idea of root and user in a docker container. For your containerized application use 10000:10001. You'll have only one application and one "user" in the container anyways when doing it right.

To be even more on the secure side use a different random user ID and group ID for every container.

[–] Appoxo@lemmy.dbzer0.com 2 points 10 months ago (3 children)

Do I need to actually create the user in advance or can I just choose a string as I see fit?

[–] Dirk@lemmy.ml 1 points 10 months ago (1 children)

You don't need to create the user first. Here's the simplest I can come up with:

FROM alpine:latest
COPY myscript.sh /app/myscript.sh
USER 10000:10001
CMD ["sh", "/app/myscript.sh"]

This simply runs /app/myscript.sh with UID 10000 and GID 10001.

[–] Appoxo@lemmy.dbzer0.com 1 points 10 months ago (1 children)

Wasn't aware that you can just think of IDs from fresh air.
Thought it was to create the user and ID manually and then be able to use it.

[–] Dirk@lemmy.ml 1 points 10 months ago

Yep! The names are basically just a convenient way for referencing a user or group ID.

Under normal circumstances you should let the system decide what IDs to use, but in the confined environment of a docker container you can do pretty much what you want.

If you really, really, really want to create a user and group just set the IDs manually:

FROM alpine:latest
COPY myscript.sh /app/myscript.sh
RUN addgroup -g 10001 mycoolgroup && adduser -D -u 10000 -G mycoolgroup mycooluser
USER mycooluser:mycoolgroup
CMD ["sh", "/app/myscript.sh"]

Just make sure to stay at or above 10000 so you won't accidentally re-use IDs that are already defined on the host.
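Two checks that follow from the thread, as an added example (not code from any commenter): translating a container UID to the host UID through a user-namespace uid_map line (the standard `<inside-start> <outside-start> <count>` format of /proc/PID/uid_map), and checking whether a chosen UID such as 10000 already exists in the host's passwd file. The uid_map line and passwd entries below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Works with constructed sample data;
# on a real host, feed it /proc/<container-pid>/uid_map and /etc/passwd.

# map_uid CONTAINER_UID UID_MAP_TEXT
# Each uid_map line is "<inside-start> <outside-start> <count>"; a container
# UID inside a range maps to (uid - inside-start + outside-start) on the host.
map_uid() {
  printf '%s\n' "$2" | awk -v u="$1" '
    $1 <= u && u < $1 + $3 { print u - $1 + $2; found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# uid_in_passwd UID PASSWD_TEXT -> "taken" if some host account uses that UID, else "free"
uid_in_passwd() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    $3 == u { found = 1 }
    END { print (found ? "taken" : "free") }'
}

# Constructed sample: a remapped daemon whose container root starts at host UID 100000.
SAMPLE_UID_MAP='0 100000 65536'

# Constructed sample host passwd: root, www-data and one interactive user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash'

main() {
  # Container root (0) and www-data (33) land on high host UIDs, which is why
  # files written by the container look "shifted" when viewed from the host.
  for cid in 0 33 10000 70000; do
    printf 'container uid %-5s -> host uid %s\n' "$cid" "$(map_uid "$cid" "$SAMPLE_UID_MAP")"
  done
  # Before picking a fixed UID for a container, confirm no host account already uses it.
  for hid in 1000 10000; do
    printf 'uid %-5s on host: %s\n' "$hid" "$(uid_in_passwd "$hid" "$SAMPLE_PASSWD")"
  done
}

main
```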
