OMV and Docker and users. (new guy)

On my OMV, just like any of my other Linux machines, I have created one new user named fred and assigned that user into the users group. This is the user and group I run all my dockers as via PUID and PGID (or the equivalent environment variables.)

The only valid user able to make use of the OMV GUI is the admin user. Creating new users does not change this.

A regular user, created as I suggested can use the shell for various purposes. This is a standard Linux thing. That user can also be used to run dockers as that user.

i am also confused by this docker user thing. the docker how-tos in the guide section (mostly written by macom ) mention that a separate docker user should be created and all containers should be mapped to this user via puid and pgid. in reality this causes a lot of issues, because the files and folders created by the docker user are not accessible for my general user i am using to access the files via samba.

furthermore, when setting up docker containers i am using root for ssh login, so i need to chown every created directory to the docker user so the containers can actually use them.

I have only two additional users (fred,sftp) on my system beyond those created by the system itself. The sftp user is only used to access the chrooted sftp server and has no other role so I won't mention it again.

The user fred is a member of the users and sudo groups and has a home directory /home/fred.

All of my activity in the shell starts when I am logged in as user fred.

If I need elevated privileges I use sudo.

Becoming the root user is very rarely done.

All my media files and directories (movies, music, tv) are owned by fred:users. The directories have 2755 permissions and the files within them have 0644 permissions.

All my dockers run with the PUID of fred and the PGID of users (1001:100).

When I run any docker commands in the shell I am logged in as user fred.

I never have permissions and ownerships problems with files and directories that I (user fred) or my dockers need to interact with.

Are you seeing a pattern here yet?

TLDR;

Who said this recommended separate docker user can't be the primary user on the system?

Zitat von gderf

All my media files and directories (movies, music, tv) are owned by fred:users. The directories have 2755 permissions and the files within them have 0644 permissions.

how are you preventing other members of the users group, like your wife, kids, brother, etc. from accessing your files?

Zitat von gderf

Who said this recommended separate docker user can't be the primary user on the system?

because that would not make any sense. first you set up OMV with a primary user, copy in your several terabytes of data, then set up docker with a separate user and move the ownership of the several terabytes of data to this user?

Zitat von molnart

how are you preventing other members of the users group, like your wife, kids, brother, etc. from accessing your files?

because that would not make any sense. first you set up OMV with a primary user, copy in your several terabytes of data, then set up docker with a separate user and move the ownership of the several terabytes of data to this user?

There are no other users on the system in the users group.

I didn't need to change the ownership of the data because it never had incorrect ownership. But even if I needed to do that, four lines of shell code in a script handles that:

#/bin/bash

find /srv/dev-disk-by-label-d1/sftp/outgoing/ -type d -exec chmod -R 2755 {} \;

find /srv/dev-disk-by-label-d1/sftp/outgoing/ -type d -exec chown -R fred:users {} \;

find /srv/dev-disk-by-label-d1/sftp/outgoing/ -type f -exec chown -R fred:users {} \;

find /srv/dev-disk-by-label-d1/sftp/outgoing/ -type f -exec chmod -R 644 {} \;

The media data is all located in three mergerfs pools and is currently ~62,400 files in ~24,300 directories occupying 29TB.

1 or 10 line of bash code, it just comes to me as utterly unnecessary to create an additional user for docker

Zitat von molnart

1 or 10 line of bash code, it just comes to me as utterly unnecessary to create an additional user for docker

And who is the one having all these problems?

i did not have the problems when i was ignoring the PUID and PGUID settings of the containers and fired them up as the where., also i think i wouldn't have any issues if I would have used my existing OMV user in docker. but apparently that's the wrong way of doing things and for some reason one needs to create a dedicated user for docker, with no access to anything else. i am just wondering why is that needed and how to solve to avoid file ownership conflicts.

I didn't create a new dedicated user specifically for docker. I used the only ordinary regular non-privileged user on the system for this. This user is not restricted to only dockers.

This user came first, docker came along later, much later. My OMV system is five years old, docker came along about three years ago. I have not added a new user to my system since the day it was created on OMV 2.x.

File ownership conflicts with dockers don't happen here for me.

I import about 1TB of data per month into my OMV server.

About half of that data is created on the system itself via dockers that do torrenting. These dockers run as the only non-privileged user on the system (all my dockers, all 14 of them run as this user). This causes the data to be created with the correct ownership and permissions that other applications like Plex (which runs in a docker running as this user) are expecting.

it seems some docker images don't support user mapping.

however when i start those containers with my regular non-root user as sudo the files created by the container are still owned by root. is that expected?

Zitat von molnart

it seems some docker images don't support user mapping.

however when i start those containers with my regular non-root user as sudo the files created by the container are still owned by root. is that expected?

I believe that is the expected behavior. If you run sudo touch filename, filename is owned by root:root.

Can you explain why you need to run (or create) containers with sudo?

that's a question i have asked myself as well, but without sudo i am getting the following error

ERROR: Couldn't connect to Docker daemon at http+docker://localhost - is it running?

If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.

Common experience. I am going to guess that you have no docker group on your system, or if you do, your user is not a member of that group.

Create the group and add your user if needed. Logout and login again.