I don't know where this belongs, because it's very general regarding security.
I think a lot of new OMV users expect that they can expose their servers to the Internet, to create their own cloud and to use apps to access their content over the Internet. I don't think many sane people would do all this work if it wasn't to avoid the pitfalls of big tech's easy offerings, so I think many OMV users see it from a perspective of replacing big tech with their own server and as such expect it to be exposed to the Internet.
I'm a new user of Open Media Vault and I'm not used to Linux or administrating privileges, nor do I have any deeper knowledge about security. Basically I'm a Windows slave that has only occasionally been checking out Linux, but never really gone down that path.
After setting up Portainer and installing Airsonic and Jellyfin, I started wondering how in the world they could access my media drive without specifying anything but binds, UID and GID. I didn't specify the user password anywhere or give permissions to the users created for Airsonic or Jellyfin. What I gather is that to do all its magic, Portainer runs the containers with elevated privileges, and I find that very insecure, especially if I want to expose the server to the Internet.
When I started to dive into this question, it quickly started to become very esoteric to me and I think it would to the vast majority of people.
Somehow I would need to not run the containers in privileged mode and only use the specified user's credentials, to be able to control their access from OMV. (Why do I have to specify UID and GID, when it's being overridden by privileged mode?)
As I see it I would also have to restrict Portainer and Docker, as they can create new containers that could run in privileged mode. So, if they are hacked, wouldn't it be more or less an open door to the system? Or maybe I could get away with maximizing the security when accessing Portainer and Docker, probably by not opening those ports to the Internet? Or at the very least use 2FA if I expose them to the Internet?
I should probably also set up SSL and my limited knowledge about it is that it isn't a walk in the park.
After that, my lack of experience and understanding with security would probably leave some wide open holes anyway?
So, that leads me to the greater question: is it safe at all for ordinary people to expose their OMV/Portainer installation to the Internet? Is there any easy way to handle decent security, that most people would be able to manage?
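To make the privileged-mode concern in the post concrete, here is an added example (not from the poster, OMV, Portainer or Jellyfin) showing a Docker Compose definition in the form the post worries about beside a restricted form. The host path `/srv/dev-disk-by-label-data/media`, the config path, and the UID 1000 / GID 100 of an OMV user named `media` are assumptions; substitute your own values, and note that the `/config` directory must be writable by that UID.

```yaml
# Weak form: privileged mode. The container gets every capability and full
# /dev access and runs as root, so the UID/GID you chose in OMV no longer
# limits what the service can read or write.
services:
  jellyfin:
    image: jellyfin/jellyfin
    privileged: true
    volumes:
      - /srv/dev-disk-by-label-data/media:/media   # assumed host path
    ports:
      - "8096:8096"                                # reachable on every host interface

---
# Restricted form: run as the OMV user, mount the share read-only, drop all
# capabilities, and expose the port only on loopback so a reverse proxy
# with TLS (not shown here) is the only thing facing the Internet.
services:
  jellyfin:
    image: jellyfin/jellyfin
    user: "1000:100"                     # assumed UID:GID of the OMV "media" user
    cap_drop:
      - ALL                              # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true           # setuid binaries cannot regain privileges
    volumes:
      - /srv/dev-disk-by-label-data/media:/media:ro         # read-only media
      - /srv/dev-disk-by-label-data/appdata/jellyfin:/config # assumed, must be owned by 1000:100
    ports:
      - "127.0.0.1:8096:8096"            # loopback only; never published directly
    restart: unless-stopped
```

If hardware transcoding is the reason a guide suggests `privileged: true`, passing only the needed device with `devices: ["/dev/dri:/dev/dri"]` is the narrower alternative.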