Docker container configuration folders and agent users

I plan to have several Docker container apps on my OMV server. I am establishing a pattern which I would like to follow for all containers to follow. So I want to do the first one correctly.

I feel it is useful to provide a consistent naming convention to organize my folders. And I take the suggestions in the Docker plugin wiki seriously about keeping each container separated and using its own container root mapped to an agent user with reduced privileges. My questions are at the bottom.

So I deviate slightly from the Docker plugin wiki naming convention...

OMV>Storage>Shared Folders>

/srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker

/srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker_apps

/srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker_backup

OMV>Services>Compose>Settings>

Compose Files (Wiki "appdata")

docker_apps [on /dev/nvme0n1p1, docker_apps/]

root:root

Administrator - read/write, Users - No access, Others - No access

Backup (Wiki "compose_backup")

docker_backup [on /dev/nvme0n1p1, docker_backup/]

Docker storage (Wiki "docker")

docker [on //dev/nvme0n1p1, docker/]

My containers' future configuration therefore...

Fing Agent

docker_apps/fing/

docker_apps/fing/config/

Other

docker_apps/other/

docker_apps/other/config/

New users for the containers...

sudo useradd -U fingagent

sudo passwd fingagent

sudo id fingagent

uid=1007(fingagent) gid=1011(fingagent) groups=1011(fingagent)

sudo useradd -U otheragent

sudo passwd otheragent

sudo id otheragent

uid=1008(otheragent) gid=1012(otheragent) groups=1012(otheragent)

The questions:

1. Do I still need to create new users and groups in the OMV>Users tab? (I note that if I do then they are added to the group gid=100(users). But if I do not, they do not display in the OMV>Users or OMV>Groups tabs even though they exist in Linux...?

2. Do I need to make the subdirectories using the CLI like shown, or is there some "magic" in the Docker plugin that will create these subfolders for me?

cd /srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker_apps

mkdir fing

cd fing

mkdir config

3. Should and how it is recommended I set the permissions of the docker_apps container and container config subfolders? Is the owner root:fingagent or fingagent:fingagent? How is it that both root and the Docker agent users will have access to the container config subfolders?

chown -R root:fingagent /srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker_apps/fing

chmod -R 770 /srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker_apps/fing

chown -R root:otheragent /srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker_apps/other

chmod -R 770 /srv/dev-disk-by-uuid-8d7f318f-4fa6-4621-b0e6-5203134f3b22/docker_apps/other

Thank you very much in advance.

P.S. This <thread> touches on similar installation questions and was very helpful.

Quote from chente

Please note that the Docker documentation on OMV has evolved since then; we're currently on OMV version 8.

I don't know if you still have any questions or if that thread answered them.

Sorry, I missed the detail that @wkruspe is using OMV 7. I am indeed using OMV 8. (The discussion remains relevant to both versions; some of @wkruspe's question was due to a 3rd party referring to an "appdata" path, which happens to be the same name used in the OMV wiki guide.) I am trying to avoid that by using path names that consistently contain "docker".

So... indeed, my request for guidance remains. As a relative newbie to Linux I haven't yet mastered the foundation that OMV relies upon "behind the scenes".

Any help you can offer would be most appreciated (see above, my initial post).

Quote from chente

1. It depends on the purpose of those users. What exactly do you want to do with them?

2. Docker will automatically create up to two levels of subfolders if they don't already exist.

3. You don't need to modify the default permissions for everything to work. Only root will have access to the container's folder. The user who creates the config folder can access the config folder. Be careful when modifying folder permissions; you can break the proper functioning of a container if you modify something incorrectly.

Numbered items continue to refer back to my original post and your responses.

1. The "agent" users I will define will have limited "real world" access outside the container. In the wiki example these users are referred to as "superman". ("We can also map users. And this is important to understand. The container will work internally as root, but we can make that user be another user on the server, for example the user superman. From that moment on, everything the container does to the mapped files or ports will not be done by root, it will be done by superman. That allows us to restrict the permissions of that container, we only have to restrict the permissions of the superman user of our system.") Original question: Do I still need to create new users ["agent" / "superman"] and groups in the OMV>Users tab?

2. Excellent. With any luck this will become more obvious to me as I use OMV and Docker more.

3. Noted. I do not want to change permissions, especially outside of OMV's GUI. But I remain confused: If root is the owner and user granted permission to new folders, how does "superman" / "agent" gain useful access? Perhaps you can explain this?