Installed a new debian server, installed docker, but then now i have a problem with permissions on passed directories.

On the previous server, the uid/gids inside the docker container match the uid/gid on the real server.

Root is 0, www-data is 33, and so on.

On this new server, instead, files owned by root (0) in the container are translated to 1000 on the server, www-data (33) is 100032, and so on (+1000 appended to the uid)

Is this normal or did I misconfigure something? On the previous server I was running everything as root (the interactive user was root), and i would like to avoid that

  • thesmokingman
    link
    fedilink
    English
    arrow-up
    4
    ·
    11 months ago

    This is really dependent on whether or not you want to interact with mounted volumes. In a production setting, containers are ephemeral and should essentially never be touched. Data is abstracted into stores like a database or object storage. If you’re interacting with mounted volumes, it’s usually through a different layer of abstraction like Kibana reading Elastic indices. In a self-hosted setting, you might be sidestepping dependency hell on a local system by containerizing. Data is often tightly coupled to the local filesystem. It is much easier to match the container user to the desired local user to avoid constant sudo calls.

    I had to check the community before responding. Since we’re talking self-hosted, your advice is largely overkill.

    • 𝘋𝘪𝘳𝘬@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      This is really dependent on […]

      … basically anything. Yes. You will always find yourself in problems where the best practice isn’t the best solution for.

      In your described use case an option would be having the application inside the container running with 10000:10001 but writing the data into another directory that is configured to use 1000:1001 (or whatever the user is you want to access the data with from your host) and just mount the volume there. This takes a bit more configuration effort than just running the application with 1000:1001 … but still :)