Hi everyone!
I’m making a Docker version of my sharing server for ease of use and it works, but I would like to know if there are some “best practices” when it comes to shared folders.
The ‘problem’ is that the Docker image is run as root in its container, while the user runs as the local user, and they both need read/write access to this file.
So my setup is to create a folder where the file will live, created by the local user, and share it with a docker-compose.yml “volumes” command, and have user: “1000:1000” in there as well (with instructions to get the uid & gid).
This has to be done by the user before running the Docker image though, is there a simpler way?
I have seen groups, running Docker in userspace and more, but it all seems so cumbersome. I just want a folder where both entities have read & write access.
There’s a common but persistent misconception that Docker is like running a virtual machine. This is understandable but incorrect.
A better way to think of it is as a security wrapper around an untrusted process.
If you look at your running processes whilst a container is running, you’ll see the processes inside the container running on your “host” machine - remember, it’s not a host - guest situation.
There is no relationship between the user inside the container and the one on the host, unless you start mapping the UID and GID.
The only exception to this is the root user which shares the UID/GID with the actual root user.
See: https://www.howtogeek.com/devops/why-processes-in-docker-containers-shouldnt-run-as-root/
Edit: I suspect, but don’t know for sure, that the root user inside the container is actually the same user as the one running the Docker process, which is typically the root user on the “host”.
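An added example to go with the setup described in the question (a host-owned shared folder plus a compose file with a `user:` line) and with the UID/GID point made above. This is not code from the thread or from the poster's project; the service name `sharing`, the image name `example/sharing:latest`, the host directory `./share` and the container path `/data` are placeholders I have assumed. The idea is that the user never edits `docker-compose.yml` by hand: a tiny script writes a `.env` with their UID/GID, compose substitutes it, and a pre-flight check confirms the folder really is theirs before `docker compose up`.

```shell
#!/bin/sh
# Added example, not from the original thread. Prepares a shared directory and a
# docker-compose.yml whose "user:" line is the host user's UID:GID, so files the
# container writes into the volume land on the host owned by the local account.
# Assumed placeholders: service "sharing", image "example/sharing:latest",
# host dir ./share, container path /data.

set -eu

# The value compose should use for "user:": the invoking host user's UID:GID.
host_user_spec() {
    printf '%s:%s\n' "$(id -u)" "$(id -g)"
}

# Create the shared directory owned by the host user. Mode 0770 keeps other
# host accounts out; the container gets in because it runs with the same ids.
prepare_share_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0770 "$dir"
}

# Pre-flight check: return 0 only if the directory exists, is writable by the
# current user and is owned by the current UID (ls -n prints numeric ids, which
# is portable across GNU and BSD userlands; stat flags are not).
verify_share_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -w "$dir" ] || return 1
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
}

# Write a .env file next to docker-compose.yml. Compose reads it automatically
# and substitutes ${PUID}/${PGID}, so the user never touches the compose file.
write_env_file() {
    out="$1"
    printf 'PUID=%s\nPGID=%s\n' "$(id -u)" "$(id -g)" > "$out"
}

# Write the compose file. The "user:" line is what makes files created inside
# the container show up on the host as the local user instead of root.
write_compose_file() {
    out="$1"
    cat > "$out" <<'EOF'
services:
  sharing:                          # placeholder service name
    image: example/sharing:latest   # placeholder image name
    user: "${PUID}:${PGID}"         # host UID:GID, substituted from .env
    volumes:
      - ./share:/data               # host dir -> container path (assumed)
EOF
}

# Optional check that needs Docker (not run by the other functions): create a
# file from inside a container started with the host UID:GID and show that the
# host sees it owned by that user. "$1" must be an absolute path.
probe_ownership() {
    dir="$1"
    docker run --rm --user "$(host_user_spec)" -v "$dir:/data" alpine:3 \
        sh -c 'touch /data/probe && ls -ln /data/probe'
    ls -ln "$dir/probe"
}
```

Typical use is `prepare_share_dir ./share && write_env_file .env && write_compose_file docker-compose.yml && verify_share_dir ./share`, then `docker compose up`. If you later run `probe_ownership "$PWD/share"`, both `ls -ln` lines print the same numeric owner, which is the point of the reply above: the only thing that ties a container user to a host user is the number, and `user:` sets that number.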
More information 😅 thanks a bunch, this is marvelous!
Edit: from a purely user perspective (not the real nitty-gritty security perspective), would it be correct to treat a running image like it’s running on a completely different computer, with some magic glue to call it, start it etc.? I will dig down, but it takes time.
Edit2: so root is the same in Docker and on my system, but a Docker-defined user isn’t? How does that work, especially collisions of UIDs?
Edit3: Connect is saving off more and more posts as I edit lol.
It uses a security feature of Linux called cgroups or control groups to limit access to resources at a kernel level.
It’s used all over the place, including as the basis of Docker.
https://en.wikipedia.org/wiki/Cgroups
This is getting more and more complex, but also more interesting 🤔 Thanks for the info and the link!