Unable to read any file/dir created by dockers, but can delete them.


Shinobu
Solved by Shinobu


Hello,

First, apologies if this is not in the correct location; this is my first post on the forum.


I'm having issues with permissions on files and directories that are created through docker containers. This applies to multiple containers. I have researched what I can about docker permissions, but as far as I can tell, everything is set up as it should be. 


So the containers are running with PUID 99 and PGID 100 with a umask of 000 (also tried 002). I have added paths to user shares with read/write permissions, which works fine in terms of the dockers being able to access and write to them. The shares it has access to are private, if that matters. Moving them to public or even secure is not an option due to access requirements. 


When the dockers write something to the mounted shares, I can see the file from a client accessing the share but get access denied if I try to read it in any way. However, I can delete them with no issue. Looking at permissions, all files created by them have -rw-rw----+ permissions, while everything not created by them has -rw-rw-rw-+. The same applies to directories, with the same result for directory permissions.


I've tried setting the access mode to read/write slave and shared with no apparent difference (not 100% on what the difference in modes is). I can get around this by manually changing permissions via CLI, but having to do that every time a file or folder is created is not a solution. 


Please give your suggestions, or point out where I'm going obviously wrong. I'm new to Linux and Docker as a whole, having recently migrated to unRAID from Windows Server 2019.


EDIT: So I've actually tracked this down to a permissions issue left over from when I had the server integrated into Active Directory. I removed it because it was causing too many problems. Running the New Permissions (and Docker Safe New Permissions) tool on all disks and shares does not fix the problem. However, if I create a new share, it works as expected. I've found that leftover AD permissions appear to be breaking the way dockers assign permissions; however, I cannot find an efficient way to remove all permissions other than the Linux 777 ones that are required, either through unRAID or Windows.


Is there a way to create a new share, then move all pointers for data from another share across? As the data is not stored on the shares themselves, there shouldn't be any reason to have to copy across data, plus there's 15+ TB of data that would need to be moved, which would take a very long time. 

Edited by Shinobu
Solution

Right, so update on this. 


Found that this was caused by remnants of being on Active Directory, but rather than being a permissions issue, it was an extended ACL issue. Using the command "setfacl -Rb /mnt/user/" resets the ACL on all user shares; I then re-ran the Docker Safe New Permissions tool and voilà, dockers are able to assign permissions as expected.

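To show why leftover extended ACL entries produce exactly the `-rw-rw----+` mode reported above, and what `setfacl -b` actually strips, here is an added example (not code from the original thread). It parses a constructed `getfacl`-style listing, applies the POSIX ACL mask the way the kernel does, renders the mode column as `ls -l` would show it, and removes the extended entries; the file name and the `ad-admin`/`ad-users` entries are made-up sample data.

```python
# Constructed sample (not captured from the poster's server): a file written by a
# container with umask 000 into a share whose directory still carried default ACL
# entries from an old Active Directory join.
SAMPLE_GETFACL = """\
# file: mnt/user/media/movie.mkv
# owner: nobody
# group: users
user::rw-
user:ad-admin:rwx
group::rw-
group:ad-users:rwx
mask::rw-
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples from getfacl output, skipping comments."""
    entries = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def effective(entries):
    """Effective rights per entry: the mask is ANDed into the owning group and every
    named user/group entry, but never into the owner (user::) or other entry."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qual != "")
        if masked and mask is not None:
            perms = "".join(c if c in mask else "-" for c in perms)
        out[f"{tag}:{qual}"] = perms
    return out

def ls_mode(entries):
    """Mode column as ls -l prints it: the group triplet shows the mask when one
    exists, and a trailing '+' flags that extended ACL entries are present."""
    acl = {f"{t}:{q}": p for t, q, p in entries}
    group = acl.get("mask:", acl["group:"])
    extended = any(q != "" or t == "mask" for t, q, _ in entries)
    return "-" + acl["user:"] + group + acl["other:"] + ("+" if extended else "")

def strip_extended(entries):
    """What setfacl -b leaves behind: only the three base entries, no mask."""
    return [(t, q, p) for t, q, p in entries if t in ("user", "group", "other") and q == ""]
```

Anyone reaching the file as "other" (for example an SMB user that maps to neither the owner nor a listed group) gets `---` and is denied reading, while deletion still works because that is governed by the directory. Note that `setfacl -b` only removes the extended entries and mask; the base `other` bits stay `---`, which is why the permissions tool still had to be run afterwards.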