L0rdRaiden Posted January 18, 2022

I have many dockers with PUID, PGID and UMASK. I have never bothered and I always left the default values; it worked, but...

What is the impact if I use a PUID / PGID that doesn't exist in Unraid?
Should I assign to all my dockers the PUID and PGID of the user nobody in Unraid?
Is the nobody user in Unraid already hardened to use for docker containers?
If a docker doesn't need special permissions, what should be the best way to configure it?
What should I do with UMASK?

Thanks in advance

L0rdRaiden Posted January 20, 2022

Some help please 🥲

Squid Posted January 20, 2022

With the templates, it should be best to leave them at the defaults as the maintainers would have already set the appropriate values accordingly. IE: set them to be nobody

Unraid doesn't have "users" in the normal Linux way. The huge value in docker containers is that they don't have permissions to anything anywhere on your array unless you've explicitly granted them access to it (via the path mappings and whether or not it's read-only or read/write).

The PUID / PGID and UMASK basically set the permissions of the files that it writes to the array (if it does) to something that's compatible with Unraid's implementation of user shares.

L0rdRaiden Posted January 21, 2022

10 hours ago, Squid said:
> With the templates, it should be best to leave them at the defaults as the maintainers would have already set the appropriate values accordingly. IE: set them to be nobody
>
> Unraid doesn't have "users" in the normal Linux way. The huge value in docker containers is that they don't have permissions to anything anywhere on your array unless you've explicitly granted them access to it (via the path mappings and whether or not it's read-only or read/write).
>
> The PUID / PGID and UMASK basically set the permissions of the files that it writes to the array (if it does) to something that's compatible with Unraid's implementation of user shares.

But for example I mostly use linuxserver.io images
https://docs.linuxserver.io/images/docker-mariadb

I read somewhere that Unraid uses the "nobody" user for docker, so if I do this

Should I use that UID and GID as PUID and PGID? Or, as you said, my assumption doesn't make any sense?

Please consider that linuxserver.io doesn't specifically create the dockers for Unraid.

I am asking this because I get this error in mariadb log

L0rdRaiden Posted April 24, 2023 (edited)

Can I get an answer to this please?

Should I use PUID, PGID 99 and 100 for all the containers?

I'm starting to use compose with official docker images and the users appear as unknown, and I am using

- PUID=1000
- PGID=100

but it is not being applied.

What does this mean in terms of permissions? Why aren't the correct permissions being applied? What is the correct/safe way to do this?

This is the docker compose

```yaml
###############################################################
# Nextcloud
###############################################################
version: '3.8'

# Networks ####################################################
networks:
  br1:
    driver: macvlan
    external: true
  nextcloud_network:
    internal: true

# Services ####################################################
services:

  mariadb:
    image: mariadb:10.6
    container_name: MariaDBNC
    restart: unless-stopped
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    healthcheck:
      test: ["CMD-SHELL", "mysql nextcloud -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'SELECT 1;' || exit 1"]
      interval: 2s
      retries: 120
    volumes:
      - /mnt/user/Docker/Nextcloud/mariadb:/var/lib/mysql
    environment:
      - TZ
      - PUID
      - PGID
      - MYSQL_ROOT_PASSWORD
      - MYSQL_PASSWORD
      - MYSQL_DATABASE
      - MYSQL_USER
      - MARIADB_AUTO_UPGRADE=1
      - MARIADB_DISABLE_UPGRADE_BACKUP=1
    networks:
      - nextcloud_network
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  redis:
    image: redis:alpine
    container_name: RedisNC
    restart: unless-stopped
    command: redis-server --requirepass $REDIS_HOST_PASSWORD
    volumes:
      - /mnt/user/Docker/Nextcloud/redis:/data
    environment:
      - TZ
      - PUID
      - PGID
    networks:
      - nextcloud_network
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  app:
    image: nextcloud:fpm-alpine
    container_name: Nextcloud
    restart: unless-stopped
    depends_on:
      mariadb:
        condition: service_healthy
    volumes:
      - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html
      - /mnt/user/Docker/Nextcloud/nextcloud/config:/var/www/html/config
      - /mnt/user/Media/Nextcloud:/var/www/html/data
      - type: tmpfs
        target: /tmp
        tmpfs:
          size: 1000000000
    environment:
      - TZ
      - PUID
      - PGID
      - MYSQL_PASSWORD
      - MYSQL_DATABASE
      - MYSQL_USER
      - MYSQL_HOST=mariadb
      - REDIS_HOST=redis
      - REDIS_HOST_PASSWORD
    networks:
      - nextcloud_network
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  web:
    build: ./web
    container_name: Nginx-fpm
    restart: always
    networks:
      nextcloud_network:
      br1:
        ipv4_address: 10.10.40.160
    ports:
      - 8080:80
    volumes:
      - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html:ro
    environment:
      - TZ
      - PUID
      - PGID
    depends_on:
      - app

  cron:
    image: nextcloud:fpm-alpine
    container_name: CronNC
    restart: unless-stopped
    depends_on:
      - mariadb
      - redis
    volumes:
      - /mnt/user/Docker/Nextcloud/nextcloud:/var/www/html
    environment:
      - TZ
      - PUID
      - PGID
    networks:
      - nextcloud_network
    entrypoint: /cron.sh
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
```

primeval_god Posted April 25, 2023

9 hours ago, L0rdRaiden said:
> Should I use PUID, PGID 99 and 100 for all the containers?

Yes. The unraid os does not make use of users and groups the way generic linux distros do. For docker purposes you should use the user nobody "PUID, PGID 99 and 100"

L0rdRaiden Posted April 25, 2023

11 hours ago, primeval_god said:
> Yes. The unraid os does not make use of users and groups the way generic linux distros do. For docker purposes you should use the user nobody "PUID, PGID 99 and 100"

And is there a way to force the docker compose above to do that? Or must it be natively supported by the image?

primeval_god Posted April 25, 2023

PGID and PUID have to be supported by the container. In the compose file above I see that the environment section for each container has empty PGID and PUID entries. Did you add those in or were they there already? If they were already there then you just need to assign the correct values to them.

L0rdRaiden Posted April 26, 2023

14 hours ago, primeval_god said:
> PGID and PUID have to be supported by the container. In the compose file above I see that the environment section for each container has empty PGID and PUID entries. Did you add those in or were they there already? If they were already there then you just need to assign the correct values to them.

The values are in an env file, but the permissions aren't being applied, probably because the containers don't support it. I'm using the official containers and although I have included PGID and PUID I don't see them as supported in the official documentation.

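The thread's point that PUID/PGID only matter if the files a container writes end up owned by that pair can be checked from the host. The following is an added example, not code from any poster in this thread: a shell check that lists entries under a bind-mounted path not owned by the expected numeric pair, plus a helper showing the file mode a given UMASK produces. The function names are hypothetical, the demo directory is constructed, and `stat -c` (GNU coreutils or busybox) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# 99:100 is the nobody PUID/PGID pair the thread recommends on Unraid.

# audit_owner DIR UID GID
# Lists every entry under DIR whose numeric owner or group differs from
# UID:GID as "uid:gid (user:group) mode path". Returns 1 on any mismatch.
# GNU stat prints UNKNOWN for an id with no passwd/group entry on the host.
audit_owner() {
    out=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) \
              -exec stat -c '%u:%g (%U:%G) %a %n' {} +)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# count_mismatches DIR UID GID -> number of mismatching entries
count_mismatches() {
    audit_owner "$1" "$2" "$3" | grep -c . || true
}

# new_file_mode UMASK -> octal mode a newly created file gets under UMASK
new_file_mode() {
    (
        umask "$1"
        t=$(mktemp -d) || exit 1
        : > "$t/f"
        stat -c '%a' "$t/f"
        rm -rf "$t"
    )
}

# Constructed demo: a scratch directory stands in for a bind-mounted
# host path such as /mnt/user/Docker/Nextcloud/mariadb.
demo=$(mktemp -d)
: > "$demo/ibdata1"
audit_owner "$demo" 99 100 || echo "^ not owned by 99:100"
echo "umask 022 -> new files get mode $(new_file_mode 022)"
rm -rf "$demo"
```

Run against each host path from the compose file's `volumes:` entries, an image that ignores PUID/PGID shows up with whatever UID its process actually writes as.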