Unraid Docker & PUID/GUID


TDA


Hello everyone,

I'm new to Docker and I wanted to ask a couple of things:

- Is it possible to run docker containers with a specific user?

I wanted to accomplish the following:
Use a created user (svc_xyz) to run a specific docker container.
I saw that a lot of templates have the settings PUID&GUID.

As example:
I've tried to create a user SVC_MAKEMKV (uid=1012) and tried to set it inside the template of BINHEX-MAKEMKV, but when I check which user is running the container I get root, so I don't really get how the setting for PUID&GUID in the template should work.

docker exec -it <container> whoami

As every hardening guide says to run each docker container with a non-root user, I would have liked to try this out also in UNRAID.

Thanks in advance!

Link to comment
2 hours ago, TDA said:

Hello everyone,

I'm new to Docker and I wanted to ask a couple of things:

- Is it possible to run docker containers with a specific user?

I wanted to accomplish the following:
Use a created user (svc_xyz) to run a specific docker container.
I saw that a lot of templates have the settings PUID&GUID.

As example:
I've tried to create a user SVC_MAKEMKV (uid=1012) and tried to set it inside the template of BINHEX-MAKEMKV, but when I check which user is running the container I get root, so I don't really get how the setting for PUID&GUID in the template should work.

docker exec -it <container> whoami

As every hardening guide says to run each docker container with a non-root user, I would have liked to try this out also in UNRAID.

Thanks in advance!

That only works if the docker container has been built to take advantage of such a setting. It is not something that will have any effect on containers not designed for this.

Link to comment
1 hour ago, itimpi said:

That only works if the docker container has been built to take advantage of such a setting. It is not something that will have any effect on containers not designed for this.

When the template has the GUID&PUID I can assume it's designed for it, isn't it?

Link to comment
3 hours ago, TDA said:

It's possible to run docker containers with a specific user?

yes, by changing the PUID and PGID values for the user account you want to use.

1 hour ago, itimpi said:

I've tried to create a user SVC_MAKEMKV (uid=1012) and tried to set it inside the template of BINHEX-MAKEMKV, but when I check which user is runnning the container I get root,

that's because by default the account used for docker exec is user 'root'.

one thing to note here is that the account NAME that the process inside the container runs as does NOT change; it will always be user 'nobody'. However, the UID and GID are changed for that account to match whatever values the user defined for PUID and PGID.

3 minutes ago, TDA said:

When the template has the GUID&PUID I can assume it's designed for it, isn't?

this is one of my docker images and I can confirm all the images I produce include PUID and PGID to allow you to change the account.
Link to comment
15 minutes ago, binhex said:

yes, by changing the PUID and PGID values for the user account you want to use.

that's because by default the account used for docker exec is user 'root'.

one thing to note here is that the account NAME that the process inside the container runs as does NOT change; it will always be user 'nobody'. However, the UID and GID are changed for that account to match whatever values the user defined for PUID and PGID.

this is one of my docker images and I can confirm all the images I produce include PUID and PGID to allow you to change the account.

Hello Binhex,

first of all thank you for the awesome work you do with your containers!

I've tried to do the following to start your container as a specific user (without luck).

- Created a user in unraid with name: svc_makemkv with UID=1012
- In the docker template I have then configured: PUID=1012; GUID=100
- started the container
- checked with: "docker exec -it binhex-makemkv whoami" and I get ROOT, and I should get "NOBODY"

I had the suspicion that the container wasn't started with the user SVC_MAKEMKV because I had access to the folders (but the user SVC_MAKEMKV had no rights).

Also how should I check if the container runs with the desired account? (which command line?)

What am I doing wrong here?

Edited by TDA
Link to comment
17 minutes ago, binhex said:

that's because by default the account used for docker exec is user 'root'.

one thing to note here is that the account NAME that the process inside the container runs as does NOT change; it will always be user 'nobody'. However, the UID and GID are changed for that account to match whatever values the user defined for PUID and PGID.

4 minutes ago, TDA said:

I've tried to do the following to start your container as a specific user (without luck).

Read what was said above.

Link to comment
Just now, BRiT said:

Read what was said above.

Yes, and how should I check if the container is using the correct user? Because the container has access to files that are visible only to the root user.

Or on unraid can every user see and write wherever he wants?

Link to comment
1 minute ago, TDA said:

checked with: "docker exec -it binhex-makemkv whoami" and I get ROOT, and I should get "NOBODY"

no, it's:

docker exec -u nobody -it <name of container> whoami

 

3 minutes ago, TDA said:

I had the suspicion that the container wasn't started with the user SVC_MAKEMKV because I had access to the folders (but the user SVC_MAKEMKV had no rights).

if you are changing the account after having created the config files then you will need to also delete the file /config/perms.txt and restart the container, this will then reset permissions for the new puid/pgid values.

Link to comment
1 minute ago, TDA said:

Yes, and how should I check if the container is using the correct user?

once you have the above done then any files/folders created will be for that user. You can check this via a quick ssh to the host: go to the config folder and issue the command ls -al to see the permissions set; they should be for the user you defined.

Link to comment
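A small script, added here as an example and not part of any post in this thread or of the binhex images, that turns the two checks binhex describes (the numeric uid/gid of the 'nobody' account inside the container, and the ownership of the config folder) into a pass/fail test. The container name and the expected PUID/PGID are arguments you supply; it assumes the image has GNU `stat` and that the config volume is mounted at /config.

```shell
#!/bin/sh
# Added example (not from the thread or the binhex images). In a PUID/PGID-aware
# image the app runs as the account 'nobody', whose uid/gid are remapped to
# PUID/PGID, so `id nobody` inside the container and the ownership of /config
# are what to inspect, not `whoami` under docker exec (which runs as root).

# Parse an `id` line such as "uid=1012(nobody) gid=100(users) groups=100(users)"
# and print "<uid> <gid>"; prints nothing if the line is not in that shape.
parse_id_line() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)([^)]*) gid=\([0-9][0-9]*\)(.*$/\1 \2/p'
}

# Return 0 when the ids in an `id` line equal the expected PUID ($2) and PGID ($3).
ids_match() {
    parsed=$(parse_id_line "$1")
    [ -n "$parsed" ] || return 1
    [ "${parsed%% *}" = "$2" ] && [ "${parsed##* }" = "$3" ]
}

# Live check against a running container (needs docker on the Unraid host).
# Usage: check_container binhex-makemkv 1012 100
check_container() {
    container=$1; puid=$2; pgid=$3
    # docker exec runs as root by default; ask for the 'nobody' account's
    # numeric ids instead of the name of the exec session's user.
    line=$(docker exec "$container" id nobody) || return 2
    if ! ids_match "$line" "$puid" "$pgid"; then
        echo "MISMATCH: 'nobody' is '$line', expected uid=$puid gid=$pgid" >&2
        return 1
    fi
    # /config should be owned by PUID:PGID once the container has (re)started;
    # if the ids were changed later, delete /config/perms.txt and restart.
    owner=$(docker exec "$container" stat -c '%u %g' /config) || return 2
    if [ "$owner" != "$puid $pgid" ]; then
        echo "MISMATCH: /config is owned by $owner, expected $puid $pgid" >&2
        return 1
    fi
    echo "OK: $container runs 'nobody' as $puid:$pgid and owns /config"
}
```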
3 minutes ago, binhex said:

once you have the above done then any files/folders created will be for that user, you can check this via a quick ssh to the host, go to the config folder and issue command ls -al to see permissions set, they should be for the user you defined.

Aha, now it's all clear as water from the swiss mountains 🙂

I've checked and it seems that I've set up makemkv and the other containers in the correct way.
I don't fully understand why the user svc_makemkv has access to /mnt/cache/Downloads, which is a share where svc_makemkv has no access.

Link to comment