Duplicati: Access errors associated with UID:GID 1000:1000

I have Duplicati (latest) running on Raspberry Pi OS (Bookworm, latest) with a docker container.

I want to use Duplicati to back up all my docker-related directories (compose files + volumes). All these folders/files are located within the home directory /home/username:

/username
  /docker
    /compose
      /app/compose.yaml
    /volumes
      /app/various created volume files

If I accept the standard - PUID=1000; - PGID=1000 as suggested in the compose file for Duplicati, I run into access errors for all volumes for installed apps simply because they are not owned by the user. Some folders/files are owned by root, others by some other user created by the app (e.g., PiHole). I get warning errors, of which the following is an example:

    2024-10-28 23:52:29 +00 - [Warning-Duplicati.Library.Main.Operation.Backup.FileEnumerationProcess-FileAccessError]: Error reported while accessing file: /source/home/username/docker/volumes/adguard/work/data/
    UnauthorizedAccessException: Access to the path '/source/home/username/docker/volumes/adguard/work/data' is denied.

If I ignore UID:GID settings, Duplicati runs as a default 911:911, which seems to be the docker group. However, this group does not have access privileges to the folders/files within the username directory so a backup task cannot be created because no source subfolders are visible.

If I specify UID:GID of 0:0 (i.e., root), there are no access issues and the entire filesystem is accessible. But this seems a bit extreme, perhaps with security implications. There are very few other posts on this topic; the duplicati image is different from linuxserver’s and does not use what seems to be a linuxserver specification of UID:GID 1000:1000.

I cannot change the ownership of folders/files within the app-created volumes without running into other problems. So is it root access after all?

I’d appreciate some advice.
Thanks,
Ric

this is not a suggestion, it’s a placeholder, you are supposed to input a proper uid and gid, based on how you need/want your permissions setup. This is explained in the container readme.

if it is the docker group on your system, this is purely coincidence, the use of 911:911 is to inform us, via your logs, that you didn’t follow instructions.

it is expected that if your selected uid/gid cannot access files, you will encounter errors. if you cannot or will not ensure files are owned properly, root (unsupported by us, and definitely extreme) is the simplest method to use.

it runs the container and the application as root. we consider this to be a potential security concern and while we have the container run as root, the application runs as the puid/pgid you assign and thus, has access only to the files you’ve given that uid/gid access to.

HTH
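
The access errors in this thread come down to Unix owner/group/other mode bits. As an added example (not from either poster, nor from the Duplicati or linuxserver projects), this Python sketch lists the paths a candidate PUID/PGID could not read before it is put in the compose file. It assumes classic mode bits only (no ACLs) and a caller able to walk the tree; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def can_read(st, uid, gids):
    """Owner/group/other mode-bit check only (assumption: no ACLs in use)."""
    if uid == 0:
        return True  # root bypasses mode bits, which is why 0:0 "just works"
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    need = 5 if stat.S_ISDIR(st.st_mode) else 4  # dirs need r+x to enumerate
    return bits & need == need

def denied_paths(root, uid, gids):
    """Paths under root that uid/gids could not back up, sorted."""
    denied = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not can_read(os.lstat(dirpath), uid, gids):
            denied.append(dirpath)
            dirnames[:] = []  # everything below is unreachable too
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not can_read(os.lstat(path), uid, gids):
                denied.append(path)
    return sorted(denied)

def build_sample_tree():
    """Constructed sample mirroring the docker/compose + docker/volumes layout."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "docker", "compose", "app")
    data = os.path.join(root, "docker", "volumes", "adguard", "work", "data")
    os.makedirs(app)
    os.makedirs(data)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)
    for path, mode in ((os.path.join(app, "compose.yaml"), 0o644),
                       (os.path.join(data, "db"), 0o600)):
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(data, 0o700)  # app-private volume, like the adguard data directory
    return root
```

On a real host, run it as root against the backup source with the IDs you plan to assign, for instance `denied_paths('/home/username/docker', 1000, {1000})`; each path returned needs a group or permission change before a non-root PUID/PGID can back it up.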