I understand that by setting `PUID` and `PGID` then:
- The container can access files/folders owned by `PUID` and/or `PGID`
- The files the container creates will be owned by `PUID` and/or `PGID`

But, what happens if I only set `PGID` and do not set/pass `PUID`?
- The container can access files/folders owned by `PGID` – which is all that matters
- The files the container creates will have group owner as `PGID` – but what will be the file owner?

And, are there any security implications to any of the combinations?
- Will the container ever be able to access files outside of the volumes passed down? For example, if `PUID` is `1000` and `/home/blah/file` is passed to the container, will the container have access to `/home/blah/...`?
- If I don’t pass `PUID`, will the container be able to go outside of the volume passed down to access files owned by root?
If you don’t set the `PUID` (or the `PGID`) it will be set to `911` by default.
Containers are by default sandboxed and only have access to whatever you define.
If you map `/foo/bar` on host, it will have access to `/foo/bar` inside the container at the mapped internal path, but not `/foo/blah` on host.
Permissions are a different topic.
Got it. Is there any pro/con to doing this?
I’m debating if I actually need to create a new user account or if I can just use the `docker` group. I don’t want to use my main ID.
Doing what exactly?
I feel like we’re hitting the https://xyproblem.info/
Why don’t you tell us what the underlying issue is, rather than ask about what you think may be possible solutions?
What problem do you think using your linux user’s uid would have?
I want there to be a distinction between my user’s files, vs the files my containers create. I want them to have a different UID.
I could create a new `data` user and group, but it doesn’t sound like I need a user, just the group. So I could just create a `data` group, add my user to the `data` group, and pass `data`’s GID to containers.
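The thread above leaves the "what will the file owner be" and "what can the container reach" questions to be reasoned out from ordinary POSIX ownership rules, so here is a small added model of those rules (example code written for this page, not posted by any participant and not part of any container image). It assumes the fallback uid of 911 mentioned in the reply, a hypothetical `data` group with gid 1001, a host user with uid 1000 who is a member of that group, and a container umask of 022; all of those numbers and paths are constructed for illustration. Volume mapping, which the reply covers separately, is not modelled: a file the container cannot see at all is simply never passed in.

```python
# Added example (not from the thread): a small model of POSIX permission checks
# to reason about what a container process running as PUID/PGID can touch.
# All uids, gids, paths and modes below are constructed; 911 is the default the
# reply above mentions, everything else is made up for illustration.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one rwx triplet

@dataclass(frozen=True)
class File:
    path: str
    owner: int   # uid
    group: int   # gid
    mode: int    # permission bits, e.g. 0o664

@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int                          # primary group (what PGID sets)
    groups: frozenset = frozenset()   # supplementary groups

    def in_group(self, gid):
        return gid == self.gid or gid in self.groups

def can(proc, f, want):
    """Classic POSIX check: uid 0 bypasses; otherwise exactly one class applies,
    owner if the uid matches, else group if any of the process's gids match,
    else other. `want` is a bitmask built from R, W and X."""
    if proc.uid == 0:
        return True
    if proc.uid == f.owner:
        bits = (f.mode >> 6) & 7
    elif proc.in_group(f.group):
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want

def create(proc, path, umask=0o022, directory=False):
    """A new file is owned by the creating process's uid and primary gid
    (setgid directories ignored). The umask is an assumption: images differ."""
    base = 0o777 if directory else 0o666
    return File(path, proc.uid, proc.gid, base & ~umask)

DATA_GID = 1001   # constructed: gid of a hypothetical `data` group
HOST_UID = 1000   # constructed: the host user's uid

# Container started with PGID=DATA_GID and no PUID: uid falls back to 911.
container = Proc(uid=911, gid=DATA_GID)
# Host user, a member of the data group.
host_user = Proc(uid=HOST_UID, gid=HOST_UID, groups=frozenset({DATA_GID}))

def scenarios():
    new = create(container, "/config/app.db")  # what the container writes
    host_shared = File("/data/shared", HOST_UID, DATA_GID, 0o660)
    host_private = File("/data/private", HOST_UID, DATA_GID, 0o600)
    # A root-owned file only matters if it sits inside a mapped volume;
    # outside a volume the container never sees it at all.
    root_file = File("/data/root-only", 0, 0, 0o600)
    return {
        "created_owner": (new.owner, new.group, oct(new.mode)),
        "host_can_read_created": can(host_user, new, R),
        "host_can_write_created": can(host_user, new, W),
        "container_rw_group_file": can(container, host_shared, R | W),
        "container_reads_0600": can(container, host_private, R),
        "container_reads_root_0600": can(container, root_file, R),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Two things fall out of the model. First, with only `PGID` set, files the container creates are owned by the fallback uid (911 here) with the `data` group, so the host user in that group only gets whatever the group bits allow; with a 022 umask that is read but not write. Second, sharing a group gives the container access only to files whose group bits grant it, and nothing about group membership lets a uid 911 process read a root-owned 0600 file, even inside a mapped volume.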