Brief post about Docker permissions

So I run Docker inside of a pair of VMs based on Debian 11. I mount an SMB share that is stored on the ZFS pool that is managed by the Proxmox host, which is where all of the Docker configs live.

The reason why this is important is that on one VM, permissions are not an issue and files can just write and they work without issue. On the other VM, since I run things like the UniFi controller, permissions can get fiddly. Just having everything set to 0777 doesn’t work, so I had to make sure that the UniFi controller specifically launched with the UID (user ID) of the domain user that is given permission to handle Docker things.

Spent probably an hour chasing it down. I ended up also setting the fstab to mount with that user’s UID and GID on top of it all, just to be consistent across the board. From a security point of view this is the best way to handle everything because now only root and the domain user can modify files from inside the VM. I don’t have the VM doing anything else, so it’s a non-issue operationally, if I never get hacked. Due to the nature of the VM, the odds of it getting hacked are pretty small, especially since most of what it is running doesn’t contact the outside world. But it is technically still possible, so limiting the risk is a good idea.
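As an added example (not from the original post), here is a small Python check that the `uid`/`gid` options on the CIFS entries in an fstab match the UID/GID the container runs as, and that the mount's file and directory modes are not world-writable. The sample fstab content, the server and share names, the paths and the UID/GID 1105 are constructed placeholders.

```python
# Constructed sample /etc/fstab content; server, share and paths are placeholders.
SAMPLE_FSTAB = """\
# <fs> <mountpoint> <type> <options> <dump> <pass>
//nas.example/docker /srv/docker cifs credentials=/root/.smbcred,uid=1105,gid=1105,file_mode=0660,dir_mode=0770 0 0
//nas.example/media /srv/media cifs credentials=/root/.smbcred,file_mode=0777,dir_mode=0777 0 0
UUID=0000-0000 / ext4 errors=remount-ro 0 1
"""

def parse_options(field):
    """Turn 'a=1,b,c=2' into {'a': '1', 'b': None, 'c': '2'}."""
    opts = {}
    for item in field.split(","):
        key, sep, value = item.partition("=")
        opts[key] = value if sep else None
    return opts

def audit_cifs_mounts(fstab_text, container_uid, container_gid):
    """Return {mountpoint: [findings]} for every cifs entry in fstab_text."""
    report = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 4:
            continue
        if fields[2] != "cifs":
            continue
        opts = parse_options(fields[3])
        findings = []
        # Ownership presented by the mount should match the container's user.
        for key, expected in (("uid", container_uid), ("gid", container_gid)):
            value = opts.get(key)
            if value is None:
                findings.append(f"{key} not set")
            elif value != str(expected):
                findings.append(f"{key}={value}, container runs as {expected}")
        # Modes are octal strings; bit 0o002 means "writable by others".
        for key in ("file_mode", "dir_mode"):
            mode = opts.get(key)
            if mode is None:
                findings.append(f"{key} not set")
            elif int(mode, 8) & 0o002:
                findings.append(f"{key}={mode} is world-writable")
        report[fields[1]] = findings
    return report

if __name__ == "__main__":
    for mountpoint, findings in audit_cifs_mounts(SAMPLE_FSTAB, 1105, 1105).items():
        print(mountpoint, "OK" if not findings else "; ".join(findings))
```

The check compares numeric IDs only; a `uid=` given as a user name would need to be resolved to a number first.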
