Run Docker container as non-root user #476
Comments
I've updated my post with additional information. It would be great to hear thoughts on this.
Thanks for converting this into an FR and the detailed discussion of what you're trying to get done -- I think it makes sense for Backrest to try to adopt the UID= and GID= env vars convention established by linuxservers.io, we can definitely do something like this in a future release. This issue might be an easy starter PR if anyone has interest in adding an entrypoint wrapper.
I found the Restic docs for running full backups without root. They're hidden away in the examples section; https://github.com/restic/restic/blob/master/doc/080_examples.rst#full-backup-without-root It suggests adding the extended attribute
Has this been implemented yet by chance?
It hasn't -- most of the work here is in testing the docker build and validating that permissions work correctly in a variety of contexts.
Just to add some context to this, I believe this is the reason I'm not able to restore any snapshots running the Docker container on Unraid. I get the error
The mounted /backup folder is owned (on the host) by
Is your feature request related to a problem? Please describe.
I'm running Backrest in Docker. When it writes new files in bind mounts /data, /config, /cache, /repos, all files are owned by root. When restoring files, Backrest creates a folder with the original file inside. The original file retains its correct owner/permissions but the folder Backrest places the backup in is owned by root.
Describe the solution you'd like
PUID and PGID so bind mounts (/data, /config, /cache, /repos) have the same owner as my host.
/userdata regardless of USER:GROUP and permissions. This would need to run as root or by giving the mapped user elevated permissions (--privileged, --cap-add, etc ??).
USER:GROUP and permissions. This is currently the case but it would be good if the folder Backrest makes to write the restored file to is owned by the mapped user.
docker <container-name> stop) without getting permission denied. Either run as root or add the mapped user to the Docker group inside the container or by giving the mapped user elevated privileges.
It's common for a container to have an entrypoint.sh script that includes something like;
Additional context
Ultimately, most containers don't need to run as root but something like a backup tool is different. There will very often be situations where you're backing up files not owned by a specific user or with restrictive permissions. However, maybe there are lots of things the container can just run as non-root? It feels safe to assume that /data, /config, /cache, /repos should be owned by the host user (PUID:PGID) and not root. Also, any services that don't need to run as root, shouldn't. On the other hand, access to /userdata would require root access or privileged access unless you could guarantee all files are owned by a specific user (often not the case and would probably lead to user confusion with lots of permission issues).
I lack the knowledge to understand how I can both run the Backrest container as a specific non-root user whilst also letting the container read/write data owned by different users (including root) that may also have restrictive permissions (600). I also don't understand the impact of this on running commands like docker <container-name> stop etc.
Hopefully this is simple without requiring granting any extended capabilities or privileges but I'm afraid that's beyond my understanding.
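An added example, not part of the issue and not Backrest's own code: an entrypoint wrapper following the PUID/PGID convention the request describes. It assumes su-exec is installed in the image and that the state directories are the four bind mounts named in the issue; /userdata is left untouched, so reading files owned by other users is not addressed here.

```shell
#!/bin/sh
# Added example, not Backrest's own entrypoint: PUID/PGID wrapper.
set -eu

# The four state bind mounts named in the issue. /userdata is excluded on
# purpose: re-owning it would change the ownership the backup should record.
STATE_DIRS="${STATE_DIRS:-/data /config /cache /repos}"

# Accept only plain decimal IDs, so "-1", "root" or "0;x" never reach chown.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "uid:gid" taken from PUID/PGID (default: the current user), or fail.
target_ids() {
    uid="${PUID:-$(id -u)}"
    gid="${PGID:-$(id -g)}"
    valid_id "$uid" && valid_id "$gid" || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# True when the top-level owner of directory $1 differs from "uid:gid" in $2.
needs_chown() {
    [ "$(stat -c '%u:%g' "$1")" != "$2" ]
}

main() {
    ids="$(target_ids)" || { echo "invalid PUID/PGID" >&2; exit 64; }
    # Started unprivileged (e.g. docker run --user): nothing to fix or drop.
    if [ "$(id -u)" -ne 0 ]; then exec "$@"; fi
    for d in $STATE_DIRS; do
        [ -d "$d" ] || continue
        # Checking the top level first avoids a recursive chown on every start.
        if needs_chown "$d" "$ids"; then chown -R "$ids" "$d"; fi
    done
    if [ "$ids" = "0:0" ]; then exec "$@"; fi
    # Assumption: su-exec is installed in the image; it execs the command
    # as uid:gid without leaving a root parent process behind.
    exec su-exec "$ids" "$@"
}

# Docker passes the image CMD as arguments; with none there is nothing to run.
if [ "$#" -gt 0 ]; then main "$@"; fi
```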