I'm currently setting up a Docker environment with bind-mounted directories for my downloaded files, but I'm running into issues with the container creating files with random user and group ownership. I know that I can set the USER in the container to match a host user, but I'm confused about which host user to use. It seems like setting the same user for all containers would be convenient, but if a container gets compromised, it could potentially access all the other containers' data. On the other hand, creating a separate user on the host for each container might be tedious, but it offers better isolation. Is there a preferred option here? Are there other methods I should consider? I've found that I can address some ownership mismatches with user ID mapping while binding directories, but I'd still like advice on the broader setup!
3 Answers
Going rootless can be tricky but effective. Alternatively, you might want to check out user namespace remapping as a less painful solution for managing user permissions across containers.
Just remember that users are identified by their user IDs (UIDs) under the hood. If you have a user with the same ID on your host system, it will act as that same user. I recommend using UIDs instead of usernames for accuracy. If you're looking for a more structured approach, you might want to consider exploring Kubernetes and its permissions system for a larger setup.
I get the technical details for setting the container USER but am really confused about the strategy: should I go for dedicated users for each container or stick to a shared host user?
In an ideal scenario, you would go rootless and assign a distinct user ID for each Docker container without giving it permissions on the host. This approach minimizes risks; if one container gets compromised, it wouldn't be able to access the data of another container. However, in reality, many people use a single user ID for convenience, especially when security is not a top concern. Just remember to limit its privileges on the host OS!
So a high UID:GID like `docker run --user 3000:3000`, which won't conflict with any host users, is the way to go, right?

That's a good point! But still, which UID:GID should be used inside the containers? Is it really better to have one host user for everything or create separate users for each container?
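The "one unprivileged UID per container" setup from the answer above, worked through as an added example (this is not code from the thread or from Docker's own tooling). It gives each container a stable UID from a high range, refuses any UID that already belongs to a real host account, prepares a bind-mount directory that only that UID can read, and prints the `docker run` line so the mapping can be reviewed before anything is started. It also carries the arithmetic the question alludes to for user-namespace remapping: with `{"userns-remap": "default"}` in `/etc/docker/daemon.json`, a container UID N shows up on the host as subuid_start + N, so bind-mounted data must be owned by that remapped UID. The base UID of 30000, the container names, image names and `/srv/downloads` paths are assumptions for illustration.

```bash
#!/bin/sh
# Added example, not from the original thread. Assumes UIDs >= 30000 are
# unused on the host and that the images tolerate running as a non-root UID.

BASE_UID=30000

# Registry of containers -> slot. One dedicated UID per container, never a
# shared one, so a compromised container cannot read a sibling's data.
container_uid() {
    case $1 in
        downloader) slot=1 ;;      # hypothetical container names
        indexer)    slot=2 ;;
        *) echo "unknown container: $1" >&2; return 1 ;;
    esac
    echo $((BASE_UID + slot))
}

# Succeeds only if no host account already uses this UID (collision check).
# $2 lets a caller point at a different passwd file (used for testing).
uid_is_free() {
    uid=$1 passwd=${2:-/etc/passwd}
    [ -r "$passwd" ] || return 1   # cannot check -> treat as taken
    ! awk -F: -v u="$uid" '$3 == u { found=1 } END { exit !found }' "$passwd"
}

# Read "start count" of a user's subordinate UID range from /etc/subuid,
# e.g. the line "dockremap:100000:65536" written for userns-remap.
subuid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }' "${2:-/etc/subuid}"
}

# Host UID that a container UID maps to when userns-remap is enabled:
# start + container_uid, provided it falls inside the range.
remapped_host_uid() {
    start=$1 count=$2 cuid=$3
    [ "$cuid" -lt "$count" ] || { echo "container UID $cuid outside subuid range" >&2; return 1; }
    echo $((start + cuid))
}

# Own the bind-mount directory by exactly this UID:GID and close it to
# everyone else on the host (other containers' UIDs included).
prepare_data_dir() {
    dir=$1 uid=$2 gid=$3
    mkdir -p "$dir"
    chown "$uid:$gid" "$dir"       # needs root (or CAP_CHOWN) on the host
    chmod 0700 "$dir"
}

# Build the docker run line for one container; printed, not executed.
run_cmd() {
    name=$1 image=$2 hostdir=$3 passwd=${4:-/etc/passwd}
    uid=$(container_uid "$name") || return 1
    uid_is_free "$uid" "$passwd" || { echo "UID $uid is taken on the host" >&2; return 1; }
    printf 'docker run -d --name %s --user %s:%s -v %s:/data %s\n' \
        "$name" "$uid" "$uid" "$hostdir" "$image"
}

# Only touch the host when explicitly asked: ./setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    for c in downloader indexer; do
        u=$(container_uid "$c")
        prepare_data_dir "/srv/downloads/$c" "$u" "$u"
        run_cmd "$c" "example/$c" "/srv/downloads/$c"
    done
fi
```

Without userns-remap the container UID is the host UID, so `--user 30001:30001` plus a directory owned by 30001 is enough and no host account needs to exist. With userns-remap on, keep the same per-container `--user` but chown the bind mount to `remapped_host_uid` instead; otherwise the files land back in the "random owner" situation the question describes.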