Permissions for Persistent Storage Volumes

Some of the Docker containers read/write data to persistent storage volumes. They read/write using the UID/GID of the entrypoint process in the container.

Expected behavior

To allow for better access and administration of the files in these volumes, containers should ideally:

  1. Create files/directories with the owning group set to servlets
  2. Use a umask of 007: grants read/write permission to the owner and the servlets group.
  3. Set the setgid bit on directories (i.e. 2770 chmod(8) value)

Implementation

The UID and GID of the container actually does not matter as long as the umask(2) of the container's process can be set. LinuxServer.io containers allow setting the umask using the UMASK environment variable.

To ensure files are created with the servlets GID, the root directory of each volume should have the SetGID bit set. This will ensure that files and directories created within the volume inherit the GID of their parent directory.

Services can have their own users on the host, or they can run as root. The UID/GID of the container does not matter as long as the umask is set. If it is not possible to specify a umask, run the container using the servlets GID. If using a custom UID, add the user to the servlets group.


Revision #1
Created 20 August 2022 20:30:29 by Kian Kasad
Updated 23 August 2022 17:35:27 by Kian Kasad