Portainer creates dirs and files as root

Hi !

I have Openmediavault installed on a custom NAS.
On this host, I created a user “dockeruser” with uid 1001 and gid 100 (users).
As a good security practice, I want to use this user to run all my containers, to be sure that files & dirs created by the container on the host are owned by this user and not root user.

First I deployed Portainer container using Docker Compose service in Openmediavault.
Here is the docker-compose file :

            - wolvenet
            - '8000:8000'
            - '9000:9000'
        container_name: portainer
          - PUID=1001
          - PGID=100
          - TZ=Europe/Paris
        restart: always
            - '/var/run/docker.sock:/var/run/docker.sock'
            - '/srv/dev-disk-by-uuid-a8170b8f-7d4d-4d2a-8c35-3fb1a4aa33f8/docker-share/appdata/portainer/portainer_data:/data'
        image: 'portainer/portainer-ee:latest'
        external: true

And then, I deploy my container with docker-compose Stack in Portainer.

My problem is, when I deploy or update a Stack in Portainer, docker-compose.yml file and directories created in /portainer_data/compose are owned by root :thinking:

As I used “- PUID=1001” and “- PGID=100” to deploy Portainer, why Portainer is using root user to create docker compose files and dirs ?

If you use paid “Enterprise Edition”, then you might just ask the company :wink:

Have you tried using user: instead of environment?

Thanks for the reply.
I’m on Free Business Edition (wich doesn’t include support), but here is what Portainer AI agent says :

Why portainer is using root user to create docker-compose files on my host ?

Portainer interacts with Docker through the Docker API, which is exposed via the Docker socket (/var/run/docker.sock). By default, this socket is owned by the root user, and therefore any operation that Portainer performs through this socket (such as creating Docker Compose files) is performed as the root user.

Ok, so I can’t prevent Portainer using root user to create docker-compose files.
But those files/dirs are still owned by the 100 (users) group so I have some hope that my dockeruser (1001) wich is part of this group, can access thos files/dirs.
But new problem : here are permissions on those files/dirs :

drwx--S--- 3 root       users 4096 25 juin  17:09 15

So no permissions for group owner :sob:

With that, is there any solution for my userdocker to be able to access files/dirs created by Portainer ?

You should be able to run Portainer as non root by placing a docker-socket-proxy in between, which handles the connection to the socket on host.

With a docker-socket-proxy you of course introduce another component, need to trust the author, make sure it is maintained, potentially increase attack surface.