Portainer creates dirs and files as root

Hi!

I have Openmediavault installed on a custom NAS.
On this host, I created a user “dockeruser” with uid 1001 and gid 100 (users).
As a good security practice, I want to use this user to run all my containers, to be sure that files & dirs created by the containers on the host are owned by this user and not by the root user.

First I deployed Portainer container using Docker Compose service in Openmediavault.
Here is the docker-compose file:

services:
  portainer-ee:
    networks:
      - wolvenet
    ports:
      - '8000:8000'
      - '9000:9000'
    container_name: portainer
    environment:
      # intended to make Portainer run as dockeruser (uid 1001, gid 100 "users")
      - PUID=1001
      - PGID=100
      - TZ=Europe/Paris
    restart: always
    volumes:
      # host Docker socket, so Portainer can manage the host's containers
      - '/var/run/docker.sock:/var/run/docker.sock'
      # persistent Portainer data (stacks end up under /data/compose)
      - '/srv/dev-disk-by-uuid-a8170b8f-7d4d-4d2a-8c35-3fb1a4aa33f8/docker-share/appdata/portainer/portainer_data:/data'
    image: 'portainer/portainer-ee:latest'
networks:
  wolvenet:
    external: true

And then, I deploy my container with docker-compose Stack in Portainer.

My problem is that when I deploy or update a Stack in Portainer, the docker-compose.yml file and directories created in /portainer_data/compose are owned by root.

As I used "PUID=1001" and "PGID=100" to deploy Portainer, why is Portainer using the root user to create the docker compose files and dirs?

If you use the paid "Enterprise Edition", then you might just ask the company.

Have you tried using user: instead of environment?

Thanks for the reply.
I'm on the Free Business Edition (which doesn't include support), but here is what the Portainer AI agent says:

Why is Portainer using the root user to create docker-compose files on my host?

Portainer interacts with Docker through the Docker API, which is exposed via the Docker socket (/var/run/docker.sock). By default, this socket is owned by the root user, and therefore any operation that Portainer performs through this socket (such as creating Docker Compose files) is performed as the root user.

Ok, so I can't prevent Portainer from using the root user to create docker-compose files.
But those files/dirs are still owned by the 100 (users) group, so I have some hope that my dockeruser (1001), which is part of this group, can access those files/dirs.
But new problem: here are the permissions on those files/dirs:

drwx--S--- 3 root       users 4096 25 Jun  17:09 15

So no permissions for the group owner.

With that, is there any solution for my dockeruser to be able to access the files/dirs created by Portainer?

You should be able to run Portainer as non-root by placing a docker-socket-proxy in between, which handles the connection to the socket on the host.

With a docker-socket-proxy you of course introduce another component: you need to trust the author, make sure it is maintained, and you potentially increase the attack surface.
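Putting the two suggestions from this thread together (the earlier reply's "user:" directive and the docker-socket-proxy in front of the host socket), here is an added example compose file. It is not from the original thread and not Portainer's or the proxy author's own configuration. It assumes the tecnativa/docker-socket-proxy image, the same dockeruser (uid 1001, gid 100) and data path as in the question, that the host data directory has been chown'ed to 1001:100 beforehand, and that Portainer's -H flag is used to point it at the proxy over TCP instead of the local socket. The list of allowed API sections is a starting point and may need widening for features you use; it has not been validated against a particular Portainer release.

```yaml
services:
  # Only this container touches the host socket. It still runs as root,
  # but it exposes a filtered Docker API on an internal network and
  # publishes no ports to the host.
  socket-proxy:
    image: tecnativa/docker-socket-proxy:latest   # assumption: this proxy implementation
    container_name: socket-proxy
    restart: always
    environment:
      # Each variable enables one Docker API section; anything left at 0 is denied.
      - CONTAINERS=1
      - IMAGES=1
      - NETWORKS=1
      - VOLUMES=1
      - INFO=1
      - EVENTS=1
      - PING=1
      - VERSION=1
      - POST=1        # create/start/stop containers, deploy stacks
      - EXEC=1        # only if the Portainer console feature is wanted
      - BUILD=0
      - SWARM=0
      - SYSTEM=0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy-net

  portainer-ee:
    image: portainer/portainer-ee:latest
    container_name: portainer
    restart: always
    # Run the Portainer process as dockeruser, so everything it writes under
    # /data (including /data/compose) is created as 1001:100, not root.
    user: "1001:100"
    # Talk to the proxy over TCP; no host socket is mounted in this container.
    command: -H tcp://socket-proxy:2375
    environment:
      - TZ=Europe/Paris
    ports:
      - '8000:8000'
      - '9000:9000'
    volumes:
      # Assumption: this host directory was chown'ed to 1001:100 before first start.
      - '/srv/dev-disk-by-uuid-a8170b8f-7d4d-4d2a-8c35-3fb1a4aa33f8/docker-share/appdata/portainer/portainer_data:/data'
    networks:
      - socket-proxy-net
      - wolvenet
    depends_on:
      - socket-proxy

networks:
  # Internal network: reachable only by containers attached to it.
  socket-proxy-net:
    internal: true
  wolvenet:
    external: true
```

The point of the split is that the component holding the root-equivalent socket (the proxy) writes nothing to your data share, while the component that writes stack files (Portainer) no longer runs as root. Anything the proxy allows with POST=1 is still effectively root on the host, so keep the enabled sections to the minimum Portainer actually needs.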