User Access to Multiple Groups Within Containers

Super new to Docker here. I have done quite a bit of searching on this and seem to come up empty-handed. I have been setting up a containerized media server using Docker Compose in Linux. I have managed to migrate PLEX and Deluge without any major headaches. I also have Jackett, Sonarr, Radarr, and Ombi up and running. The issue I am running into is that my Deluge directories belong to deluge:deluge and my PLEX directories belong to plex:plex. I would like to keep it this way; however, I can only seem to give each container access to one or the other using the PUID and PGID tags in the .yml file.

How can I set up a container using Compose to have access to multiple groups?

Thanks so much for any help.


Docker’s built-in docker run --user allows setting the username or UID (format: <name|uid>[:<group|gid>]), so it does not support what you want.

User mapping based on environment variables (PUID, PGID …) is a feature provided by the maintainer of the image you use. You can try to ask the maintainer of the images to support a list of “other groups” and handle them in their entrypoint script.

… and you can always create your own images based on the original images and extend them with the behavior you need yourself.

Update:
Docker’s built-in docker run --group-add 123 --group-add 124 does support adding the default user to those groups, see: Docker run reference | Docker Docs

But images that use user mapping based on PUID/PGID environment variables will not benefit from --group-add, as containers based on such an image usually start as the root user and only execute the main process with the provided PUID/PGID.


Thanks for the response.

I’m a little surprised that this isn’t something easier to accomplish. Managing user and group properties is one of the things that helps increase the security of Linux. It seems that without creating a new image I have very little control over this, and am forced to give all the media-server-related containers identical user and group access. Currently Deluge does not need access to PLEX files and PLEX does not need access to Deluge files, but Sonarr and Radarr need access to both.

Is there a way to import /etc/passwd and /etc/group from the host into the container, or would this also require creating a new image?

I suppose I should ask if creating a new image is that difficult?

Also, I would like to continue using Compose. If I understand correctly, this is necessary if I need the containers to communicate with each other. Please correct me if I am wrong.

Thanks again

Docker provides the features you are looking for; the image is just not designed to leverage that feature.

It is a courtesy from the image maintainer to bypass Docker’s built-in behavior and implement their own. For your use case, their implementation has a gap. Talk to them.

Give it a try: add a bind volume /etc/passwd:/etc/passwd:ro, and the same with /etc/group. Make sure to add the :ro at the end, otherwise the entrypoint script of your images will mess up the files, as they manipulate those files during container start. Though, you also might render the container nonfunctional with this. It really depends on how the image works.

Running Docker with Compose files is highly recommended. Every docker run argument has an equivalent Compose file attribute; you might want to make it a habit to look things up in the Compose file reference. Anyway, this still won’t be the solution in your situation, as you use images that choose not to rely on Docker’s built-in mechanism to override uid:gid and --group-add.

It would work without Compose as well, but Compose makes it way easier :)
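As an added illustration of the two replies above (this is not a Compose file from the original thread, nor from any image maintainer), the following compose.yaml puts the built-in mechanism (the Compose equivalents of docker run --user and --group-add) next to a PUID/PGID-style image with the read-only /etc/passwd and /etc/group bind mounts. The service names, image names, UIDs/GIDs and host paths are assumptions chosen for the example; substitute your own.

```yaml
# Added example, not from the original thread or from any image maintainer.
# All image names, uids/gids and host paths below are assumptions.
services:

  # Case 1: an image that honours Docker's own user handling (no PUID/PGID).
  # Compose runs the main process as uid:gid 1003:1003 and attaches the
  # supplementary gids listed under group_add, so one container can read
  # both the deluge-owned and the plex-owned trees without running as root.
  sonarr:
    image: example/sonarr            # assumed: an image that does NOT use PUID/PGID
    user: "1003:1003"                # equivalent of: docker run --user 1003:1003
    group_add:                       # equivalent of: --group-add 1001 --group-add 1002
      - "1001"                       # assumed gid of the deluge group on the host
      - "1002"                       # assumed gid of the plex group on the host
    volumes:
      - /srv/downloads:/downloads    # assumed: owned by deluge:deluge (1001:1001)
      - /srv/media:/media            # assumed: owned by plex:plex (1002:1002)

  # Case 2: an image whose entrypoint implements its own PUID/PGID mapping.
  # user: and group_add: do not take effect here, because the container
  # starts as root and the entrypoint drops to PUID:PGID by itself.
  # The :ro bind mounts of the host's /etc/passwd and /etc/group are the
  # experiment suggested in the reply above; :ro stops the entrypoint from
  # rewriting them, but the container may fail to start if the entrypoint
  # needs to create its user at start-up.
  radarr:
    image: example/radarr            # assumed: an image that uses PUID/PGID
    environment:
      PUID: "1003"
      PGID: "1003"
    volumes:
      - /etc/passwd:/etc/passwd:ro
      - /etc/group:/etc/group:ro
      - /srv/downloads:/downloads
      - /srv/media:/media
```

To check what actually happened in case 1, run docker compose exec sonarr id; the output should list gid 1003 plus the supplementary groups 1001 and 1002 (numeric only, because the uid need not exist in the image's own /etc/passwd). Supplementary groups only help if the host directories are group-readable and, where the container writes, group-writable, so check the mode bits on /srv/downloads and /srv/media as well. Numeric gids are the safer choice for group_add; a group name would have to exist in the container's /etc/group, not the host's.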

Thanks again for the help. I was able to bind the passwd and group files in the container. I bashed in and the users and groups all seemed to be good, but I could not connect to the containers anymore. I checked the permissions for the config and media directories and everything looked good. Oh well… for now they are all under one user and it all seems to be working. You have given me more to look into. I may go the route of contacting the maintainer, or just finding a different image.

Thanks again