Do I need to replicate all 'users' within a jail? #52
-
|
Hi! I currently run a whole bunch of docker containers on SCALE. Each container (service) has it's own dedicated user, with appropriate permissions for accessing the relevant bind-mount datasets. i.e. reverseproxy (UID 1115), homeassistant (UID 1116), jellyfin (UID 1117), etc - with each container having the relevant user/groups specified such that the containers do not run as root. Does this mean that if I migrate over to jailmaker when I upgrade to Cobia, I will need to replicate all of those users (with the same UID/GID) within jailmaker to ensure that access to mounted files will be preserved? Essentially, a 'clone' of the base SCALE users I have set up? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
|
I don't think you need to create those users in the jailmaker 'jail'. If you use Docker inside the jail to run your containers with specific UIDs (e.g. 1115 for your reverse proxy) the container should be able to access the corresponding files provided you make them available by bind mounting. I'd say try it out in a VM before you attempt the migration. Or you could already experiment with jailmaker on your current SCALE version. Jailmaker should be able to run alongside what you already have running. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks mate. So to confirm, I can still use |
Beta Was this translation helpful? Give feedback.
-
|
Yes I think so. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you 😄 |
Beta Was this translation helpful? Give feedback.
-
|
As a rule of thumb create the users where they will be primarily used and managed. If you plan to exclusively use that user inside the jail then create it within the jail, if you want to manage the user and access the files through the TrueNAS UI then create the user in TrueNAS. |
Beta Was this translation helpful? Give feedback.
-
|
Side note. In order to run a process with a specific UID you don't need to have created a corresponding user (in the /etc/passwd file). Additionally it may be possible to bind mount (read only) the /etc/passwd inside the jail to make all host users available but I'm not sure if that's a good idea. |
Beta Was this translation helpful? Give feedback.
-
|
yeah definitely not a good idea. The whole point of jails is segregation of critical files for security. Reintroducing them for convenience defeats that purpose. |
Beta Was this translation helpful? Give feedback.
I don't think you need to create those users in the jailmaker 'jail'. If you use Docker inside the jail to run your containers with specific UIDs (e.g. 1115 for your reverse proxy) the container should be able to access the corresponding files provided you make them available by bind mounting. I'd say try it out in a VM before you attempt the migration. Or you could already experiment with jailmaker on your current SCALE version. Jailmaker should be able to run alongside what you already have running.