Differences

This shows you the differences between two versions of the page.

--- omv7:docker_in_omv [2024/11/10 10:34] – [User and permission management in docker and OMV. More security.] chente
+++ omv7:docker_in_omv [2025/12/08 15:15] (current) – chente
@@ Line 152: / Line 152: @@
 Done. We now have a user //jellyfin// with a primary group //jellyfin// that we can assign to the jellyfin container and we can guarantee that it will only have access to the folders we give it permission to. The //jellyfin// user will not be able to access any other folder on the system since it does not belong to the //users// group. Additionally, the persistent data in the jellyfin container will belong to the //jellyfin// user and the //jellyfin// group, so no other container will be able to access those files either. If we want another user to have access to that persistent data we just have to include it in the //jellyfin// group. Now we have that container perfectly isolated.
-**In this document we will use a single user called //appuser// and created in the GUI, this is enough for 99% of users. Consider your use case and whether or not you need to go further, if you do act accordingly throughout the process.**
+**In this document we will use a single user called //appuser// and created in the GUI, this is more than enough for 99% of users. Consider your use case and whether or not you need to go further. If you do, act accordingly throughout the entire process.**
 ----
@@ Line 286: / Line 286: @@
 Where <b>/srv/dev-disk-by-uuid-9d43cda9-20e5-474f-b38b-6b2b6c03211a/appdata</b> is the absolute path to the <i>appdata</i> folder. You can copy it from the OMV GUI in the STORAGE > SHARED FOLDERS tab in the ABSOLUTE PATH column. When you start the container, Docker will create the <i>jellyfin</i> and <i>config</i> subfolders if they do not exist.<br>
 Later you can see this with examples.
+</tr></table></body></html>
+    *...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#FFB663;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">&#160;
+Warning
+</span></strong></td></tr><tr><td style="background-color:#FFE4A6;height:25px;width:380px;">
+Make sure to create subfolders within each appdata folder for each container folder.<br>
+Don't do this: <b>- /srv/dev-disk-by-uuid-9d43cda9-20e5-474f-b38b-6b2b6c03211a/appdata/jellyfin:/config</b><br>
+If you do this, the persistent data in the config folder will be mixed with the plugin's Docker files, and permissions could change without warning.<br>
+Do this: <b>- /srv/dev-disk-by-uuid-9d43cda9-20e5-474f-b38b-6b2b6c03211a/appdata/jellyfin/config:/config</b><br>
+This way, the permissions will remain as created by the container.
 </tr></table></body></html>
     *...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#2C6700;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">&#160; Advanced configuration.
@@ Line 306: / Line 315: @@
 </span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;">
 If you don't have a fast drive for Docker, you can configure the <i>data</i> and <i>appdata</i> folders in the same shared folder. This will make the CHANGE_TO_COMPOSE_DATA_PATH variable serve to define the path of both. This is how the plugin example files are preconfigured.
+</tr></table></body></html>
+    * ...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#69A5FF;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">&#160; Beginners Info
+</span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;">
+The internal structure described in the "data" folder is unimportant. In this document, a "standard" structure has simply been described for illustrative purposes, so that the reader has a general idea about what the content of that folder may be. You can distribute within that folder any directory tree that you feel comfortable with.
 </tr></table></body></html>
   * CONFIGURE THE DATA FOLDER:
@@ Line 356: / Line 369: @@
 ----
-=== 3. Create appuser ===
+==== 3. Create appuser ====
 If you have read the introduction of this document you already know if the //appuser// user is enough for you or you need something else. If you are happy with this user for some or all of the containers go ahead, otherwise customize it as above.
@@ Line 369: / Line 382: @@
 Don't add <i>appuser</i> to the <i>docker</i> group. This is a security hole.
 </tr></table></body></html>
-  * Edit //appuser// permissions and grant the appropriate permissions on each shared folder. At a minimum //appuser// must have write permissions to the //appdata// folder. Choose the permissions for the rest and make sure to deny anything that the containers do not need to function.
+  * Edit //appuser//'s permissions and grant the appropriate permissions to each shared folder that the containers should be able to access. Persistent configuration data will generally be stored in //appdata//, so we'll give appuser write permissions to the //appdata// folder. It must also have access to the shared folders defined as volumes in the containers. For example, for Jellyfin, this could be the /media folder where movies are stored. Make sure this user only has access to the necessary folders.
   * ...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#69A5FF;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">&#160; Beginners Info
 </span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;">
@@ Line 397: / Line 410: @@
 ----
-=== 4. Global environmental variables ===
+==== 4. Global environmental variables ====
 Global environment variables will be used in the procedure that follows this document.