Run AIO containers under non-root user

I am installing the NextCloud All In One (AIO) appliance on my Raspberry Pi. I used the following command to install:

sudo docker run --init --sig-proxy=false --name nextcloud-aio-mastercontainer --restart always --publish 8080:8080 --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config --volume /var/run/docker.sock:/var/run/docker.sock:ro --env NEXTCLOUD_DATADIR=/srv/dev-disk/data --env SKIP_DOMAIN_VALIDATION=true --env APACHE_PORT=11000 --env APACHE_IP_BINDING=0.0.0.0 --env PUID=1001 --env PGID=1001 nextcloud/all-in-one:latest

Somehow the container still gets started under the root user in Linux, and all the AIO containers are also run under root.
The problem with that is security: if an attacker gets access to the AIO containers, they can also get root on the full box.
In addition, all files now get written to disk with O=www-data and G=root, which means none of the other users on the device can access the files.

Is there a way to force the containers to run under a less privileged user? And is there a possibility to make sure the files get written under a specified user?

Hi, see all-in-one/docker-rootless.md at main · nextcloud/all-in-one · GitHub

I don’t want to install Docker itself rootless.
I just want the containers to run under a different user.
Normally you can do that by specifying the PUID and PGID in your docker file.
AIO seems to ignore that.

Yes, indeed AIO does not support PUID and also not PGID due to technical reasons.


Thanks, so if I want to run the containers with a non-root user, I should set up my own Dockerfile, I assume?

Thanks for the very quick help! Really appreciated
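
The thread's situation (PUID/PGID passed as environment variables, yet the container still starts as root) can be checked from `docker inspect` output. The following is an added example, not part of the thread or of the Nextcloud AIO project; the `audit` and `audit_all` functions are hypothetical names and the sample JSON is constructed, not captured from a real host.

```python
import json

# Constructed sample in the shape of `docker inspect` output; not taken from the thread.
SAMPLE = json.loads("""
[
  {"Name": "/nextcloud-aio-mastercontainer",
   "Config": {"User": "", "Env": ["PUID=1001", "PGID=1001", "APACHE_PORT=11000"]},
   "Mounts": [{"Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": false}]},
  {"Name": "/example-nonroot",
   "Config": {"User": "1001:1001", "Env": []},
   "Mounts": []}
]
""")

ROOT_NAMES = {"", "0", "root"}


def audit(container):
    """Return a list of findings for one `docker inspect` entry."""
    cfg = container.get("Config", {})
    # Config.User holds the image's USER or the --user override.
    # An empty value means the main process starts as UID 0.
    user = (cfg.get("User") or "").split(":")[0]
    env = dict(e.split("=", 1) for e in (cfg.get("Env") or []) if "=" in e)
    findings = []
    if user in ROOT_NAMES:
        findings.append("starts-as-root")
        # Docker itself does not interpret PUID/PGID; they only take effect
        # if the image's entrypoint reads them and drops privileges.
        if "PUID" in env or "PGID" in env:
            findings.append("puid-pgid-set-but-not-applied-by-docker")
    for mount in container.get("Mounts") or []:
        # A read-only bind mount of the socket file does not limit API calls.
        if mount.get("Source", "").endswith("docker.sock"):
            findings.append("docker-socket-mounted")
    return findings


def audit_all(containers):
    """Map container name to its findings for a full `docker inspect` list."""
    return {c["Name"].lstrip("/"): audit(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or ["ok"])
```

On a real host, pass `audit_all` the parsed JSON from `docker inspect $(docker ps -q)` instead of `SAMPLE`.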