Docker rootless: how to set it up, to have proper file permissions for remote editing?

How do I configure the Docker container so that the user who runs Docker can edit the files on the mounted volumes?
Main goal: edit configuration files of openHAB from remote machines (mainly VS Code using remote-fs).

The openhab container creates an additional user and group inside the container (name: ‘openhab’), which runs OH and owns the configuration files. On every start of the container, the ownership of all files and directories is set to openhab:openhab. That user ‘openhab’ (more specifically: the user ID) is not known on the host, and the config files are chmod 644.

Background:
I did start using docker some time ago. It really streamlined my homelab setup and its maintenance.

openHAB still runs on a Raspberry Pi (openHABian, and it is still 2.5…). I want to migrate to OH3 and Docker.

Because I’ve always heard Docker has its security issues, as it runs as root, I started using rootless Docker right from the beginning.

Review the environment variables that you can set when running the container. One of them lets you specify the UID and GID used by the openhab user inside the container.


I briefly looked at these settings. It interferes with the user that runs the Docker container (uid 1000) on the host. When I set the uid via env to 1000 as well, it throws an error. Both users (root, openHAB) cannot be mapped to the same ID.

Do I do something wrong?

I don’t know because I don’t know your user environment. If it won’t work to map it to 1000, try creating a new user on your host and map that UID/GID to the container.

But beware that I think the openHAB image expects that it’s initially started as root, because it does some root-level operations inside the container prior to starting openHAB as the lower-level user (including creating that lower-level openhab user inside the container in the first place). Perhaps that’s causing problems.

You are veering pretty far off the standard openHAB Docker deployment, so you will likely be largely on your own. You might have to build your own custom image with a different approach in entrypoint.sh.

But just to be clear, you’ve set the environment variable (-e option) not the docker user (--user option).

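Before picking a UID/GID for the container, it helps to see where rootless Docker actually lands container uids on the host. This is an added example, not code from the thread or from the openHAB image: it assumes a hypothetical host user `homelab` (uid 1000) running rootless dockerd and a constructed `/etc/subuid` line; the mapping rule itself is the one rootless Docker (RootlessKit) applies, container uid 0 to the host user and container uids 1..count to the user's subuid range.

```shell
#!/bin/sh
# Added example: rootless Docker maps container uids through the host user's
# /etc/subuid range. Values below are constructed; on a real host use `id -u`
# and `grep "^$(id -un):" /etc/subuid`.
ROOTLESS_USER=homelab                  # hypothetical host user running rootless dockerd
ROOTLESS_UID=1000                      # its host uid
SUBUID_SAMPLE="homelab:100000:65536"   # constructed /etc/subuid content

# Print "start count" of the subuid range assigned to user $1 in subuid text $2.
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# Host uid that owns a file written by container uid $1.
# Container uid 0 is the rootless host user itself; container uid N>=1 is
# start+N-1 of the subuid range; anything beyond the range cannot exist.
host_uid_for_container_uid() {
    set -- "$1" $(subuid_range "$ROOTLESS_USER" "$SUBUID_SAMPLE")
    cuid=$1 start=$2 count=$3
    if [ "$cuid" -eq 0 ]; then
        echo "$ROOTLESS_UID"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        echo unmappable; return 1
    fi
}

# Inverse: the container uid to give the service user so that its files show
# up on the host as uid $1. Only the rootless user's own uid and its subuid
# range are reachable; any other host login user (e.g. 1001) is not.
container_uid_for_host_uid() {
    set -- "$1" $(subuid_range "$ROOTLESS_USER" "$SUBUID_SAMPLE")
    huid=$1 start=$2 count=$3
    if [ "$huid" -eq "$ROOTLESS_UID" ]; then
        echo 0
    elif [ "$huid" -ge "$start" ] && [ "$huid" -lt $((start + count)) ]; then
        echo $((huid - start + 1))
    else
        echo unmappable; return 1
    fi
}

# Demo: a config file owned by container uid 9001 appears on the host as uid 109000,
# while a second host login user (1001) is outside everything the container can reach.
echo "container uid 9001 -> host uid $(host_uid_for_container_uid 9001)"
echo "host uid 1001 -> container uid $(container_uid_for_host_uid 1001 || true)"
```

Run `ls -ln` on the mounted volume to compare the numeric owners you see there with what the functions predict for your own subuid line.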

Yes. I’ll double check this.

When using a second user on the host, I’ll need to use that user to edit files because of 644. While writing this, I am starting to accept this as a neat workaround. Thanks!

@chris400 I have recently migrated to OH3 on Oracle Linux 8 with SELinux enforcing. Like you, I am running the container rootless.

Everything seemed to be working fine until I updated to chrony on the host.

At which point the /etc/localtime file (symlink to the actual timezone file) stopped allowing lsetxattr (for SELinux) when starting the container. I assume you are running on a host that does not have SELinux enforcing or AppArmor.

Regrettably, my only fix is to change ownership of /etc/localtime from root to openhab. This is not ideal.

I assume one of the reasons you are running a rootless container is for security purposes. If so, I was wondering if you are using other security features like SELinux/AppArmor, and/or systemctl --user to manage it, and if you have encountered something similar to the issue I am describing above…

Thanks