Hi everyone,
I’m experiencing a puzzling ACL issue and could use some guidance. I have a dataset that is shared over SMB that I want to serve as the primary location for my Docker bind mounts, e.g. config directories, downloads, and so on. I like the convenience of being able to manage my config files or downloads directly on my Windows system, so this setup would be ideal, but it’s turning into an ACL nightmare! I keep getting seemingly arbitrary “permission denied” errors for certain containers - arbitrary in the sense that I’ll have two containers with seemingly similar functionality and directory structure, but one will throw a permission denied error writing to the config directory, while the other will happily chug along doing so. Here are some of the details:
- I am a homelabber, so this is a single-user/administrator system with minimal security needs beyond the essentials.
- The dataset is owned by a non-root user with full admin privileges, as per the TrueNAS documentation guidance on SMB ACL tuning.
- I manage all my containers through docker compose files. I’d like to bind-mount the dataset directly, e.g. `/mnt/tank/dataset/app/config:/config`. I have had some success with adding an authenticated CIFS volume, but that approach feels clunky and requires passing the SMB user/password as variables to every container, which I don’t like.
- I generally run the containers without specifying a user, but occasionally the problem has been solved by specifying `user: '0:0'` (which is confusing because I thought docker runs as root by default, so why does that make a difference?).
- I’ve already tried the obvious thing here, which is to set the user to the one that owns the dataset, but then I just run into other permission issues for things that apparently want to run as root.
- Analyzing the ACL properties of certain objects on the dataset has shown some strange things - some are owned by root, some are owned by the dataset owner, and if I create a directory while working with the dataset in Windows, it is in group `911`, which…does not exist on my system! However, that group does not seem to be causing problems, oddly enough.
I’m looking for a general solution here, not an ad-hoc per container solution. I’d like to have a simple, uniform approach to this that will not require working out permissions for every single container I make, because it really is a headache! As you can probably tell, my understanding of ACL is weak, and I’ve really tried to read the documentation on it, but have been unsuccessful. Any advice would be greatly appreciated, thank you!
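An added example (not from the post above, and not TrueNAS or Docker project code) for the "why does `user: '0:0'` matter" question: a container only runs as root if the image does not switch to another user, and many images drop to a fixed non-root uid/gid at start-up regardless of what compose says (the LinuxServer.io family, for instance, defaults to PUID/PGID 911). The script below predicts, from a bind-mount source directory's owner, group and POSIX mode bits, whether a given container uid:gid will be allowed to write there, and prints one row per mount so mismatches can be spotted before a container fails. It assumes GNU `stat` (Linux) and it deliberately checks only mode bits: the NFSv4/POSIX ACLs that TrueNAS applies to SMB datasets are not consulted, and root's bypass of mode bits holds for local filesystems but not necessarily for CIFS mounts, where the server decides. The service names, uids and paths in `demo` are constructed sample values.

```shell
#!/bin/sh
# Added example: predict write access for a container uid:gid on a bind-mount source.
# Assumes GNU stat. Checks POSIX mode bits only; ACLs are ignored (see lead-in).

# can_write DIR UID GID -> prints "yes" or "no"; exit status 0 for yes, 1 for no.
can_write() {
  dir=$1; uid=$2; gid=$3
  owner=$(stat -c '%u' "$dir")
  group=$(stat -c '%g' "$dir")
  perms=$(stat -c '%A' "$dir")        # e.g. drwxr-x---
  # root bypasses mode bits on a local filesystem (not necessarily on SMB/NFS).
  if [ "$uid" -eq 0 ]; then echo yes; return 0; fi
  if [ "$uid" -eq "$owner" ]; then
    bit=$(printf '%s' "$perms" | cut -c3)   # owner write bit
  elif [ "$gid" -eq "$group" ]; then
    bit=$(printf '%s' "$perms" | cut -c6)   # group write bit
  else
    bit=$(printf '%s' "$perms" | cut -c9)   # other write bit
  fi
  if [ "$bit" = "w" ]; then echo yes; return 0; fi
  echo no; return 1
}

# report_mounts: reads "service uid gid dir" lines on stdin and prints one row each,
# showing the uid:gid the container actually runs as next to the directory's answer.
report_mounts() {
  while read -r service uid gid dir; do
    [ -z "$service" ] && continue
    verdict=$(can_write "$dir" "$uid" "$gid" || true)
    printf '%-8s uid=%-4s gid=%-4s %-45s write=%s\n' \
      "$service" "$uid" "$gid" "$dir" "$verdict"
  done
}

# demo: constructed directory tree standing in for /mnt/tank/dataset/<app>/config.
# app-a is group-writable (775), app-b is owner-writable only (755).
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/app-a/config" "$root/app-b/config"
  chmod 775 "$root/app-a/config"
  chmod 755 "$root/app-b/config"
  me=$(id -u); mygrp=$(id -g)
  printf '%s\n' \
    "app-a 0 0 $root/app-a/config" \
    "app-a 911 911 $root/app-a/config" \
    "app-b 911 911 $root/app-b/config" \
    "app-b $me $mygrp $root/app-b/config" | report_mounts
  rm -rf "$root"
}

# Run the demo only when executed directly, not when sourced for its functions.
case "$0" in */sh|*/bash|sh|bash) ;; *) demo ;; esac
```

The row for uid 911 against a directory owned by the dataset user with mode 755 comes back `no`, which is the shape of failure the post describes; the same directory with `user: '0:0'` comes back `yes`. To see what an image really runs as, `docker compose exec <service> id` shows the effective uid/gid inside the container.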