Hi,
I’ve just migrated my data from a Synology DS918+ that abruptly died and am trying to grapple with the much more complex permissions model.
I’m attempting to run containers with Podman in a jailmaker. I thought the best practice was having a user per container so that each container has access to only what it needs to. Hence, I have the following data set structure:
podman
  data
    traefik
    Plex
    ...
  stacks
So each container gets its own data set. They use NFSv4 ACLs.
I created a podman user that maps to a non-root user in the jail that I use to run my containers, similar to this comment from Jailmaker discussions. It owns the podman data set; everything works as expected there.
I created a traefik user and granted access to it via ACL to the traefik dataset only. My intention was to use the mapped uid of that user as the user for the container. However, when I try accessing the data as that user via SSH in the jail, it has no access despite the ACLs being set.
Do ACLs that grant other users access outside the standard POSIX permissions not get respected on the command line? If not, what is the usual practice for having separate users for containers?
I’m generally extremely confused by how the different types of permissions interact, and the documentation doesn’t explain this.
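As an added illustration (not part of the post above, and not a diagnosis of this particular setup), the following Python models how an NFSv4 ACL is evaluated: entries are walked in order, allow bits accumulate, a deny on a still-undecided bit is final, and the principal in each entry is compared by numeric uid/gid rather than by name. The permission bits are simplified and the uids (3001, 103001) are made up.

```python
from collections import namedtuple

# Simplified permission bits (assumption: real NFSv4 ACEs carry many more distinct bits).
READ, WRITE, EXECUTE = 1, 2, 4
RWX = READ | WRITE | EXECUTE
# kind: "allow"/"deny"; who: "owner@", "group@", "everyone@", "user:<uid>" or "group:<gid>"
Ace = namedtuple("Ace", "kind who perms")

def ace_matches(ace, uid, gids, owner_uid, owner_gid):
    """Principals are matched by numeric id, never by user name."""
    if ace.who == "owner@":
        return uid == owner_uid
    if ace.who == "group@":
        return owner_gid in gids
    if ace.who == "everyone@":
        return True
    kind, ident = ace.who.split(":")
    return uid == int(ident) if kind == "user" else int(ident) in gids

def check_access(acl, uid, gids, owner_uid, owner_gid, wanted):
    """Walk ACEs in order: allow bits accumulate; a deny on a still-unresolved bit is final."""
    remaining = wanted
    for ace in acl:
        bits = ace.perms & remaining
        if not bits or not ace_matches(ace, uid, gids, owner_uid, owner_gid):
            continue
        if ace.kind == "deny":
            return False
        remaining &= ~bits
    return remaining == 0

# Constructed ACL for a dataset owned by uid 0 / gid 0 with an explicit entry for uid 3001
# (a made-up host-side uid standing in for the "traefik" user).
TRAEFIK_ACL = [Ace("allow", "owner@", RWX), Ace("allow", "group@", READ | EXECUTE),
               Ace("allow", "user:3001", RWX), Ace("allow", "everyone@", 0)]

def demo():
    """Same ACL seen by the named uid, by a different numeric uid, and with a deny ACE placed first."""
    deny_first = [Ace("deny", "user:3001", WRITE)] + TRAEFIK_ACL
    return {
        "uid_3001_rw": check_access(TRAEFIK_ACL, 3001, {3001}, 0, 0, READ | WRITE),
        # uid 103001 does not match "user:3001", whatever name it resolves to inside a jail.
        "uid_103001_r": check_access(TRAEFIK_ACL, 103001, {103001}, 0, 0, READ),
        "deny_first_w": check_access(deny_first, 3001, {3001}, 0, 0, WRITE),
        "deny_first_r": check_access(deny_first, 3001, {3001}, 0, 0, READ),
    }

if __name__ == "__main__":
    print(demo())
```

The practical check this suggests is to compare the numeric ids stored in the dataset's ACL on the host with the numeric uid/gid that `id` reports for the user inside the jail, since a name that matches on both sides says nothing about whether the numbers do.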