Volume chown id

I’m using a volume that is shared between my SFTP VM and a Caddy VM.

In the SFTP VM, I have a user named ‘site1’ with a group ‘site1’.
However, when I run ls -lasht, I end up with a different user name and group in the Caddy VM.

Luckily, Caddy is able to read the files and I can display them on my web page.
But it’s not ideal. It would be cool to have the ‘caddy’ user/group from the Caddy VM
and the ‘site1’ user/group in the SFTP VM.

How do you handle chown when sharing a volume between multiple containers and VMs?
In my case, I have an SFTP server where I upload static files for my website (index.html, page1.html, main.css, etc…) and a server to display them, Caddy.

Hi!

The access control is based on user and group IDs. The username that appears in ls is (not intended) what is found in /etc/passwd. Therefore you can tinker with those files to get matching usernames (and group names).

If the desired UID and GID are 1000, then run this on both containers to show how names are assigned in each runtime.

grep 1000 /etc/passwd /etc/group

Also, see How to share a folder between a host and a container in Incus – Mi blog lah!

Thanks Simos for the explanation.

If I understand correctly, it’s just a matter of mapping based on the ‘/etc/passwd’ and ‘/etc/group’ files. We need to match the IDs between the two containers…?

What I did, and it works.

Caddy has a system user ID below 1000 when installing the package.
The default ID is 995, and the group is also 995 for the caddy user.

In the SFTP container, I created a user with an arbitrary ID, the same as Caddy’s, which is 995.

addgroup -g 995 site1
adduser -u 995 -G site1 -s /sbin/nologin site1

The match occurs when reading the /etc/passwd file.
Caddy can read the web files, and the SFTP server user can upload files successfully.

Is this the correct approach?

Edit:
I’ve just realized that if I have multiple SFTP users, I’ll need to assign them all the same ID to match Caddy’s, which isn’t ideal from a design perspective… ?

- adduser -u 995 -G site2 -s /sbin/nologin site2
- adduser -u 995 -G site3 -s /sbin/nologin site3
- adduser -u 995 -G site4 -s /sbin/nologin site4
- adduser -u 995 -G site(x) -s /sbin/nologin site(x)

Is creating a separate SFTP container for each user the way to go?


The ls command has a parameter --numeric-uid-gid (or -n). This parameter shows the numeric UID and GID. When your system performs access control checks, it uses the numeric UID and GID. Therefore, if the output of ls -lashtn matches one container with another, then you are fine.

Indeed, if you have several user accounts (i.e. different UIDs), and want them to access the same share, but you want to have an idea which account is adding which file, then you use a common GID for all those accounts.

Therefore,

  1. if you match the UIDs (or GIDs), then it works fine between the containers. It’s the UID/GID that matter in filesystem access controls.
  2. if you have a share and you would like to have an idea which container created a file, then you can use a common GID and change the group ownership accordingly of the files/directories so that all accounts on the same group have access.
  3. If in the future you reach the management limit of this approach (it becomes too cumbersome to manage), you may consider using a file-server.
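As an added example (not part of the thread, and not Incus or Caddy code), a small POSIX sh script that models the checks described above: it resolves names to numeric IDs in constructed /etc/passwd samples for the two containers, shows which name each container would display for a given UID, and checks an `ls -n` line against the common-GID approach (file owned by the shared group and group-readable). The passwd contents, the 995 UID/GID and the `ls -n` lines are constructed samples.

```shell
#!/bin/sh
# Constructed stand-ins for /etc/passwd in the SFTP and Caddy containers (not real files).
SFTP_PASSWD='root:x:0:0:root:/root:/bin/sh
site1:x:995:995:Linux User,,,:/home/site1:/sbin/nologin
site2:x:1001:995:Linux User,,,:/home/site2:/sbin/nologin'
CADDY_PASSWD='root:x:0:0:root:/root:/bin/bash
caddy:x:995:995::/var/lib/caddy:/usr/sbin/nologin'

# uid_of PASSWD_CONTENT NAME -> prints the numeric UID for NAME (nothing if absent)
uid_of() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $3; exit }'
}

# name_of_uid PASSWD_CONTENT UID -> the name `ls -l` would show for UID in that container
name_of_uid() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$3 == u { print $1; exit }'
}

# same_owner SFTP_NAME CADDY_NAME -> exit 0 if both names map to one numeric UID,
# which is what the kernel compares; the displayed names may still differ.
same_owner() {
    a=$(uid_of "$SFTP_PASSWD" "$1")
    b=$(uid_of "$CADDY_PASSWD" "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# readable_via_group LS_N_LINE GID -> exit 0 if the file (one line of `ls -n` output)
# belongs to group GID and the group read bit is set, i.e. the common-GID design works
# for that file; otherwise exit 1.
readable_via_group() {
    printf '%s\n' "$1" | awk -v g="$2" \
        '{ ok = ($4 == g && substr($1, 5, 1) == "r"); exit ok ? 0 : 1 }'
}

# Demo: the same UID shows up under a different name in each container.
printf 'UID 995 is "%s" in SFTP and "%s" in Caddy\n' \
    "$(name_of_uid "$SFTP_PASSWD" 995)" "$(name_of_uid "$CADDY_PASSWD" 995)"
same_owner site1 caddy && echo 'site1/caddy: same UID, access control agrees'
same_owner site2 caddy || echo 'site2/caddy: different UID, rely on a shared GID instead'
```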