[syslog-ng] Directory/file create ownership

Szemere, László laszlo.szemere at balabit.com
Mon Mar 5 19:11:45 UTC 2018


Hello Marco,
please find my answers inline.

Br,
Laci


On Sun, Mar 4, 2018 at 4:56 PM, Marco Mignone <info at marcomignone.com> wrote:

> Hi Laci,
> Thanks for this.
> I will have a play at this and I probably need to study a bit more of
> Docker as my confusion probably derives from the fact of using
> docker-compose to start all services instead of 'docker run' when one can
> specify also the user you want the container to start with.
>
From what I have found, while the command line interface does not support the
*user* parameter, the compose files do. Not so flexible, but fair enough.


>
> The one thing I don't understand is why you can't access the file on the
> host machine (unless of using sudo) if the user on the host and inside the
> container are the same?
>
That was just a small trick to demonstrate that access rights are in place.
I forgot to copy the whole command prompt, but on my personal computer I am
using the username *szemere*. So with the permission *0200* (seen by *ls
-hal*) even I was unable to access the files belonging to the user *marco* (id:
*1500*).


>
> That is basically what I am trying to achieve, the output folder and files
> to have the ownership of an existing user / group on the host machine so
> that they are accessible by that user without having to sudo. I wonder if
> that is what you meant at the end talking about the external user in the
> 'note:' section of your reply?
>
You are right. By external user I meant the user on the host machine.
However my note was about how to address them.
The problem: Since your "external" users do not exist (by default) inside
the container, you cannot use their name to "address" them. (You most
probably got a "no such user" error.)

The most common solutions to this problem are:
A) Select users/groups by their ID. (See in the syslog-ng's configuration
in the example.)
B) First create the users/groups inside the container with a matching ID.
After that you can use the "names" in the syslog-ng's configuration.
C) Bind mount the /etc/passwd file. (Has some other implications, read
carefully, test with virtual machines before using it.)



> Thanks for your help and reply, that's already a good starting point for
> me to try again.
>
> Regards,
> Marco
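Options A and B in the reply rest on one fact: file ownership is stored as numeric IDs, and names are resolved separately by each passwd database. As an added example (not part of the original thread), this script checks a name against host and container passwd files; the file contents are constructed, and every entry other than marco/1500 is an assumption made for illustration.

```shell
#!/bin/sh
# Added example. The passwd contents below are constructed sample data.
HOST_PASSWD=$(mktemp)
CONT_PASSWD=$(mktemp)
cat > "$HOST_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
syslog:x:104:108::/home/syslog:/usr/sbin/nologin
szemere:x:1000:1000::/home/szemere:/bin/bash
marco:x:1500:1500::/home/marco:/bin/bash
EOF
cat > "$CONT_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
syslog:x:101:101::/home/syslog:/usr/sbin/nologin
EOF

# lookup_uid NAME PASSWD_FILE
# Prints the uid for NAME; returns 1 when the name is absent.
lookup_uid() {
    awk -F: -v n="$1" '$1 == n { print $3; found = 1; exit }
                       END { exit !found }' "$2"
}

# check_owner NAME HOST_PASSWD CONTAINER_PASSWD prints one of:
#   ok:<uid>          same uid on both sides, the name is safe to use
#   missing:<uid>     name unknown in the container ("no such user");
#                     use the numeric uid (A) or create the user first (B)
#   mismatch:<h>:<c>  name exists on both sides with different uids, so
#                     files written under that name belong to another
#                     uid when viewed from the host
check_owner() {
    host_uid=$(lookup_uid "$1" "$2") || { echo "unknown-on-host"; return 2; }
    if cont_uid=$(lookup_uid "$1" "$3"); then
        if [ "$host_uid" = "$cont_uid" ]; then
            echo "ok:$host_uid"
        else
            echo "mismatch:$host_uid:$cont_uid"
        fi
    else
        echo "missing:$host_uid"
    fi
}

for name in marco syslog root; do
    printf '%s -> %s\n' "$name" \
        "$(check_owner "$name" "$HOST_PASSWD" "$CONT_PASSWD")"
done
```

The `mismatch` case is the one that stays silent at runtime: the name resolves inside the container, so no error appears, but the files show up on the host under a different owner.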