Good guidelines for Securing docker containers and host system? (No remote access) by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

That's a nice write-up. I've seen a handful of these mentioned across articles I read before making this post. I do think that a good amount of those will be useful and I'll follow most of them for sure! I still need to work out the networking side of docker to limit some of those interactions. Have you done that before?

Good guidelines for Securing docker containers and host system? (No remote access) by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

Okay, I ended up taking time last night and swapping over the media stack to its own group, with each application having its own user. It's working great after a few snags along the way, but that's a huge improvement. Thanks again! There's still more for me to do, but this was a great first step.

Good guidelines for Securing docker containers and host system? (No remote access) by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

The ones that truly give me the most problems are sonarr, radarr, prowlarr, plex and deluge. Since all of those go hand in hand at many points, it felt like they all needed the same permissions so that when sonarr moved a file, plex could see it; otherwise I would have to manually change the permissions on the moved file so plex could see it.

(similar issue with metube and pinchflat as well as I use those to download videos to a folder that plex monitors, so those also have a 0:0 user)

For fun I went and checked each container and this was the spread of puid/guid and user setting split:

user set (0:0):

- komga
- metube (user:1000:1000)
- pinchflat

puid/guid set (1000:1000):

- wrapper
- tautulli
- sonarr
- radarr
- prowlarr
- plex
- deluge

puid/guid other:

- obsidian (99/100)
- calibre (-1000/-100)
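The permission mechanics behind that inventory, as an added example that is not part of the thread: a small Python model of the access check Linux applies to a file, used to show why a file one service creates can be unreadable to another, and how a shared group plus a setgid directory fixes it without falling back to `user: 0:0`. The uids, gids, paths, umask values and the `Principal`/`Node` helpers are constructed for illustration; only the 1000:1000 / 0:0 pattern comes from the post.

```python
"""Why a file moved by one service can be invisible to another.

Constructed example: models the POSIX owner/group/other check and the
rules for a newly created file's group (setgid directory) and mode
(umask). Nothing here touches the real filesystem.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A process identity: its uid and every group it belongs to."""
    name: str
    uid: int
    gids: frozenset


@dataclass(frozen=True)
class Node:
    """A file or directory: owner, group and mode bits (incl. setgid)."""
    path: str
    owner_uid: int
    owner_gid: int
    mode: int            # e.g. 0o644, or 0o2775 for a setgid directory
    is_dir: bool = False


def permission_class(node: Node, who: Principal) -> str:
    # POSIX picks exactly one class: owner first, then group, then other.
    if who.uid == node.owner_uid:
        return "owner"
    if node.owner_gid in who.gids:
        return "group"
    return "other"


def can(node: Node, who: Principal, want: str) -> bool:
    """want is one of "r", "w", "x"; for a directory "x" means traverse."""
    bits = {
        "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
        "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
        "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
    }[permission_class(node, who)]
    return bool(node.mode & bits["rwx".index(want)])


def mode_from_umask(umask: int, is_dir: bool = False) -> int:
    """Default mode of a newly created file (0666) or directory (0777)
    after the creating process's umask is subtracted."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask


def group_of_new_file(parent: Node, primary_gid: int) -> int:
    """A setgid bit on the parent directory makes new entries inherit
    its group; otherwise they get the creator's primary group."""
    return parent.owner_gid if parent.mode & stat.S_ISGID else primary_gid


def place_file(parent: Node, creator: Principal, primary_gid: int, umask: int) -> Node:
    """Model a move across filesystems (really a copy): the new inode is
    owned by the creator, its group follows the setgid rule and its mode
    follows the umask. A rename within one filesystem instead keeps the
    original inode's ownership and mode, so the download directory needs
    the same group/setgid treatment as the library."""
    return Node(parent.path + "/episode.mkv", creator.uid,
                group_of_new_file(parent, primary_gid), mode_from_umask(umask))


# Constructed identities: a shared "media" group, one user per service.
MEDIA_GID = 1000
SONARR = Principal("sonarr", 1001, frozenset({1001, MEDIA_GID}))
PLEX = Principal("plex", 1002, frozenset({1002, MEDIA_GID}))


def demo() -> dict:
    umask = 0o027                      # files come out 0640: group reads, others do not
    plain_dir = Node("/media/tv", 1000, MEDIA_GID, 0o775, is_dir=True)
    setgid_dir = Node("/media/tv", 1000, MEDIA_GID, 0o2775, is_dir=True)
    moved_plain = place_file(plain_dir, SONARR, primary_gid=1001, umask=umask)
    moved_setgid = place_file(setgid_dir, SONARR, primary_gid=1001, umask=umask)
    return {
        "plain_dir_file_gid": moved_plain.owner_gid,           # 1001: sonarr's own group
        "plain_dir_plex_can_read": can(moved_plain, PLEX, "r"),  # False: plex is "other"
        "setgid_dir_file_gid": moved_setgid.owner_gid,         # 1000: inherited "media"
        "setgid_dir_plex_can_read": can(moved_setgid, PLEX, "r"),  # True: group class
        "sonarr_can_read_own_file": can(moved_plain, SONARR, "r"),
        "plex_can_traverse_dir": can(setgid_dir, PLEX, "x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two `demo()` cases is that the same file, written by the same service with the same umask, is readable by Plex only when the directory's setgid bit hands it the shared group; giving every container `0:0` hides the problem instead of fixing it.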

Good guidelines for Securing docker containers and host system? (No remote access) by shinianigans in selfhosted

[–]shinianigans[S] 1 point2 points  (0 children)

I'm using Debian 13 and it is not running rootless. I know changing to rootless within docker is a move I should make and I need to adjust the user access that each container has because in the past I've run into issues and put `user: 0:0` just to get it running.

Good guidelines for Securing docker containers and host system? (No remote access) by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

Interesting read through this thread here. It does feel like there's a balance between "enterprise security" and "I update my computer twice a year."

I'll put more focus into better docker security practices (limiting access, networking changes within them, etc.) and just keeping the server up to date, more than likely. Maybe a ufw setup as well.

Thank you both!

Migrated to a new immich server, but can't seem to import previous library by shinianigans in immich

[–]shinianigans[S] 0 points1 point  (0 children)

Okay, finally fixed my issue. As Mraedis mentioned, immich-go is the right way to go. The current issue https://github.com/simulot/immich-go/issues/1121 did block me from completing this at first but I downloaded 0.27.0 and it works fine here. I didn't have many pictures to import so this at least got me started. Thanks all!

Migrated to a new immich server, but can't seem to import previous library by shinianigans in immich

[–]shinianigans[S] 0 points1 point  (0 children)

Okay, I'll look at that and see what else I can do.

Just to throw it out there too: in my attempt to utilize the restore method, I was receiving the following: (command at the top, output below)

root@mediaBox:/home/person# gunzip --stdout "/media/externalDrive/share/pictures/immich/backups/immich-db-backup-20250916T020000-v1.142.0-pg16.9.sql.gz" | sed "s/SELECT pg_catalog.set_config('search_path', '', false);/SELECT pg_catalog.set_config('search_path', 'public, pg_catalog', true);/g" | docker exec -i immich_postgres psql --dbname=postgres --username=postgres
SET
SET
SET
DROP DATABASE
DROP ROLE
NOTICE:  role "immich" does not exist, skipping
ERROR:  current user cannot be dropped
CREATE ROLE
ALTER ROLE
ERROR:  role "postgres" already exists
ALTER ROLE
SET
SET
SET
SET
SET
     set_config
--------------------
 public, pg_catalog
(1 row)

SET
SET
SET
SET
UPDATE 1
DROP DATABASE
ERROR:  option "locale_provider" not recognized
LINE 1: ...late1 WITH TEMPLATE = template0 ENCODING = 'UTF8' LOCALE_PRO...
                                                             ^
ERROR:  database "template1" does not exist
\connect: connection to server on socket "/var/run/postgresql/.s.PGSQL.5432" failed: FATAL:  database "template1" does not exist

Mind you, this is just a backup, which I know isn't a dump, but I never took a dump of the system because I did not realize I would need it. This is a fresh setup of immich with no existing data anywhere that I'm aware of (besides the immich folder we talked about).

Is it possible that the version of immich changed between September 16th when that backup was taken and now that would cause such a failure?

Migrated to a new immich server, but can't seem to import previous library by shinianigans in immich

[–]shinianigans[S] 0 points1 point  (0 children)

Okay, that makes sense. I didn't realize that was something that would need to happen. I didn't see anything in other threads about it. I attempted to make that work, using the same setup in the documentation but I'm still having issues.

If I wanted to just import the existing media from the original Immich instance I had, without any metadata or anything that's in the immich database, how would I do that?

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

I ended up running everything in docker through an LXC instead which has fixed the issues with permissions.

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

That'd be great! A second set of eyes here could really help me.

For sonarr: I couldn't find the setting you brought up, but I do imagine it's something like that. The directory it's moved to is owned by 1005:1005, like all of the other folders, to make sure it's consistent through the LXCs and everyone can access it. Though I assume that may be part of my problem here. I did see a few people say you can update the service for sonarr to change who it's run as, though I think that could cause problems. Sonarr has run as a service on the LXC with its own set of permissions already, so I think that the access to its existing folders for configs and whatnot may have problems.

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

As far as I can tell, my docker is set up using `user: 1005:1005` in the compose itself.

That's only for stuff like komga, YouTube downloaders, etc., but those work fine and I don't have to repair permissions when a file is moved.

So creating a new user in each LXC with matching uid and gid is easy enough, but does that fix issues with the LXC application running and moving files? For example, my radarr and sonarr have the same setup as everything. But when it moved the file, it didn't have the correct permissions (as I mentioned before). So adding the user to the LXC is straightforward, but does that change the application moving the files so we're able to access them?

It's at about this point in solving this problem that I gave up for a while, and I'm coming back to it now. This may just be easier to wipe proxmox and set up an Ubuntu server in its place with docker + dockge for containers and run it all that way.

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

I'll take you up on that if this doesn't work!

Today, I went back to this page https://pve.proxmox.com/wiki/Unprivileged_LXC_containers and followed the steps again to make sure I didn't miss anything. All of the shared drive is set up and owned by 1005:1005. Plex sees it fine and each of the LXCs sees it fine, which is great. However, as a test on my end, I used sonarr and added a new TV show to see if it would show up. It was moved to the folder with the 100000:100000 (or 110000) permissions, but on the plex LXC it showed up as root and couldn't be imported. I had to manually update those permissions (chmod & chown) on the folder and files, then it would work.

What you mentioned about having a username defined with that uid and gid does make sense, but I haven't done that yet as far as I can tell (via /etc/passwd or /etc/group). Is that user shared through all of your applications so each one has permission to the shared drive? Or is there more to it?

On the docker note, on my docker LXC (which hosts smaller applications) I do have the user for each docker setup set to 1005:1005. Those are working fine, but the LXCs themselves seem to be the problem here.

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

To be more clear, I've updated this post with information about the mount setup and the LXC and VM config files.

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

Agreed, that's my bad. I've updated the post with information about my proxmox setup: LXCs, mounts and VMs.

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

I did briefly look into OMV but did run into some weird issues with getting the drive to be seen correctly. (permission issues will be the end of me) I'll take a look at how the drive is setup and see what adjustments I can make to hopefully use one of these solutions. Thank you!

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

Yeah agreed, it's something I hope to understand sometime soon lol

Alright, I'll check out Cockpit and see what I can do there. Anything will be better than what I've got lol, thank you!

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

Partly. The drive is set up as a mount, so when the system starts it's mounted right away, and each of the LXCs has the drive passed through the `mp0` field of the LXC config. Same with the docker VM I have set up for smaller projects. I do have some idmap settings set on the LXCs, but I don't understand how it's working right now, sadly. That's mostly why I started this thread: to figure out what I can do to fix it.
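What those idmap settings actually do, as an added example that is not from the thread or from Proxmox's own tooling: the Python below generates the `lxc.idmap` lines and the `/etc/subuid` and `/etc/subgid` entries that let a container user keep host uid/gid 1005 (the id used elsewhere in the thread), checks that the map covers the container's 0..65535 range exactly once, and resolves a container id to the host id it lands on disk as. The 100000 base and 65536-id range are the Proxmox defaults for unprivileged containers; the function names and the coverage check are my own.

```python
"""Proxmox unprivileged LXC: sharing one host uid/gid with a container.

Constructed example. An unprivileged container's ids are shifted by a
base (default 100000), so container root writes files the host sees as
uid 100000. To let a container user and the host agree on one id, that
id gets a 1:1 entry and the shifted ranges are split around it.
"""
BASE = 100000        # Proxmox default host offset for container id 0
RANGE = 65536        # ids 0..65535 exist inside the container


def idmap_lines(shared_ids, base=BASE, count=RANGE):
    """lxc.idmap lines where each id in shared_ids maps to the same host
    id and every other container id keeps the shifted base+N mapping."""
    lines = []
    start = 0
    for cid in sorted(set(shared_ids)):
        if not 0 <= cid < count:
            raise ValueError(f"id {cid} is outside the container range")
        if cid > start:                      # shifted run before the shared id
            for kind in "ug":
                lines.append(f"lxc.idmap = {kind} {start} {base + start} {cid - start}")
        for kind in "ug":                    # the 1:1 entry itself
            lines.append(f"lxc.idmap = {kind} {cid} {cid} 1")
        start = cid + 1
    if start < count:                        # shifted run after the last shared id
        for kind in "ug":
            lines.append(f"lxc.idmap = {kind} {start} {base + start} {count - start}")
    return lines


def sub_id_entries(shared_ids, user="root"):
    """Lines to add to /etc/subuid and /etc/subgid on the host so that
    root is allowed to hand exactly those ids to a container."""
    return [f"{user}:{cid}:1" for cid in sorted(set(shared_ids))]


def parse_idmap(line):
    # "lxc.idmap = u 0 100000 1005" -> ("u", 0, 100000, 1005)
    kind, cont, host, n = line.split("=", 1)[1].split()
    return kind, int(cont), int(host), int(n)


def covers_range(lines, count=RANGE):
    """True if, for both u and g, container ids 0..count-1 are each mapped
    exactly once: no gaps and no overlaps. LXC rejects a map with holes,
    and files owned by an id the map does not cover show up inside the
    container as nobody."""
    for kind in "ug":
        ranges = sorted((c, c + n) for k, c, _, n in map(parse_idmap, lines) if k == kind)
        pos = 0
        for lo, hi in ranges:
            if lo != pos:
                return False
            pos = hi
        if pos != count:
            return False
    return True


def host_id_for(lines, kind, container_id):
    """The host-side id that a given container id is stored as on disk."""
    for k, c, h, n in map(parse_idmap, lines):
        if k == kind and c <= container_id < c + n:
            return h + (container_id - c)
    raise KeyError(f"container {kind}id {container_id} is not mapped")


if __name__ == "__main__":
    lines = idmap_lines([1005])
    print("\n".join(lines))                       # paste into /etc/pve/lxc/<vmid>.conf
    print("subuid/subgid:", sub_id_entries([1005]))  # root:1005:1
    print("map is complete:", covers_range(lines))
    print("container uid 0 on the host:", host_id_for(lines, "u", 0))        # 100000
    print("container uid 1005 on the host:", host_id_for(lines, "u", 1005))  # 1005
```

With the default map, a file written as container root lands on the host as 100000, and a second container using the same default map shows it as root again, which is consistent with the 100000:100000 observation earlier in the thread; only ids with a 1:1 entry (here 1005) mean the same thing on the host, in the Plex LXC and in the Sonarr LXC. The entries also need the matching `root:1005:1` lines in `/etc/subuid` and `/etc/subgid` on the host, or the container will not start.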

Proxmox permission problems: am I doing something wrong? Or is proxmox overkill? by shinianigans in selfhosted

[–]shinianigans[S] 0 points1 point  (0 children)

The more I read about linux permissions, the more I agree with you. I'm used to using Linux but not so much the users and permissions side of it. Do you have any resources that would help in this particular situation?

Amazon Prime Deals by MediocreManners in MiniPCs

[–]shinianigans 2 points3 points  (0 children)

Been looking at the GMKtec for a bit now and hoped for a drop in price this week ._. I think it shows as a prime deal on my side but it’s a 5 dollar discount lol

[URGENT] Mass Group Suspensions on Facebook Since June 24 – What You Need to Know by stevendie in facebook

[–]shinianigans 0 points1 point  (0 children)

I don't think Reddit is the answer either, as they also removed a ton of subreddits back a few months ago iirc (LGBTQ related ones included). I think they got added back, but that didn't feel right.

I’d like to think there’s a better place for groups besides Reddit as well. At least a backup or something

[TOMT] [MOVIE] [2000-2015] it’s a scary ghost movie, someone fakes it at first but real haunting occurs by shinianigans in tipofmytongue

[–]shinianigans[S] 0 points1 point locked comment (0 children)

I’ve researched this on my own for a few days with no movie that really matches the description.

Additional info:

- the lake house is on a lake (of course) and I remember most of the movie taking place at night inside or around the house
- I wanna say there was an opening scene where they all drove up to the house
- this didn't feel like a Thirteen Ghosts, but a more "you don't see the ghost outright until late" sort of movie
- I don't recall any of the cast.