Hi everyone! I’m having a really strange issue on my Linux Fedora machine, where Syncthing is installed as a Podman container managed with a rootless systemd quadlet (in the service file there is “UserNS=keep-id”, to ensure the same ID as on the host):
When I copy the data into the Syncthing container folder using the terminal and then share it using the web UI, it’s OK, but when I copy using any GUI like GNOME Files or Plasma Nautilus, the Syncthing UI has problems reading the permissions of that specific folder. So I checked the octals/user/group in the terminal and they are identical to the ones copied from the console. I tried other utilities that check permissions and they match perfectly: the “GUI copy” and the “terminal copy” have exactly the same permissions. I’m really confused!
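An added diagnostic, not code from any post in this thread: a rootless container's access to a file can depend on more than the octal mode, owner and group that `ls -l` shows, namely POSIX ACLs and extended attributes (on Fedora the SELinux label is stored in the `security.selinux` xattr). The script below compares two copies of a file on all of those items so that a "permissions look identical" claim covers everything. The thread does not establish which of these items differed in the poster's case; the file names, the temp-dir demo and the `user.demo` attribute are constructed for illustration. It assumes GNU coreutils (`stat -c`); `getfacl`/`getfattr` (packages `acl` and `attr`) are used only if installed.

```shell
#!/usr/bin/env bash
# Added example, not code from this thread. Compares two copies of a file
# on everything a rootless container's access check can depend on, not just
# the octal mode: mode, owner/group, POSIX ACLs and extended attributes.
# On Fedora the SELinux label lives in the security.selinux xattr, so it
# shows up here too. Assumes GNU coreutils (stat -c); getfacl/getfattr
# (packages acl and attr) are used only if installed.
set -u

# One line per metadata item for a path, so two paths can be compared.
describe_path() {
    local p="$1"
    stat -c 'mode=%a owner=%u:%g type=%F' -- "$p" || return 1
    if command -v getfacl >/dev/null 2>&1; then
        getfacl --absolute-names --omit-header -- "$p" 2>/dev/null | sed 's/^/acl=/'
    fi
    if command -v getfattr >/dev/null 2>&1; then
        # -m - dumps every namespace (user., security., trusted., ...)
        getfattr --absolute-names -d -m - -- "$p" 2>/dev/null | grep '=' | sed 's/^/xattr=/'
    fi
    return 0
}

# Returns 0 if both paths match on every item, 1 if they differ (and prints
# both descriptions so the differing line is visible), 2 if either path
# cannot be read.
compare_paths() {
    local a="$1" b="$2" da db
    da=$(describe_path "$a") || return 2
    db=$(describe_path "$b") || return 2
    [ "$da" = "$db" ] && return 0
    printf '== %s\n%s\n== %s\n%s\n' "$a" "$da" "$b" "$db"
    return 1
}

# Demo on constructed files in a temp dir: same octal mode and owner, but
# one copy gets an extra xattr (user.demo, invented here) to mirror the
# "everything I checked matches" situation. Real use is simply
# compare_paths <gui-copy> <terminal-copy>.
demo() {
    local d
    d=$(mktemp -d)
    printf 'x' > "$d/terminal-copy"
    printf 'x' > "$d/gui-copy"
    chmod 644 "$d/terminal-copy" "$d/gui-copy"
    if command -v setfattr >/dev/null 2>&1; then
        setfattr -n user.demo -v 1 "$d/gui-copy" 2>/dev/null || true
    fi
    if compare_paths "$d/terminal-copy" "$d/gui-copy"; then
        echo "identical on all items"
    else
        echo "differ beyond the octal mode"
    fi
    rm -rf "$d"
}
```

Run it against one file from each copy (`compare_paths /path/gui-copy/file /path/terminal-copy/file`); if the output differs only on an `xattr=security.selinux=...` or `acl=` line, the octal mode was never the problem. Whether the container side sees the same thing can then be checked by running the same `stat`/`getfattr` commands inside the container with `podman exec`.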
It’s not entirely clear what’s going on, but because there’s no mention of at least one other device, I’m assuming you’re describing a permissions issue with setting up folders in Syncthing.
In situations like this, it’s best to copy-and-paste the console/terminal output and/or include screenshots because others on this forum might quickly see issues that were missed. Also, be sure to share any error messages that occur.
Since the problem sounds like an issue with container permissions instead of a Syncthing issue, what’s the reason for running Syncthing in a container instead of natively on the Fedora host? (If you’re using Fedora 40, Syncthing in the repo is very close to the latest release.)
I read and thought about what you said, and you are probably right: it is a container problem, not a Syncthing one. I’m going to check on this in the proper community.
I chose this way for more portability and modularity of the system; Podman is also a rootless container system, and I think it could be better protection against various issues that could happen.
Because Syncthing is self-contained – and most likely Syncthing’s configuration, certificates and database are stored outside of the container – there’s not really any additional portability to be gained unless the goal is to run a recent version of Syncthing on an outdated OS (but unlike a virtual machine, containers are more dependent on the host OS, so a newer container might not run on all older host OSes).
Isolating an app in a container is great for better security, but since Syncthing requires access to user files to be useful, a container adds more complexity which then has the potential to worsen security. It’s similar to whole disk encryption – great for security if the device is stolen and the data is at rest, but doesn’t prevent data theft while the user is logged on and the encrypted disk is in use.
That being said, I use Podman for apps that have a lot of dependencies and/or moving parts, but rarely for single-binary apps.
It’s also bad from a network discovery perspective unless host networking is used. Otherwise, a container will not be able to list the host’s interfaces and the IPs assigned to them.