Files owner inside Docker is root, service user is not root. Trouble with permissions

Time:07-23

Welp, I invested three days into this, so I figured I'd ask.

I boiled my problem down to this:

The app I'm dockerizing is nothing special:

# docker-compose.yml

services:
  php:
    image: php:8.1.5-fpm-bullseye
    volumes:
      - ./:/var/www

# this is the end goal: files writable by this image:
  nginx:
    image: "nginx:1.23-alpine"
    ports:
      - "8090:80"
    volumes:
      - .:/var/www

On my host machine the current user has: uid=1000(raveren) gid=1000(raveren)

But the files that end up in the mounted volume belong to root (id=0):

> docker compose exec php ls -l /var/www
total 3900
-rwxrwxr-x  1 root root   21848 Jul 19 11:52 Makefile
-rwxrwxr-x  1 root root    1153 Jul 18 07:03 README.md
# etc etc

How am I supposed to make some of the directories (e.g. cache, log, and potentially many more) writable for the www-data user that nginx is running as?

If the files belonged to a non-root user I could do that by either changing the www-data id to match the owner - or do something along the lines of this nice guide.

However, the problem I can't get past is: the containerized files don't "admit" that their owner is actually id=1000 and not root id=0.


I tried:

  • All variations of the user directive - in the yaml and in the Dockerfile
  • userns_mode: "host" in the yaml.
  • When I do docker compose exec php chown 1000 testfile, the owner on the host machine gets reflected as 100999. That's why I suspected userns, because cat /etc/subuid gives raveren:100000:65536

Please advise!

CodePudding user response:

I will answer my own question here, it turns out this was a bug of some software on my freshly installed test machine - most probably Docker. I spent too much time to care, it works everywhere but on this specific rig. <rant> so screw it and actually screw docker. After two years with it - just using for developer setups - I'm under the impression that each machine a dockerized app runs on - needs some special tweaking. </rant>

In several other machines everything works as expected: the user: directive in the yaml correctly assigns the user that the container runs as. The guide linked inside the question can help, or I did a slightly different approach which works as well:

# docker-compose.yml

services:
  php:
    build:
      context: ./docker/php
      args:
        DOCKER_UID: ${DOCKER_UID:-1000} # these values must be in ENV, eg .env file
    # run the container process as the host user's uid:gid so bind-mounted files are owned by it
    user:
      "${DOCKER_UID:-1000}:${DOCKER_GID:-1000}"

# Dockerfile
FROM php:8.1.5-fpm-bullseye

ARG DOCKER_UID

# lots of stuff here

# Create a user for provided UID from the host machine
RUN useradd -u ${DOCKER_UID} -m the-whale
# Set the new user's supplementary groups
RUN usermod -G www-data,the-whale,root,adm the-whale
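The question's symptom (a chown to 1000 inside the container showing up as 100999 on the host, with a raveren:100000:65536 entry in /etc/subuid) is exactly what user-namespace remapping looks like. The following script is an added example, not code from the question or answer above: it checks whether the local Docker daemon is running with userns-remap, and does the subuid arithmetic both ways so you can tell which container uid a host-side owner came from and which host uid a given container uid will land on. The /etc/subuid content embedded in it is constructed sample data; the function names and the assumption that the daemon maps container uid 0 to the first uid of the subuid range (which is how userns-remap works) are mine.

```shell
#!/bin/sh
# Added example: diagnose bind-mount ownership under Docker userns-remap.
# Not part of the original post. Assumes the standard /etc/subuid format
# "name:start:count" and that the daemon maps container uid N to host uid
# start + N for N < count (userns-remap behaviour).

# Constructed stand-in for /etc/subuid on the host (sample data).
SAMPLE_SUBUID='raveren:100000:65536
dockremap:165536:65536'

# Print "start count" for a user from subuid-formatted text.
# usage: subuid_range <user> <text>
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $2, $3; found = 1 }
        END { exit !found }'
}

# Host uid that a container uid maps to under a remap range.
# usage: remap_uid <container_uid> <start> <count>
remap_uid() {
    cuid=$1; start=$2; count=$3
    if [ "$cuid" -lt 0 ] || [ "$cuid" -ge "$count" ]; then
        echo "container uid $cuid is outside the $count-uid range" >&2
        return 1
    fi
    echo $((start + cuid))
}

# Container uid that produced a host-side owner seen on a bind mount.
# usage: unmap_uid <host_uid> <start> <count>
unmap_uid() {
    huid=$1; start=$2; count=$3
    if [ "$huid" -lt "$start" ] || [ "$huid" -ge $((start + count)) ]; then
        echo "host uid $huid is not inside remap range $start..$((start + count - 1))" >&2
        return 1
    fi
    echo $((huid - start))
}

# The value to put in compose's user: so the container process owns the
# bind-mounted files without any chown (only correct when remap is OFF).
compose_user_string() {
    echo "$(id -u):$(id -g)"
}

# Is the live daemon running with userns-remap? Returns 0 if so, 1 if not,
# 2 if docker is not installed. With remap on, SecurityOptions lists "name=userns".
daemon_userns_enabled() {
    command -v docker >/dev/null 2>&1 || { echo "docker not installed" >&2; return 2; }
    docker info --format '{{json .SecurityOptions}}' 2>/dev/null | grep -q 'name=userns'
}

# Demo with the sample data; run as: sh this.sh demo
if [ "${1:-}" = "demo" ]; then
    set -- $(subuid_range raveren "$SAMPLE_SUBUID")
    echo "container uid 1000 -> host uid $(remap_uid 1000 "$1" "$2")"
    echo "host uid 100999 <- container uid $(unmap_uid 100999 "$1" "$2")"
    echo "compose user: string for this host user: $(compose_user_string)"
    if daemon_userns_enabled; then
        echo "daemon has userns-remap enabled: bind-mount owners will be shifted"
    fi
fi
```

If daemon_userns_enabled reports that remap is on, the user: trick from the answer will not make files appear as uid 1000 on the host, because every container uid is shifted by the range start; the fix is either to disable userns-remap for that daemon or to use userns_mode: "host" for the service, and to chown the mounted directories to the shifted host uid if you keep remap on.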