15

I've recently been learning to build images and containers with Docker. I was getting fairly confident with it when using a Mac, but recently switched to Ubuntu, I'm fairly new to this side of development.

I'm using a standard new Laravel project as my "code", and am currently just using a php container and nginx container.

I'm using a docker-compose.yml file to create my containers:

version: "3.1"

services:
    nginx:
        image: nginx:latest
        volumes:
            - ./code:/var/www
            - ./nginx_conf.conf:/etc/nginx/conf.d/default.conf
        ports:
            - "80:80"
    php:
        image: php:7.3-fpm
        ports:
            - 9000
        volumes:
            - ./code:/var/www

There may or may not be a mistake in the code above just because I've just typed it out rather than copy and pasting - but it works on my machine.

The problem is:

  • php-fpm is configured with --with-fpm-user=www-data and --with-fpm-group=www-data, and that's set in the php:7.3-fpm Dockerfile (see here).

  • The files on my host machine, are saved with my user name and group as owner / group.

  • When I go into the container, the files are owned by 1000 and group 1000 (I assume a mapping to my user account and group on the host machine?)

However, when I access the application through the browser, I get a permission denied error on start up (when Laravel tries to create an error log file in storage). I think this is because php-fpm is running as www-data, but the storage directory has permissions drwxr-xr-x for owner / group phil:phil - my host owner and group.

I've tried the following, after hours of googling and trials:

  • Recursively change the owner and group of the code directory on the host machine to www-data:www-data. This allows the Laravel application to work, but I now cant create or edit etc files on the host using PHPStorm, because the directory is read-only (I guess because phpstorm is running as my user, and directory is owned by a different user / group).

  • I've added my host user account to the www-data group, and granted write permissions to the group using sudo chmod -R g+w ./code, which now allows the application to run the application, and for phpstorm to write, execute etc files, but when i create or edit a file, the files ownership and group change back to my host phil:phil, and I guess this would break the application again.

  • I've tried to create a php image, and set the env (as described in the link above) to configure with --with-fpm-user=phil --with-fpm-group=phil, but after building, it doesn't change anything - it's still running with www-data (after reading a github issue I think this is because envs cant be changed until later, at which point php is already configured?) (see github issue here)

I'm running out of ideas to try. The only other thing I can think of, is to recursively set owner and group of the code directory on my host to www-data and try run phpstorm as www-data instead, but that feels weird (Update: I tried to open phpstorm as www-data user, using sudo -u www-data phpstorm.sh, but i get a java exception - something to do with graphics -so this approach is unfeasible as well)

Now the only thing I can think of to try is to create a new php image from alpine base image and bypass php's images completely - which seems like an awful lot of inconvenience just because the maintainers want to use ENV instead of ARG?

I'm not sure of best practice for this scenario. Should I be trying to change how php-fpm is run (user/group)? should I be updating the directory owner/group on my host? should I be running phpstorm as a different user?

Literally any advice will be greatly appreciated.

Phil Cross
  • 9,017
  • 12
  • 50
  • 84
  • Please note that usernames mean almost nothing in Docker, it uses the User ID to identify the user, so if www-data is UID/GID: `1000:1000`, the username you use to access the files doesn't matter, as long as it has the same UID. – Coded Monkey Apr 23 '22 at 09:34

4 Answers4

9

ran into the same problem a few weeks ago.

what actually happens is that your host and your container are sharing the same files via the volume, therefore, they also share the permissions.

in production, everything is fine - your server (the www-data user) should be the owner of the files, so no problem here. things get complicated in development - when you are trying to access those files from the host.

i know a few workarounds, the most hacky one seems to be to set www-data uid in the container to 1000, so it will match your uid in the host.

another simple one is to open 777 full permissions on the shared directory, since its only needed in the development build - (should never be done in production though, but as i mentioned before, in production you dont have any problem, so you must seperate the 2 processes and do it only in development mode)

to me, the most elegant solution seems to be to allow all group members to access the files (set 770 permissions), and add www-data to your group:

usermod www-data -a -G phill #// add it to your group

chown -r phill ./code #// make yourself the owner. might need sudo.

chmod 770 ./code #//grunt permissions to all group members
Efrat Levitan
  • 5,181
  • 2
  • 19
  • 40
  • Thank you for your reply! nice to see someone else with similar issues! I'll try your suggestions and get back to you. Thank you! – Phil Cross Apr 10 '19 at 20:58
  • I tried the first workaround first - changing the UID of www-data to my host's uid, and I believe that has worked! This is only for local development - nothing serious as still trying to learn docker, but this post has been invaluable and saved me countless hours! Thank you very much :) – Phil Cross Apr 10 '19 at 21:06
  • glad to be of help thanx – Efrat Levitan Apr 10 '19 at 21:08
  • @EfratLevitan @PhilCross : I've been banging my head against a brick wall on this one for days and just seen your posts and got to wondering : is there a way of manipulating the www-data UID from within `docker-composer.yml` ... or perhaps set up an `entrypoint:` and change it via a script? – bnoeafk Jul 30 '20 at 04:46
  • Hey @bnoeafk you can change www-data uid in the Dockerfile or an entrypoint script, the command goes something like `usermod -u UID www-data`, lmk if that worked and ill edit my answer – Efrat Levitan Jul 30 '20 at 09:57
9

@bnoeafk I'll just post this as a new answer although it has basically been said already. I don't think this is hacky, it works basically like ntfsusermap, certainly more elegant than changing all file permissions.

For the Dockerfile:

FROM php:7.4-apache

# do stuff...

ARG UNAME=www-data
ARG UGROUP=www-data
ARG UID=1000
ARG GID=1001
RUN usermod  --uid $UID $UNAME
RUN groupmod --gid $GID $UGROUP

Every user using this image can pass himself into it while building: docker-compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g)

br4nnigan
  • 646
  • 6
  • 13
  • What if we need to pass user/group id when starting a container from image? – Anton Duzenko Mar 31 '23 at 06:36
  • @AntonDuzenko Check `--build-arg` and the `ARG` instruction in [docker documentation](https://docs.docker.com/engine/reference/builder/#arg), and also check [this great answer](https://stackoverflow.com/a/41919137/6891549) about ARG and ENV instructions – Rodrigo Apr 12 '23 at 21:09
  • @Rodrigo We don't have root permissions on production, and are limited to using Plesk, which only supports environment variables – Anton Duzenko Apr 14 '23 at 13:28
2

You have many options depending on your system to do this, but keep in mind you may have to restart your running process (php-fpm for example)

Some examples on how to achieve this: (you can run the commands outside the container with: docker container exec ...)

  • Example 1:

usermod -g 1007 www-data

It will update the uid of the user www-data to 1007

  • Example 2:

deluser www-data

adduser -u 1007 -D -S -G www-data www-data

It will delete the user www-data and recreate it with the uid 1007

  • Get pid and restart process

To restart a a running process, for example php-fpm, you can do it that way:

First get the pid, with one of the following command:

pidof php-fpm

ps -ef | grep -v grep | grep php-fpm | awk '{print $2}'

find /proc -mindepth 2 -maxdepth 2 -name exe -lname '*/php-fpm' -printf %h\\n 2>/dev/null | sed s+^/proc/++

Then restart the process with the pid(s) you got just before (if your process support USR2 signal):

kill -USR2 pid <-- replace pid by the number you got before

I found that the easiest way is to update the host or to build your container knowing the right pid (not always doable if you work with different environments)

Jean-Roch B.
  • 486
  • 4
  • 10
0

Let's assume that you want to set the user of your PHP container and the owner of your project files to www-data. This can be done inside Dockerfile:

FROM php
.
.
.
RUN chown -R www-data:www-data /var/www
USER www-data # next instruction might face permission error if this line is not at the end of the dockerfile

The important fact here is that the original permissions in the Docker host are corresponded to the permission inside the container. Thus, if you now add your current user to www-data group (which probably needs a logout/reboot to take effect), you will have sufficient permission to edit the files outside the container (for instance in your IDE):

sudo usermod -aG www-data your_user

This way, the PHP code is permitted to run executables or write new files while you can edit the files on the host environment.

Hamid Mohayeji
  • 3,977
  • 3
  • 43
  • 55