In Fedora 31 how do I set permissions for nginx running in a Podman container?

Question

I am trying to set up a local dev LEMP stack for a Slim-4 project using podman-compose. So far I have containers for PHP and Nginx. Nginx runs but gives a 500 error on trying to access the log directory - permission denied. This directory is outside of the public directory that is served by nginx.

I have selinux set to permissive to eliminate its issues. I have used podman unshare to set ownership to the container's Nginx UID:GID. I tried the setup with only a simple index file - the file is served with no issues. So, nginx/podman has access to the nginx configuration file on the host. The issue must be with write permissions.

Here is my docker-compose file:

version: '3.7'

# Services
services:

# Nginx Service
nginx:
  image: nginx:1.17
  ports:
    - 8090:80
  volumes:
    - .:/var/www/php:z
    - ./.docker/nginx/conf.d:/etc/nginx/conf.d:ro
  depends_on:
    - php

# PHP Service
php:
  image: php:7.4-fpm
  working_dir: /var/www/php
  volumes:
    - .:/var/www/php

What am I missing?

Answer 1

The issue was that I incorrectly assumed I needed to set permissions to allow Nginx to have access. Instead I needed to grant the group www-data access permissions.
How I did it:
log into the running Nginx container podman exec -it [container ID] bash
find the www-data GID (Group ID) - from the container command line, cat /etc/passwd | grep www-data
note the GID (in the result you will see something like ...x:33:33... 33:33 is the user:group)
exit the container cli with exit
in your development/host cli, at the root of your project, run podman unshare chown -R 0:[the www-data GID you found above] . (don't miss the '.')

Explanation:
podman unshare puts you in a modified userspace that matches the container
chown changes ownership
-R means recursive
the number to the left of the ':' is the UID (User ID), the number to the right is the GID
the '.' is the current directory.

I hope this helps someone. I spent hours learning the above.