Design pattern for static file serving

I have a Django-based web-app and nginx as part of a docker-compose.yaml. Now, to serve static content (in production), I am using shared volumes for $PROJECT_DIR/static and $PROJECT_DIR/media, but because collectstatic is run by root in my alpine-based app container, nginx (which runs with default user nginx) cannot actually serve the shared files, throwing up a 403 Forbidden. What’s the most maintainable way to set this sort of architecture up?

The easiest idea I could think of would be to start the collectstatic container with the userid that nginx uses in your other container…

Ask your nginx: docker exec YOUR_NGINX_CONTAINER_NAME_HERE grep nginx /etc/passwd

Result should be something like nginx:x:101:101:nginx:/var/cache/nginx:/sbin/nologin. The numbers in this line are the user and primary group id.

It should now work by simply adding user: 101:101 (docs) to your collectstatic compose-file (or -u "101:101" to your docker run). For sure you have to have all the owners and rights set correctly…
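
A check for the "owners and rights" condition in the answer above, as an added example that is not part of the original thread: it lists every path under a shared static or media directory that a given uid:gid (for instance the 101:101 reported for nginx) cannot read. The helper name `unreadable_by` is hypothetical; the check assumes a `stat` that supports `-c` (GNU or BusyBox) and looks only at owner, group and mode bits.

```shell
#!/bin/sh
# Added example: find files in a shared volume that nginx would answer with 403.
# Assumptions: stat supports -c; supplementary groups and ACLs are ignored;
# paths containing newlines are not handled.

# unreadable_by UID GID DIR   (hypothetical helper name)
# Prints one path per line; prints nothing when everything is readable.
unreadable_by() {
    uid=$1 gid=$2 dir=$3
    # Directories need r+x (5) to be listed and traversed, files need r (4).
    for spec in "d 5" "f 4"; do
        set -- $spec
        find "$dir" -type "$1" -exec stat -c '%u %g %a %n' {} + |
        awk -v uid="$uid" -v gid="$gid" -v need="$2" '{
            mode = sprintf("%03d", $3 % 1000)   # drop setuid/setgid/sticky digit
            if ($1 == uid)      bits = substr(mode, 1, 1) + 0   # owner class
            else if ($2 == gid) bits = substr(mode, 2, 1) + 0   # group class
            else                bits = substr(mode, 3, 1) + 0   # other class
            # r bit must be set; for directories the x bit as well
            ok = (bits >= 4) && (need == 4 || bits % 2 == 1)
            if (!ok) { sub(/^[0-9]+ [0-9]+ [0-9]+ /, ""); print }
        }'
    done
}

# Usage, run where the volume is mounted (path is a placeholder):
#   unreadable_by 101 101 /path/to/static
```

Empty output means the mode bits allow the given user to read every file; any listed path is a candidate for the 403.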