I’m having an issue with running a WordPress container in rootless mode.
I run a php-fpm container under compose, using user: 1011:1011.
I have a local directory mounted into /var/www/html.
All files in this directory are chown 1011:1011.
When I connect to the container and run ps, I see all processes running under the 1011 user.
When I list /var/www/html in the container, all files are owned by root.
Gist of the issue: files owned by a regular user on the host are owned by root inside a rootless Docker container running under the regular user. This is causing some serious issues for me, as I can’t run operations that create or modify files for me in the PHP app.
I have also changed to no “user” defined in the compose, and to user: 0:0. Both gave the same result.
Docker Desktop has to run as your user so it has very similar mechanisms, but different on each platform. I didn’t notice the topic was about Docker Desktop, but notice this part in my first sentence:
It looks like on Linux it indeed works as rootless Docker
So yes, the answer was about Rootless Docker which is Docker CE running as a non-root user.
For anyone else looking at this thread: I looked at the actual UID for files that were created by the container, which turned out to be 821906, so for now I chown’d all files to 821906:821906 and that seems to have fixed the issue temporarily. I deploy all things on my VPS via Ansible, so obviously this method doesn’t work as it breaks the automation completely. Going forward I will have to look at alternatives.
I was aware of rootlesskit, but wasn’t aware what it actually did in detail. Thank you for reminding me, I’m now doing research on how it can be useful.
Now that I slept on it, using rootlesskit can help to create files with the right permissions, but wouldn’t help much in Ansible. On the other hand, you don’t even need to detect what is in the subuid and subgid files, since you can generate new files from Ansible, so you will know exactly what IDs you need to work with. This is a topic I wanted to write a tutorial about, but this blogpost could be helpful too.
That’s a good reference point. I figured I would just read the subuid file, parse it and keep the info as a fact in Ansible, and use it to chown files. I haven’t implemented it so far, but will need to next weekend. I was hoping to use getent, but it doesn’t have subuid etc. as a database, so I will have to do it manually on run start.
As far as this article goes, I am happy enough to say most of my current flow is similar to their method; I am, however, not manually setting up users. So I will need to decide if that’s something I wish to do.
Either way, your pointers on using the internal subuid UID for the files was what solved my problem in the short term. I just need to figure out how to fully automate the procedure next :), so thank you for spending the time and effort on all your help, I sincerely appreciate it!
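The subuid parsing and UID translation discussed in the thread, as an added example that is not code from any poster: it reads `/etc/subuid` entries (`name:start:count`), maps a container UID to the host UID its files will carry, and maps a host UID back to how it appears inside the container. It assumes the default rootlesskit layout (container UID 0 is the user running the rootless daemon, container UID n maps to the n-th subordinate ID) and generalizes to users with several ranges; the sample file content and IDs are constructed, not the poster's real 821906 values.

```python
"""UID translation for rootless Docker (added example, not from the thread).

Assumed layout: container UID 0 = the host user running dockerd; container
UID n (n >= 1) = the n-th ID across that user's /etc/subuid ranges.
"""
from typing import List, Tuple

# Constructed stand-in for /etc/subuid, format: name-or-uid:start:count
SAMPLE_SUBUID = """\
alice:100000:65536
deploy:165536:65536
"""

NOBODY = 65534  # overflow UID: what an unmapped ID appears as in a user namespace


def parse_subuid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return the (start, count) ranges assigned to `user`, skipping blanks/comments."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def container_to_host(container_uid: int, owner_uid: int, ranges) -> int:
    """Host UID carried by files a container process creates (NOBODY = unmapped)."""
    if container_uid == 0:
        return owner_uid  # container root is the rootless daemon's own user
    offset = container_uid - 1  # container UID 1 is the first subordinate ID
    for start, count in ranges:
        if offset < count:
            return start + offset
        offset -= count
    return NOBODY


def host_to_container(host_uid: int, owner_uid: int, ranges) -> int:
    """UID a host-owned file shows as inside the container (NOBODY = unmapped)."""
    if host_uid == owner_uid:
        return 0  # this is why files owned by the daemon's user look root-owned
    base = 1
    for start, count in ranges:
        if start <= host_uid < start + count:
            return base + (host_uid - start)
        base += count
    return NOBODY


if __name__ == "__main__":
    r = parse_subuid(SAMPLE_SUBUID, "deploy")
    print(container_to_host(1011, 1011, r), host_to_container(1011, 1011, r))
```

Feeding the real `/etc/subuid` and the rootless user's UID into `container_to_host` gives the exact owner to pass to Ansible's `file` module instead of a hard-coded number.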