Docker Community Forums


File permission mount issues

I am having an understanding issue with volume mounts and specific containers.
In this case, I am setting up a bitbucket container (https://hub.docker.com/r/atlassian/bitbucket-server/)

When I run this container (like so):
docker run --network mynet --name bitbucket -e JDBC_DRIVER=org.postgresql.Driver -e JDBC_USER=bitbucket -e JDBC_PASSWORD=bitbucket -e JDBC_URL=jdbc:postgresql://postgres:5432/bitbucket -p 7990:7990 -p 7999:7999 -v /data/bitbucket:/var/atlassian/application-data/bitbucket/shared:z -i -t --rm atlassian/bitbucket-server

I am presented with file permission errors because /data/bitbucket isn’t writable by the user in the container. After some digging, I found the user in the container is ID 2003.

I understand why this occurs, but when I read the dockerhub page, there is no reference to taking extra steps to secure the bitbucket local volume, which they totally recommend.

Is there something else going on that I don’t understand, or are some things taken for granted?

Seems more like you missed that detail.

In the Dockerfile a user is added in a RUN statement. So far so good.
The bad news is that they didn’t switch to that user using a USER statement. If they had done that, modifying the UID:GID in the container would be as simple as adding -u uid:gid to docker run. Pity that this is not an option. So either change the owner of the folder or build your own image with the UID:GID that you need.

I completely missed it. Thanks for pointing it out! That answers the questions concretely.

Since you’re bind-mounting the python container in docker-compose, the Dockerfile files and existing permissions are irrelevant. At runtime, it mounts pwd to /PROTON, so anything in the image at /PROTON is hidden and the container only sees the pwd on host.

The user in the container is a simple UID and GID number match to the host. For instance, use id command on host to get your UID and GID. For me, they are 1000 and 1000. You just need to ensure the user and group running in the container are that same UID/GID.

RUN groupadd --gid 1000 proton \
 && useradd --uid 1000 --gid proton --create-home proton
Now that your host user and container user UID/GID are the same, you’ll notice that files created in pwd match the usernames of each user. Linux on host will look up the UID 1000 and see it’s your host user (for me it’s bret) and if you do a docker-compose exec proton ls -al /PROTON you should notice it’ll look up user 1000 in the container and see proton. The usernames are just friendly names for the IDs, so just ensure they match between host user and container user and you’ll be good.

Unrelated tips:

You can change the user that compose starts your container with, using user: username, but if it’s the one you put in Dockerfile with USER then no need in this case.
Your Dockerfile COPY command can use chown inline, to save you a step and space in image:
COPY --chown=1000:1000 . /PROTON, or
COPY --chown=proton:proton . /PROTON
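As an added example (not code from the thread or from the Atlassian image), a small POSIX shell script that predicts, from a host directory's owner and mode bits, whether a container process running as a given numeric UID:GID (2003 for the bitbucket image in the question, 1000:1000 in the compose example above) will be able to write into a bind mount before you start the container. It assumes GNU coreutils stat on Linux and deliberately ignores POSIX ACLs, supplementary groups, root's CAP_DAC_OVERRIDE and SELinux labels (the :z flag).

```shell
#!/bin/sh
# Predict whether a container process running as UID:GID can write into a host
# directory before bind-mounting it (e.g. /data/bitbucket for the UID 2003 user).
# Mirrors the kernel's owner -> group -> other check on the mode bits only.
# Ignored on purpose: POSIX ACLs, supplementary groups, root's CAP_DAC_OVERRIDE
# and SELinux labels (the :z flag). Assumes GNU coreutils `stat` (Linux).

# container_can_write DIR UID GID -> exit 0 if writable, 1 if not, 2 on stat error
container_can_write() {
    dir=$1; uid=$2; gid=$3
    # "%u %g %a" gives owner uid, owner gid and the octal mode, e.g. "1000 1000 750"
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    owner=$1; group=$2
    # keep the last three octal digits (drops setuid/setgid/sticky) and split them
    perms=$(printf '%03d' "$(($3 % 1000))")
    u=${perms%??}; o=${perms#??}; g=${perms#?}; g=${g%?}
    # the kernel uses exactly one class: owner if uid matches, else group, else other
    if [ "$uid" -eq "$owner" ]; then
        [ $((u & 2)) -ne 0 ]
    elif [ "$gid" -eq "$group" ]; then
        [ $((g & 2)) -ne 0 ]
    else
        [ $((o & 2)) -ne 0 ]
    fi
}

# report_mount DIR UID GID: human-readable verdict plus the least-privilege fix
report_mount() {
    if container_can_write "$1" "$2" "$3"; then
        echo "$1 is writable by container user $2:$3"
    else
        echo "$1 is NOT writable by container user $2:$3"
        echo "  fix: chown $2:$3 '$1'  (or rebuild the image with a uid:gid you own)"
    fi
}

# usage: sh check_mount.sh /data/bitbucket 2003 2003
if [ "$#" -eq 3 ]; then
    report_mount "$1" "$2" "$3"
fi
```

The chown suggestion is the narrowest fix: it hands the directory to exactly the container user instead of opening it to everyone with chmod 777.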