Hello, folks.
I’ve built an image of a Flask app using this Dockerfile:
FROM python:3.13.1-slim-bookworm
USER root
# One layer for update + install: separate RUN lines let a cached, stale
# package index be reused; skip recommends and drop the index to keep the image small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends locales openssl \
 && rm -rf /var/lib/apt/lists/*
RUN sed -i "/en_US.UTF-8 UTF-8/ s/^# //" /etc/locale.gen
RUN sed -i "/ru_RU.UTF-8 UTF-8/ s/^# //" /etc/locale.gen
RUN locale-gen
# uid 1000 matches the host user that runs docker compose, so files written to a
# bind mount end up owned by that user. The password only matters for interactive logins.
RUN useradd -m -g users -u 1000 user -p "$(openssl passwd -1 user)"
COPY ./requirements.txt /tmp/requirements.txt
RUN pip install --no-cache-dir -r /tmp/requirements.txt
USER user
WORKDIR /home/user/app
# COPY does not honour USER: without --chown the copied files belong to root.
COPY --chown=user:users . .
CMD ["gunicorn", "-w", "2", "-b", "0.0.0.0:52000", "app:application"]
On the host Linux system I run the docker compose command as user 1000:1000. In the compose file I have the directive
user: 1000:1000
However, all files created by my app in the mounted directory are owned by root. What should I do to make user the owner of all files in the mounted directory by default?
This already makes the gunicorn process start as user id 1000. Assuming it works as a server and serves app:application, it should also write files as uid 1000, and be able to read every file that uid 1000 can read.
Though, if you bind a host folder into a container, the permissions of the host folder will still be present inside the container. The inode of the host folder is directly bind mounted into the target container folder: it is not a copy, it is exactly the same part of the filesystem. So if you chown your host folder to 1000:1000, and your container creates files with anything other than uid 1000, then something in gunicorn must be the reason.
> Assuming it works as a server and serves app:application, it should also write files as uid 1000, and be able to read every file that uid 1000 can read.

It does.

> So if you chown your host folder to 1000:1000, and your container creates files with anything other than uid 1000, then something in gunicorn must be the reason.

Yes, but how do I do this by default? Is there any best-practice automation? I don’t believe I have to create the whole directory tree and empty files with the right ownership by hand before starting a Docker container for the first time. It seems inconvenient and impractical. From my experience, there are some images that do this work automatically, but I don’t get how. Miniflux, for example: I didn’t do anything when I first started a container with it, and still all files are owned by UID 999.
Some images start as root, do some sanity checks and adjust configuration files before starting the main process, either as an unprivileged user or as root. If you want your image to do this, you will need to create an entrypoint script and script everything so that it takes care of all these things.
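A minimal entrypoint of the kind described in that reply, as an added example and not code from this thread or from Miniflux. It assumes the container starts as root (no USER instruction in the Dockerfile and no user: directive in compose), that the data directory and target uid/gid are supplied through the hypothetical APP_DATA_DIR, APP_UID and APP_GID environment variables (defaults 1000 and /home/user/app/data, matching the Dockerfile above), and that setpriv from util-linux is available, as it is in Debian-based images:

```shell
#!/bin/sh
# entrypoint.sh: added example, not from the original thread.
# Runs as root, repairs ownership of the bind-mounted data directory,
# then drops privileges and execs the real command (gunicorn from CMD).
# APP_UID, APP_GID and APP_DATA_DIR are assumed conventions of this example.
set -eu

# Print "uid:gid" of a path (GNU stat, present in the Debian base image).
owner_of() {
    stat -c '%u:%g' "$1"
}

# chown the tree only when the top-level owner does not already match,
# so a restart on an already-correct volume stays cheap.
ensure_owner() {
    dir=$1; uid=$2; gid=$3
    mkdir -p "$dir"
    if [ "$(owner_of "$dir")" = "$uid:$gid" ]; then
        return 0
    fi
    chown -R "$uid:$gid" "$dir"
}

# Build the privilege-dropping prefix. setpriv ships with util-linux in
# Debian, so no extra package such as gosu or su-exec is needed.
# --init-groups needs a passwd entry for the uid; fall back to --clear-groups.
drop_privs_prefix() {
    uid=$1; gid=$2
    if getent passwd "$uid" >/dev/null 2>&1; then
        groups_opt=--init-groups
    else
        groups_opt=--clear-groups
    fi
    printf 'setpriv --reuid=%s --regid=%s %s --' "$uid" "$gid" "$groups_opt"
}

main() {
    uid=${APP_UID:-1000}
    gid=${APP_GID:-1000}
    data_dir=${APP_DATA_DIR:-/home/user/app/data}

    if [ "$(id -u)" -eq 0 ]; then
        ensure_owner "$data_dir" "$uid" "$gid"
        # Word splitting of the prefix is intended here.
        # shellcheck disable=SC2046
        exec $(drop_privs_prefix "$uid" "$gid") "$@"
    fi
    # Already unprivileged (e.g. compose user: set): cannot chown, just run.
    exec "$@"
}

# Docker passes CMD as the arguments; with no arguments the file only
# defines its functions (useful for sourcing and testing).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To wire it in, COPY the script into the image, make it the ENTRYPOINT, keep the gunicorn line as CMD, and drop both the USER instruction and the compose user: directive, otherwise the script starts unprivileged and can no longer fix the mount. Note that chown -R on a large or untrusted bind mount is a one-time cost and also follows nothing outside the directory, but it does change host-side ownership, which is exactly the effect the question asks for.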