How to setup docker rootless compose with the apache php image and bind mount? (file owner)

i try to get this to work:

  • os is debian based
  • php:7.4-apache
  • php application code is copied to image on build
  • compose
    • bind mount a sub-folder in the application directories for manipulation on host

the docker setup is running in rootless mode and the user has also no root privileges (no sudo).

i first tried to setup the image so that i add a user that is identical to host (name and ids)
and change the APACHE_RUN_USER & GROUP to this user.

that did work on a normal root docker setup.
but not on the rootless setup.
as there the id-s are shifted.
i then tried to just set the APACHE_RUN_USER to root but apache barked on me that this is a very bad idea…

so i now have no idea how to approach this.

i am open for any tips & hints

sunny greetings

i cross-posted this also at

I can share my previous posts about it. Hope it helps

I think I had an even better explanation I couldn’t find now. But the point is that you need to find out what userid on the host is UID 1 in the container. The rest can be calculated. And your user on the host will be the root (UID 0) in the container.

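The calculation described in the post above, as an added example that is not part of the original thread. It translates between container and host IDs using a map in the `/proc/<pid>/uid_map` format. The function names are hypothetical, and the sample map is constructed: host user UID 1001 and subuid start 493216 are assumed values, and www-data is taken to be UID 33 as in Debian-based images.

```shell
#!/bin/sh
# Constructed sample map, one range per line:
#   <first id inside container> <first id on host> <range length>
# Line 1: container root (0) is the unprivileged host user (assumed UID 1001).
# Line 2: container UIDs 1..65536 come from the user's /etc/subuid range
#         (assumed to start at 493216).
# The real map can be read from /proc/self/uid_map by a process that runs
# inside the rootless user namespace.
SAMPLE_UID_MAP='0 1001 1
1 493216 65536'

# container_to_host_uid <container-id> [map]
# Prints the host ID that backs a container ID; returns 1 if it is unmapped.
container_to_host_uid() {
    printf '%s\n' "${2:-$SAMPLE_UID_MAP}" | awk -v id="$1" '
        BEGIN { id += 0 }                      # force numeric comparison
        NF == 3 && id >= $1 && id < $1 + $3 {
            print $2 + (id - $1); found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# host_to_container_uid <host-id> [map]
# Inverse lookup: which container ID does an owner shown by `ls -n` on the
# host correspond to? Returns 1 if the ID is outside every mapped range.
host_to_container_uid() {
    printf '%s\n' "${2:-$SAMPLE_UID_MAP}" | awk -v id="$1" '
        BEGIN { id += 0 }
        NF == 3 && id >= $2 && id < $2 + $3 {
            print $1 + (id - $2); found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# Demo with the constructed map: www-data (33) inside, numeric owner outside.
echo "container uid 33 -> host uid $(container_to_host_uid 33)"
echo "host uid 1001    -> container uid $(host_to_container_uid 1001)"
```

The same functions work for group IDs when given a map in the `gid_map` format.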

thanks for your response Ákos,

in the meantime i did already understand this behavior.

i also found a really interesting information regarding this:
you can use

rootlesskit -- chown -R www-data:www-data my-app-data

on the host to set the files to a user as owner that belongs to the container!

This translates the id mapping and sets them in the right way.
and you do not need superuser rights to do it!
so that is exactly the tool i need for my setup.

this leads to something like

$ ls -lah
total 72K
drwxrwxr-x  6 web1   web1   4,0K 15. Jun 13:26  ./
drwxr-xr-x 16 web1   root   4,0K 14. Jun 13:46  ../
-rw-rw-r--  1 web1   web1   2,5K 15. Jun 14:17  docker-compose.yml
-rw-rw-r--  1 web1   web1    230 28. Mai 03:14  .editorconfig
-rw-rw-r--  1 web1   web1     89 28. Mai 13:10  .env
-rw-rw-r--  1 web1   web1    976 15. Jun 13:36  .gitignore
drwxrwxr-x  8 493248 493248 4,0K 14. Jun 22:00  my-app-data/
-rw-rw-r--  1 web1   web1    200 10. Jun 22:08

see the cryptic ID 493248 -
if you wish you can add a user that has this id to have a nicer listing view:

sudo groupadd --system  --gid 493248 drl-www-data
sudo useradd --system --no-create-home --uid 493248 --gid 493248 --comment "docker-rootless www-data" drl-www-data

(drl for docker-rootless)

for this you need superuser rights. (at least as far as i know there is no other way…)

to change the file user back to your host user you can do:

rootlesskit chown -R root:root my-app-data

for me this is a solution i can live with 🙂

sunny greetings


It can work with well-known, standard usernames, but each container can have different users mapped to the same userid or use a different ID for the same username. If you want to be sure you always set the right permission, you still need to find out what user id and group id you need and use that in your chown command. But using the rootlesskit command is actually a good idea I didn’t think of 👍 so you don’t need to know the ID outside the container.


thank you!!

one followup:
my server provider told me that maybe the uid mapping changes with a restart of the container -
i thought that the mapping is fixed as it is based on the actual current host-user id -
and this will not change by itself…

is there some random / predictable translation possible?
or is this fixed as long as no other things are changed
(it would change if the subuid settings on the host for this user gets changed - that is clear)

if it would change that would mean my permissions would be off…
i can not imagine that this could be a wanted behavior…

No, uid mapping can’t just change after restart. If it can, it must be something provider specific, but I can’t imagine why and how they could do that. Are you sure they were talking about the userids? As I stated before, the UIDs can be different in different containers, but it won’t change unless you or something changes the subuid setting as you correctly noted.

thanks for the clarification!

  • yeah i was sure with this too and wondered about this in the email i got…

i think he meant something different / i read it the wrong way…