bind mount a sub-folder in the application directories for manipulation on host
The Docker setup is running in rootless mode and the user also has no root privileges (no sudo).
I first tried to set up the image so that I add a user that is identical to the host user (name and IDs)
and change the APACHE_RUN_USER & GROUP to this user.
That did work on a normal root Docker setup,
but not on the rootless setup,
as there the IDs are shifted.
I then tried to just set the APACHE_RUN_USER to root, but Apache barked at me that this is a very bad idea…
I think I had an even better explanation that I couldn’t find now. But the point is that you need to find out what user ID on the host is UID 1 in the container. The rest can be calculated. And your user on the host will be root (UID 0) in the container.
on the host to set the owner of the files to a user that belongs to the container!
This translates the ID mapping and sets them the right way.
And you do not need superuser rights to do it!
So that is exactly the tool I need for my setup.
This leads to something like
$ ls -lah
total 72K
drwxrwxr-x 6 web1 web1 4,0K 15. Jun 13:26 ./
drwxr-xr-x 16 web1 root 4,0K 14. Jun 13:46 ../
-rw-rw-r-- 1 web1 web1 2,5K 15. Jun 14:17 docker-compose.yml
-rw-rw-r-- 1 web1 web1 230 28. Mai 03:14 .editorconfig
-rw-rw-r-- 1 web1 web1 89 28. Mai 13:10 .env
-rw-rw-r-- 1 web1 web1 976 15. Jun 13:36 .gitignore
drwxrwxr-x 8 493248 493248 4,0K 14. Jun 22:00 my-app-data/
-rw-rw-r-- 1 web1 web1 200 10. Jun 22:08 README.md
See the cryptic ID 493248 -
if you wish you can add a user that has this ID to get a nicer listing view:
It can work with well-known, standard usernames, but each container can have different users mapped to the same user ID or use a different ID for the same username. If you want to be sure you always set the right permission, you still need to find out what user ID and group ID you need and use that in your chown command. But using the rootlesskit command is actually a good idea I didn’t think of, so you don’t need to know the ID outside the container.
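As an added example (not code from the thread or from the rootlesskit project), the arithmetic behind "UID 1 in the container, the rest can be calculated": rootless Docker maps the host user's own UID to container UID 0 and the user's /etc/subuid range START..START+COUNT-1 to container UIDs 1..COUNT. The subuid content below is constructed; the start 493216 and host UID 1001 are assumptions picked so that www-data (UID 33 inside a Debian-based Apache image) lands on the 493248 seen in the listing above. Knowing both directions lets you chown a bind-mounted directory on the host to the right ID without guessing, and spot a file whose owner falls outside the mapped range (which the container would then see as "nobody").

```shell
#!/bin/sh
# Translate UIDs between a rootless Docker container and the host.
# Mapping used by rootless Docker / rootlesskit:
#   container UID 0          -> the host user's own UID
#   container UID n (1..COUNT) -> START + n - 1   (START/COUNT from /etc/subuid)

# Constructed sample of /etc/subuid; on a real host read the file instead.
SUBUID_SAMPLE="root:100000:65536
web1:493216:65536"

# subuid_start NAME SUBUID_TEXT -> START of the range for NAME
subuid_start() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# subuid_count NAME SUBUID_TEXT -> COUNT of the range for NAME
subuid_count() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

# container_to_host HOST_UID START COUNT CONTAINER_UID
# Prints the host UID that owns files the container creates as CONTAINER_UID;
# fails (no output, status 1) when CONTAINER_UID is outside the mapped range.
container_to_host() {
    host_uid=$1; start=$2; count=$3; cuid=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$host_uid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        return 1
    fi
}

# host_to_container HOST_UID START COUNT FILE_UID
# Prints the UID the container sees for a host file owned by FILE_UID;
# fails when FILE_UID is neither the host user nor inside the subuid range
# (inside the container such a file shows up as nobody / overflow UID).
host_to_container() {
    host_uid=$1; start=$2; count=$3; fuid=$4
    if [ "$fuid" -eq "$host_uid" ]; then
        echo 0
    elif [ "$fuid" -ge "$start" ] && [ "$fuid" -lt $((start + count)) ]; then
        echo $((fuid - start + 1))
    else
        return 1
    fi
}

# Stand-alone usage with the constructed values (host user web1 = UID 1001 assumed).
HOST_UID=1001
START=$(subuid_start web1 "$SUBUID_SAMPLE")
COUNT=$(subuid_count web1 "$SUBUID_SAMPLE")
echo "web1 subuid range: $START..$((START + COUNT - 1))"
echo "container www-data (33) -> host UID $(container_to_host "$HOST_UID" "$START" "$COUNT" 33)"
echo "host UID 493248 -> container UID $(host_to_container "$HOST_UID" "$START" "$COUNT" 493248)"
```

The host-side chown for my-app-data/ then uses the computed host UID (493248 in this constructed case) rather than a username, which is what the responder means by "each container can have different users mapped to the same user ID": the number is what the kernel compares, the name in /etc/passwd inside the image is only a label.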
One follow-up:
my server provider told me that maybe the UID mapping changes with a restart of the container -
I thought that the mapping is fixed, as it is based on the actual current host user ID -
and this will not change by itself…
Is there some random / predictable translation possible?
Or is this fixed as long as nothing else is changed?
(It would change if the subuid settings on the host for this user get changed - that is clear.)
If it would change, that would mean my permissions would be off…
I cannot imagine that this could be wanted behavior…
No, UID mapping can’t just change after a restart. If it can, it must be something provider specific, but I can’t imagine why and how they could do that. Are you sure they were talking about the user IDs? As I stated before, the UIDs can be different in different containers, but it won’t change unless you or something changes the subuid setting, as you correctly noted.