Setting web root volume permissions

Dear all,

I am very new to Docker and a not-so-fast learner, so please be gentle with me.

I searched this forum and other places before posting this question but couldn’t find an answer, although I suspect that it is out there somewhere, since this is rather a fundamental issue.

I created two containers with a Dockerfile and docker compose, and one of them is the php7-apache container (the other one is postgresql). My YAML file contains a volume on the host machine, specifically the /home/user/http directory, that targets the /var/www/html directory in the container. Now the host machine runs Arch Linux and the container is Debian-based. I have a file that contains the postgresql database user and password information. I don’t like having this file in the web root directory but I am not sure where else to put it for my PHP scripts to be able to read it. One option I could think of was to limit its read permissions, and that is the root of my problem.

Since Arch Linux (host) doesn’t have a www-data user, I created this system user and converted ownership of all files in the /home/user/http directory (web root) to this user, thinking that this was the user that runs Apache in the container. However, this did not allow the web server to read these files unless there is read permission set for other users. In other words, chmod 600 doesn’t work and only chmod 644 works, although the owner of the file is www-data. It makes me think that the web server in the container has a different user name, or it is somehow modified in the host machine and that is creating this discrepancy, but I cannot put my finger on it. Who should be the appropriate owner of these files? Any pointers will be greatly appreciated to find a solution to this problem.

Thanks!

The UID:GID of the host folder needs to match the UID:GID of the user that executes the process inside the container.

Some images use a restricted user that has a predefined UID:GID to run the whole container and the main process. Those containers can be started using --user, which translates to user: in a docker-compose.yml. Other images may use a system daemon (like s6-overlay) and start as root, do some preparation work and start the main process as a specific UID:GID; those images usually provide an ENV to replace this UID:GID. Other images might be running as root all along…

On the host, stat /home/user/http should return the UID:GID of the folder. Perform ps auxfn inside the container to see which UID (first column, USER) is used to execute the main process. Make sure both UIDs match.

Since you are the owner of the Dockerfile, you are in control to add a user (you will want to provide a fixed UID:GID when creating it to have control of the default UID:GID inside the image) and use the USER directive to make it the current user inside your Dockerfile. When you create the container, you can use --user/user: to let docker replace the UID:GID with the provided UID:GID.

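The check described in the answer above (stat on the host folder, ps auxfn inside the container, compare the two UIDs), written out as an added shell example that is not part of the thread. It assumes GNU stat on the host and that the ps output has been captured from the container (for example with docker exec); the directory path and the ps sample below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the owner of a bind-mounted host
# directory with the UID the web server runs under inside the container.

# Owner of a host directory as "UID:GID" (GNU stat; run this on the host).
host_owner() {
    stat -c '%u:%g' "$1"
}

# UID that serves requests for a given command, read from `ps auxfn` output
# captured inside the container (e.g. `docker exec <container> ps auxfn`).
# With -n the first column is the numeric UID. apache2 keeps a root master
# process and drops to an unprivileged UID for the workers that actually read
# files, so a non-root UID wins; 0 is reported only when every matching
# process runs as root. Prints nothing when no process matches.
process_uid() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        $1 ~ /^[0-9]+$/ && index($0, cmd) > 0 {
            if ($1 != "0") { print $1; done = 1; exit }
            saw_root = 1
        }
        END { if (!done && saw_root) print 0 }'
}

# check_owner HOST_UID_GID PS_OUTPUT COMMAND
# Returns 0 when the host directory UID equals the container process UID,
# 1 on a mismatch (with the two ways to fix it), 2 when COMMAND is not found.
check_owner() {
    host_uid=${1%%:*}
    host_gid=${1#*:}
    ctr_uid=$(process_uid "$2" "$3")
    if [ -z "$ctr_uid" ]; then
        echo "no process matching '$3' found in ps output" >&2
        return 2
    fi
    if [ "$host_uid" = "$ctr_uid" ]; then
        echo "match: host files owned by UID $host_uid, $3 runs as UID $ctr_uid"
        echo "  a credentials file can now be chmod 640 (owner read, no world read)"
        return 0
    fi
    echo "mismatch: host files owned by UID $host_uid, $3 runs as UID $ctr_uid"
    echo "  either: chown -R $ctr_uid:$ctr_uid <host dir>"
    echo "  or:     start the container with user: $host_uid:$host_gid (if the image supports it)"
    return 1
}

# Constructed sample of what `ps auxfn` shows in a php:7-apache container:
# root master process, workers running as UID 33 (www-data on Debian).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
0            1  0.0  0.4 217340 19024 ?        Ss   10:00   0:00 apache2 -DFOREGROUND
33          18  0.0  0.2 217340 11120 ?        S    10:00   0:00  \_ apache2 -DFOREGROUND
33          19  0.0  0.2 217340 11120 ?        S    10:00   0:00  \_ apache2 -DFOREGROUND'

# Demo on the constructed data; on a real host replace the first argument
# with "$(host_owner /home/user/http)".
check_owner "33:33" "$SAMPLE_PS" apache2
```

The worker UID is the one that matters for file access: the root master only binds the port and forks, so comparing against it would hide the mismatch the original question ran into.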

Worked like a charm, thank you! I just converted the ownership of the files on the host machine (Arch Linux) to http, which happens to be 33, which is the same number for the user web-app in Debian, who runs the Apache daemon in the container.
