I'm using Docker Compose and a Dockerfile to create multiple containers. Everything runs fine, but I decided I want to share a directory on the host with 2 containers. The share works and I can access the files, but one of the containers does not have write access. The working container that can write to the directory has UID 1000. The host account that owns the folder is also 1000.
The container that can't write starts up and runs the Dockerfile as UID 1000 but creates a new user that gets 1001, and this is the account that the container runs as. I'm not sure how to change the UIDs, but I've tried doing it in the Dockerfile with usermod -u 1000 accountname etc. But I can't seem to give UID 1000 out because that's what the setup account uses.
Any ideas on how to handle this tricky problem?
How would you do the same without containers? Let's say you have two pieces of software. Like PHP, which has to write files as www-data, but there would be a Python program or your interactive user trying to edit or read the files as you?
It is all about setting proper ownerships, group memberships and permissions. In containers you would need to find out what groups the users have and with what group ID, and you could also modify the image to add a common group ID to both users.
Depending on the specific applications, there may be a way to configure them to run as a specific user and set the files to be owned by the common user (the user ID; the name is actually irrelevant).
Another case could be that the applications are just components of a larger piece of software but not designed well, and that's why they both want to write to the same folder instead of one component asking the other through an API call to write it.
Thanks for the detailed reply. If I manually set the account to have user ID 1000 while logged in as root after the container is created, it works.
Going back to the host OS, I was under the impression the containers need to run with the ID of the account that owns the folder on the host. I created a group on the host containing accounts with the user ID of the container that needs write access and granted it write access on the host, but that user ID still did not have write access in the container. Is it possible to do this on the host without explicit folder ownership? I.e.: accounts with user ID 1000 and 1001 (which the container that doesn't have write access uses)?
To satisfy Unix file permissions, the UID:GID of the folder owner should match the UID:GID of the process started inside the container.
I tried to explain in this post how to identify the UID:GID. Though often you find it documented in the Docker Hub description.
Some images provide environment variables to set the UID/GID; those start as root, often chown files, but start the main process with the restricted UID:GID. Some start as a restricted user right away, and can be configured with
docker run -u uid:gid or in a compose file with
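As an added illustration of the point made in the two answers above (it is not code from this thread or from Docker), the following Python model reproduces how the kernel decides a write on a bind-mounted folder: purely from numeric IDs, using the process's own credential set. Group membership configured in the host's /etc/group never reaches a container process; its supplementary groups come from the image's own /etc/group, or from `--group-add` / compose `group_add`. The folder IDs (1000:1000) and UIDs (1000, 1001) are the thread's; gid 1002 for a shared group is an assumed value, and the inode/process structures are a simplification (no ACLs, no user-namespace remapping).

```python
"""Model of the Unix discretionary-access check for a shared bind mount.

Constructed example; not code from the original thread. It models the
kernel's owner/group/other decision with numeric IDs only, which is why
editing group membership on the host does nothing for a process inside a
container: the container process carries its own UID/GID set.
"""
from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class Inode:
    uid: int   # numeric owner, as the kernel stores it (names are irrelevant)
    gid: int
    mode: int  # permission bits incl. setgid, e.g. 0o2775


@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    supplementary: frozenset = frozenset()  # from the *container's* /etc/group or group_add

    @property
    def groups(self) -> set:
        return {self.egid, *self.supplementary}


def can_write(proc: Process, node: Inode) -> bool:
    """Owner class if euid matches, else group class if any GID matches,
    else other. Only the first matching class is consulted: a group member
    denied by g-w does not fall through to 'other' even if o+w is set."""
    if proc.euid == 0:
        return True  # CAP_DAC_OVERRIDE: root in a default (non-userns) container
    if proc.euid == node.uid:
        return bool(node.mode & stat.S_IWUSR)
    if node.gid in proc.groups:
        return bool(node.mode & stat.S_IWGRP)
    return bool(node.mode & stat.S_IWOTH)


def new_file_ids(proc: Process, parent: Inode) -> tuple:
    """IDs of a file the process creates: owner is always the creator's euid;
    group is the creator's egid unless the directory is setgid, in which case
    the file inherits the directory's group. Setgid is what keeps files written
    by either container in the shared group."""
    gid = parent.gid if parent.mode & stat.S_ISGID else proc.egid
    return proc.euid, gid


# --- the scenarios from the thread ---------------------------------------

HOST_FOLDER = Inode(uid=1000, gid=1000, mode=0o755)  # owned by host uid 1000


def scenario_thread() -> dict:
    """Container A runs as 1000 (matches the owner), container B as 1001."""
    a = Process(euid=1000, egid=1000)
    b = Process(euid=1001, egid=1001)
    return {"A": can_write(a, HOST_FOLDER), "B": can_write(b, HOST_FOLDER)}


def scenario_host_group_only() -> bool:
    """What was tried: on the host, create group 1002 (assumed gid), put uid
    1001 in it, chgrp the folder to 1002 and chmod g+w. The container process
    still has only the GIDs its own image gave it, so 1002 is never in its set."""
    shared = Inode(uid=1000, gid=1002, mode=0o775)
    b = Process(euid=1001, egid=1001)  # host /etc/group not consulted
    return can_write(b, shared)


def scenario_group_add() -> bool:
    """Fix: hand gid 1002 to the container process itself, e.g.
    `docker run -u 1001:1001 --group-add 1002 ...` or compose
    `user: "1001:1001"` with `group_add: ["1002"]`; make the folder setgid
    (chmod 2775) so new files also land in group 1002."""
    shared = Inode(uid=1000, gid=1002, mode=0o2775)
    b = Process(euid=1001, egid=1001, supplementary=frozenset({1002}))
    return can_write(b, shared)


if __name__ == "__main__":
    print("thread:", scenario_thread())
    print("host group only:", scenario_host_group_only())
    print("group_add:", scenario_group_add())
    shared = Inode(uid=1000, gid=1002, mode=0o2775)
    print("new file ids:", new_file_ids(Process(1001, 1001, frozenset({1002})), shared))
```

The alternative fix the last answer describes, running the second container with `-u 1000:1000` so its euid equals the folder owner, corresponds to the "A" case in `scenario_thread()`; it works only if the image does not hard-code uid 1001 in its entrypoint or in file ownership inside the image. Either way, check the result from inside the container (`id`, then `touch` a file in the mount) rather than on the host, because only the container's credential set is what the kernel evaluates.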