chialab/docker-php

Setting docker user

Closed this issue · 3 comments

I'd like to run this container (specifically 7.2-apache) while mounting a local volume to /var/www/html. Besides php:7.2-apache being very complicated to install extensions, I was able to pass --user 1002:1002 to the docker run command without issues and have the apache user have correct write access to my local directory.

When I don't pass --user to this container, it runs, but whenever a script needs to write it doesn't have permission. On the other hand, when I do pass --user 1002:1002 to the container, it immediately exits with

[Wed Mar 06 15:40:30.704749 2019] [core:error] [pid 1] (13)Permission denied: AH00099: could not create /var/run/apache2/apache2.pid
[Wed Mar 06 15:40:30.704806 2019] [core:error] [pid 1] AH00100: apache2: could not log pid to file /var/run/apache2/apache2.pid

Hi @padarom ! First of all, thanks for your interest in this project. Sorry for the late answer…

Permissions in Docker are a fairly complicated topic, and I'm not sure I've fully understood your use case from what you wrote. In my personal experience, mounting local volumes almost always caused some headaches… if possible, I'd try to COPY files into the Docker Image at build time, or mount volumes from another Docker container using --volumes-from.

If your use case is a local development scenario, you may try to run the Docker container without --user and then docker exec <your-container> chown -R apache:apache /var/www/data. This may mess up permissions of your local filesystem too, so be sure that this is not an issue for you before you do this!

Regarding the extensions being hard to install: which extensions have you tried to install? Many extensions require additional build- or run-time dependencies that do not come installed in the base Docker image, so you'll likely find yourself having to apt-get install things before you can actually build the PHP extension… 😕

Apache can't run without root privileges since its log folders are created using root. And if it can, then the next problem is that port 80 is only usable by root.

The solution you are looking for is probably setting the environment variables APACHE_RUN_USER and APACHE_RUN_GROUP (https://askubuntu.com/a/164787 ~ but you can set them using the -e option, by defining them in a Dockerfile or by defining them in docker-compose). Just be sure that those users actually exist within the docker container, otherwise it would be too easy ;)

Another solution is to create the www-data group on your host and add yourself to it. Then give all your files group write access. That solution is a bit more portable since you don't know which user id others might have. However, you'll have to tell anyone you give your container to to do that, and it isn't quite stable as you'll constantly have to change the group of new files if you create them on the host.

The next solution is better suited if you use docker-compose or some other orchestration tool. Use php-fpm. fpm can run as a normal user, even if that user does not exist. In my experience this has basically no downsides.

And for trivia: Docker for Mac completely ignores users in bind-mounts, so it just writes everything with the user who started the container. This is honestly the best solution from a usability and even from a security standpoint, since on Linux you can sudo within a docker container and then access root files on the host if you somehow manage to get to them using a bind-mount. This probably isn't a solution for you, but you might be interested to know that as well ;)
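The APACHE_RUN_USER / APACHE_RUN_GROUP approach from the comment above, worked through as an entrypoint script. This is an added example, not code from chialab/docker-php or the official php:*-apache image: it keeps the container starting as root (so Apache can still create /var/run/apache2/apache2.pid and bind port 80), maps a host UID:GID onto an account that actually exists inside the container, and exports the two variables so Apache drops its worker processes to that account. The variable names APACHE_RUN_UID and APACHE_RUN_GID, the "appNNNN" account names it creates, and the lookup via /etc/passwd and /etc/group are assumptions of this example.

```sh
#!/bin/sh
# Added example entrypoint (not part of chialab/docker-php). Assumed inputs:
# APACHE_RUN_UID and APACHE_RUN_GID (hypothetical names), e.g. the UID/GID
# of the host user whose directory is bind-mounted on /var/www/html.
# Run the container WITHOUT --user so this script starts as root; Apache
# itself switches to APACHE_RUN_USER/APACHE_RUN_GROUP for its workers.

# Print the account name for a numeric UID from /etc/passwd (empty if none).
name_for_uid() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd
}

# Print the group name for a numeric GID from /etc/group (empty if none).
name_for_gid() {
    awk -F: -v g="$1" '$3 == g { print $1; exit }' /etc/group
}

# Split a "UID:GID" spec (same syntax as docker run --user) into "UID GID";
# GID defaults to UID; non-numeric input is rejected (return 1).
parse_user_spec() {
    uid=${1%%:*}
    gid=${1#*:}
    if [ "$gid" = "$1" ] || [ -z "$gid" ]; then gid=$uid; fi
    for n in "$uid" "$gid"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    echo "$uid $gid"
}

# Ensure a group with this GID exists (creating "app<GID>" if not) and print its name.
ensure_group() {
    name=$(name_for_gid "$1")
    if [ -z "$name" ]; then
        name="app$1"
        groupadd -g "$1" "$name" || return 1
    fi
    echo "$name"
}

# Ensure a user with this UID exists (creating "app<UID>" in the given GID if
# not, without a home directory or login shell) and print its name.
ensure_user() {
    name=$(name_for_uid "$1")
    if [ -z "$name" ]; then
        name="app$1"
        useradd -u "$1" -g "$2" -M -s /usr/sbin/nologin "$name" || return 1
    fi
    echo "$name"
}

# Resolve the requested UID:GID to existing accounts, export the Apache
# variables and hand over to the image's normal start command.
run_entrypoint() {
    spec=$(parse_user_spec "${APACHE_RUN_UID:-33}:${APACHE_RUN_GID:-33}") || {
        echo "invalid APACHE_RUN_UID/APACHE_RUN_GID" >&2; return 1; }
    uid=${spec% *}
    gid=${spec#* }
    APACHE_RUN_GROUP=$(ensure_group "$gid") || return 1
    APACHE_RUN_USER=$(ensure_user "$uid" "$gid") || return 1
    export APACHE_RUN_USER APACHE_RUN_GROUP
    # Apache writes its pid file here as root before switching users.
    mkdir -p /var/run/apache2
    exec apache2-foreground "$@"
}

# Only act as the real entrypoint when running as root inside an image that
# has apache2-foreground (the official php:*-apache start command).
if [ "$(id -u)" = 0 ] && command -v apache2-foreground >/dev/null 2>&1; then
    run_entrypoint "$@"
fi
```

Usage under these assumptions: copy the script into the image as /usr/local/bin/entrypoint.sh, set it as ENTRYPOINT in the Dockerfile, and start the container with something like `docker run -e APACHE_RUN_UID=1002 -e APACHE_RUN_GID=1002 -v "$PWD":/var/www/html <image>` (no --user). Files written by PHP then carry UID/GID 1002 on the host, while the process that needed root at startup never ran as the mapped user.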

That last bit is good to know. We intend to use a Docker container with some additional tooling for development on an in-house server; port 80 won't be used anyway.

The main reason I was asking is because the original php-apache image seemed to work fine as long as I passed in the user to the instance, but obviously it's lacking all extensions. As far as I could see these images use the original php images and just add extensions to them. That's why I was confused why something that worked with the original one (passing --user) didn't work with this one.

I'll give APACHE_RUN_USER and APACHE_RUN_GROUP a try however, thanks!