tiredofit/docker-nginx-php-fpm

Changing the id of nginx user and group

juanluisbaptiste opened this issue · 11 comments

Hi David,

I have a mix of websites, some use tiredofit/wordpress and some use other images. The user and group IDs of the web server user of the images are different, so they map to different host OS users. Then I have an OS user for the webmasters team that administers all of the sites and has sftp access only, and sometimes they wipe out one of the sites and add it again, so the files get created with their user's group, which sometimes does not match the uid/gid of the website running the container, and I have to go and fix the permissions for them. With docker you can set the uid/gid of the user running the container, but AFAICS this does not work in this case because that user is the one running s6 init, so this has to be done at run time when starting the container for the nginx user using usermod.

Could a couple of variables like NGINX_USER="uid" and NGINX_GROUP="gid" (or NGINX_USER="uid:gid" could work too) be added to set the nginx user uid/gid values?

This is a part of the Alpine base image and should work well for your needs. From the README.

If you enable DEBUG_PERMISSIONS=TRUE, all the users and groups that have been modified in accordance with environment variables will be displayed in output. e.g. If you add USER_NGINX=1000 it will reset the container's nginx user id from 82 to 1000 - Hint, also change the Group ID to your local development user's UID & GID and avoid Docker permission issues when developing.

| Parameter | Description |
| -- | -- |
| USER_<USERNAME> | The user's UID in /etc/passwd will be modified with new UID |
| GROUP_<GROUPNAME> | The group's GID in /etc/group and /etc/passwd will be modified with new GID |
| GROUP_ADD_<USERNAME> | The username will be added in /etc/group after the group name defined |

You should already be able to set NGINX_USER and NGINX_GROUP to a named username as well. The caveat with that approach is that the user must exist inside of /etc/passwd. I use a bit of both solutions that I entered above.

Ahh, I was not aware of that alpine functionality, I will try it then, thanks!

Keep me posted, I wrote this in a couple years back and it may not work for all of the use cases people use, but certainly will rotate the UID/GIDs for ya! If you are using any of my images based on debian (there aren't that many) the same functionality exists.

Of course, I will let you know as soon as I test it.

Sorry for the delay, I did not have time to test this until today, but it seems it is not working. I have added this to the service's .env file:

```
DEBUG_PERMISSIONS=TRUE
USER_NGINX=1001
GROUP_NGINX=33
```

Then redeployed the container:

```
$ sudo docker stack rm wp-mysite
Removing service wp-mysite_wp-mysite
$ sudo docker stack deploy -c docker-compose.yml wp-mysite
Creating service wp-mysite_wp-mysite
$
```

but when I exec a shell into it the nginx user id and group have not changed:

```
bash-5.0# env|grep NGINX
USER_NGINX=1001
NGINX_CLIENT_BODY_TIMEOUT=600
NGINX_UPLOAD_MAX_SIZE=8G
NGINX_GROUP=www-data
NGINX_ENABLE_CREATE_SAMPLE_HTML=FALSE
NGINX_BROTLI_VERSION=e505dce68acc190cc5a1e780a3b0275e39f160ca
GROUP_NGINX=33
NGINX_USER=nginx
NGINX_WEBROOT=/www/wordpress
NGINX_AUTH_LDAP_VERSION=master
NGINX_VERSION=1.19.3
bash-5.0# id nginx
uid=100(nginx) gid=101(www-data) groups=101(www-data),101(www-data)
bash-5.0#
```

Maybe I'm doing something wrong ?

You are doing everything right - Something has broken along the way. Will look into shortly.

Edit - Try "ENABLE_PERMISSIONS=TRUE" as well.

Yes, it works with ENABLE_PERMISSIONS=TRUE, thanks !

Nice! I'll update the documentation on that! For some reason I don't think I included that's what it was to switch it on.

Excellent 👍

I am opening this issue again because I have exactly the same problem.

My configuration is the following:

```yaml
version: '3.9'
services:
  nginx-php-fpm:
    image: tiredofit/nginx-php-fpm:5.6
    restart: unless-stopped
    container_name: example.com
    volumes:
      - ./html:/www/html
      - ./logs:/www/logs
    environment:
      - VIRTUAL_HOST=example.com
      - VIRTUAL_NETWORK=proxy_default
      - VIRTUAL_PORT=80
      - DEBUG_PERMISSIONS=TRUE
      - ENABLE_PERMISSIONS=TRUE
      - USER_NGINX=1000
      - GROUP_WWW-DATA=1000
networks:
  default:
    external:
      name: proxy_default
```

I tried to comment out # - DEBUG_PERMISSIONS=TRUE, I tried - GROUP_NGINX=1000, I even tried - GROUP_NGINX=33 as @juanluisbaptiste did above, but every time I get the same result. The gid remains 101.

```
/ # id nginx
uid=1000(nginx) gid=101(www-data) groups=101(www-data),101(www-data)
```
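A way to check for the symptom reported in this thread, added here as an example and not taken from the thread or from the image's own scripts: it compares every numeric USER_<NAME> / GROUP_<NAME> request in an environment dump with the IDs actually recorded in passwd and group files. The function name `check_remap`, the sample files and the lowercase name mapping (USER_NGINX to nginx) are assumptions.

```shell
#!/bin/sh
# check_remap ENV_DUMP PASSWD_FILE GROUP_FILE
# Compares each numeric USER_<NAME>=<uid> / GROUP_<NAME>=<gid> request with the
# IDs recorded in the passwd and group files. Returns 1 if any request is unmet.
# Assumption: <NAME> maps to the lowercase account name (USER_NGINX -> nginx).
check_remap() {
    awk -F: -v envf="$1" -v pwf="$2" -v grf="$3" '
    BEGIN {
        bad = 0
        while ((getline < pwf) > 0) uid[$1] = $3
        while ((getline < grf) > 0) gid[$1] = $3
        while ((getline line < envf) > 0) {
            eq = index(line, "=")
            if (eq == 0) continue
            key = substr(line, 1, eq - 1); want = substr(line, eq + 1)
            # GROUP_ADD_* is a membership request, not an ID remap; skip it
            if (key ~ /^GROUP_ADD_/ || want !~ /^[0-9]+$/) continue
            if (key ~ /^USER_/) {
                kind = "user"; name = tolower(substr(key, 6))
                have = (name in uid) ? uid[name] : ""
            } else if (key ~ /^GROUP_/) {
                kind = "group"; name = tolower(substr(key, 7))
                have = (name in gid) ? gid[name] : ""
            } else {
                continue
            }
            if (have == "") { status = "MISSING"; have = "-" }
            else if ((have "") == (want "")) status = "OK"
            else status = "MISMATCH"
            if (status != "OK") bad = 1
            printf "%s %s want=%s have=%s %s\n", kind, name, want, have, status
        }
        exit bad
    }'
}

# Constructed sample files mirroring the last report in the thread.
demo_dir=$(mktemp -d)
printf 'USER_NGINX=1000\nGROUP_WWW-DATA=1000\nENABLE_PERMISSIONS=TRUE\n' > "$demo_dir/env"
printf 'nginx:x:1000:101:nginx:/var/lib/nginx:/sbin/nologin\n' > "$demo_dir/passwd"
printf 'www-data:x:101:nginx\n' > "$demo_dir/group"
check_remap "$demo_dir/env" "$demo_dir/passwd" "$demo_dir/group" || true
```

Inside a running container the same function can be pointed at the live files: `env > /tmp/env.txt; check_remap /tmp/env.txt /etc/passwd /etc/group`.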