How do you manage development permissions in a Docker container?

When developing in a Docker container on Linux, there is a problem with permissions: how to manage file permissions and permissions between the host and the container.

Imagine I have a Docker image that runs Ubuntu and an Apache server. Using the default settings for (latest versions) of Apache, the document root will be /var/www/html and Apache will be launched as the www-data user.

To do some development, I open the document root via Docker with -v /path/to/my/files:/var/www/html . And here the problem arises:

The files in /path/to/my/files belong to the container's www-data user. If I'm lucky and my host has a www-data user, it will be that user; otherwise, it will be a separate user local to the container. The permissions for these files will be (possibly) 0755.

So, when I work as myself (a user named jsmith), these files cannot be edited by me due to incorrect permissions and ownership.

  • I can change the ownership of the files to jsmith, but this will cause problems with Apache - it will have trouble accessing the files in the document root.

  • I can change the permissions to 0777, but any new files that I create during my work will belong to jsmith.

The end result is that you need to constantly adjust ownership and permissions on development files. Other people should have this problem, but every post I saw on the topic of using Docker in the development process simply ignores this problem.

I have a solution, but I'm not quite happy with this:

  • I set up the folder /src/myproject. This contains my development files and belongs to www-data:www-data.

  • Using BindFS, I mount /src/myproject at ~/myproject, mapping www-data:www-data to jsmith:jsmith. This allows me to edit files in ~/myproject without permission conflicts.

  • The Apache Docker container mounts the /src/myproject directory with -v /src/myproject:/var/www/html. Apache sees www-data file ownership and has no problems.

This works well, but seems too complicated. How do other people solve this problem?

+7
2 answers

I can come up with two solutions:

Use a common group identifier among all developers and images. The uid may end up being numeric in the container, but the gid will provide at least read access and, optionally, write access without granting it globally. Use the setgid bit on the container's directories so that new files are automatically created with this gid. This is not the cleanest approach, and it can lead to sharing with other members of the group, but it can be much easier depending on your organization's workflow.

The second option is named volumes, which, I think, were added after you asked this question. They allow you to have data with a uid/gid known to the container. The disadvantage of this is moving data into the internal docker directories, where managing it outside the container is not so simple. However, there are microservice-based approaches that support synchronizing a volume with an external source (git pull, rsync, etc.) using a dedicated container that mounts the same volume. Essentially, you move all read and write operations into containers, including any backups, upgrade procedures, and test scripts.


Update: The third option, which I often use for development environments, is to run the entrypoint script as the root user, which compares the uid/gid of the mounted volume with the uid/gid of the user inside the container. If they do not match, the user's uid/gid inside the container is updated to match the host. This allows developers to reuse the same image on multiple hosts, where the uid/gid of each developer may differ on their local computer. The code for this is included in my bin/fix-perms, which is part of my base image. The last step of my entrypoint script is to use gosu to drop root back to the user, now with the changed UID/GID, and all files written will now match the user on the host.

If you are running MacOS, the recent osxfs feature automatically fixes uid/gid mismatches with host volumes.

0
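The third option above (a root entrypoint that remaps the service user's uid/gid to the owner of the bind mount and then drops privileges with gosu), written out as an added example. This is not the answerer's bin/fix-perms script; it assumes gosu, usermod, groupmod, stat and GNU or BusyBox find are installed in the image, that the service group carries the same name as the user (www-data), and that the volume is mounted at /var/www/html.

```shell
#!/bin/sh
# Entrypoint helper (hypothetical): run as root, align the service user's
# uid/gid with the owner of the bind-mounted directory, then drop to that user.
set -eu

# Decide what has to change. Prints the groupmod/usermod commands to run (nothing
# if the ids already match) and fails if the mount is root-owned, so a root-owned
# host directory can never turn the service account into uid 0.
plan_fix() {
  name="$1"; cur_uid="$2"; cur_gid="$3"; want_uid="$4"; want_gid="$5"
  if [ "$want_uid" -eq 0 ] || [ "$want_gid" -eq 0 ]; then
    return 1
  fi
  if [ "$cur_gid" -ne "$want_gid" ]; then
    # -o tolerates a host id that already exists in the image (e.g. 1000)
    echo "groupmod -o -g $want_gid $name"
  fi
  if [ "$cur_uid" -ne "$want_uid" ]; then
    echo "usermod -o -u $want_uid $name"
  fi
  return 0
}

# Inspect the volume and the container user, apply the plan, re-own files that
# were created at build time under the old uid, then exec the real command.
fix_perms_and_exec() {
  name="$1"; dir="$2"; shift 2
  want_uid=$(stat -c '%u' "$dir"); want_gid=$(stat -c '%g' "$dir")
  cur_uid=$(id -u "$name");        cur_gid=$(id -g "$name")
  if ! cmds=$(plan_fix "$name" "$cur_uid" "$cur_gid" "$want_uid" "$want_gid"); then
    echo "refusing to map $name onto root: $dir is owned by $want_uid:$want_gid" >&2
    return 1
  fi
  if [ -n "$cmds" ]; then
    eval "$cmds"   # only digits and a name we control reach eval
    if [ "$cur_uid" -ne "$want_uid" ]; then
      # Image files still carry the old uid; fix them, but leave the mount alone.
      find / -xdev -path "$dir" -prune -o -user "$cur_uid" \
           -exec chown -h "$want_uid:$want_gid" {} + 2>/dev/null || true
    fi
  fi
  exec gosu "$name" "$@"
}

# Entrypoint body: root aligns the ids first; a non-root start just runs the command.
if [ $# -gt 0 ]; then
  if [ "$(id -u)" -eq 0 ]; then fix_perms_and_exec www-data /var/www/html "$@"; else exec "$@"; fi
fi
```

With `ENTRYPOINT ["/fix-perms.sh"]` and the usual `CMD ["apache2-foreground"]`, the remap happens once per container start and Apache never runs as root.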

I understand that it's probably too late, but it may help someone.

In your Dockerfile you can do this:

 RUN usermod -u 1000 www-data
 RUN groupmod -g 1000 www-data

This may work in some settings.

0
