CODEWITHSUNDEEP
dockerdocker-compose
simPod
simPod

Reputation: 13446

Docker-compose set user and group on mounted volume

I'm trying to mount a volume in docker-compose to apache image. The problem is, that apache in my docker is run under www-data:www-data but the mounted directory is created under root:root. How can I specify the user of the mounted directory?

I tried to run command setupApacheRights.sh. chown -R www-data:www-data /var/www but it says chown: changing ownership of '/var/www/somefile': Permission denied

services:
    httpd:
        image: apache-image
        ports:
            - "80:80"
        volumes:
            - "./:/var/www/app"
        links:
            - redis
        command: /setupApacheRights.sh

I would prefer to be able to specify the user under which it will be mounted. Is there a way?

Upvotes: 222

Views: 370494

Answers (7)

Samuel Thompson
Samuel Thompson

Reputation: 2576

I know this wont solve this answer specifically, but if you are connecting to a network drive uid/gid to the options part of the connection like this:

volumes:
  downloadVol:
    driver_opts:
      type: cifs
      o: username=******,password=*****,uid=1000,gid=1000
      device: //your.ip.goes.here/downloads/

This is especially helpful when working with windows and docker.

Upvotes: 1

Manuel Manhart
Manuel Manhart

Reputation: 5455

To achieve the desired behavior without changing owner / permissions on the host system, do the following steps.

  1. get the ID of the desired user and or group you want the permissions to match with executing the id command on your host system - this will show you the uid and gid of your current user and as well all IDs from all groups the user is in.

     $ id

  2. add the definition to your docker-compose.yml

     user: "${UID}:${GID}"

    so your file could look like this

     php: # this is my service name
     user: "${UID}:${GID}" # we added this line to get a specific user / group id
     image: php:7.3-fpm-alpine # this is my image
 # and so on

  3. set the values in your .env file

     UID=1000
 GID=1001

3a. Alternatively you can extend your ~/.bashrc file with:

    export UID GID

to define it globally rather than defining it in a .env file for each project. If this does not work for you (like on my current distro, the GID is not set by this), use the following two lines:

    export UID=$(id -u)
    export GID=$(id -g)

Thanks @SteenSchütt for the easy solution for defining the UID / GID globally.

Now your user in the container has the id 1000 and the group is 1001 and you can set that differently for every environment.

Note: Please replace the IDs I used with the user / group IDs you found on your host system. Since I cannot know which IDs your system is using I gave some example group and user IDs.

If you don't use docker-compose or want to know more different approaches to achieve this have a read through my source of information: https://dev.to/acro5piano/specifying-user-and-group-in-docker-i2e

If the volume mount folder does not exist on your machine, docker will create it (with root user), so please ensure that it already exists and is owned by the userid / groupid you want to use.

I add an example for a dokuwiki container to explain it better:

version: '3.5'
services:
  dokuwiki:
    user: "${UID}" # set a specific user id so the container can write in the data dir
    image: bitnami/dokuwiki:latest
    ports:
      - '8080:8080'
    volumes:
      - '/home/manuel/docker/dokuwiki/data:/bitnami/dokuwiki/'
    restart: unless-stopped
    expose:
      - "8080"

The dokuwiki container will only be able to initialize correctly if it has write access to the host directory /home/manuel/docker/dokuwiki/data.

If on startup this directory does not exist, docker will create it for us but it will have root:root as user & group. --> Therefore, the container startup will fail.

If we create the folder before starting the container

mkdir -P /home/manuel/docker/dokuwiki/data

and then check with

ls -nla /home/manuel/docker/dokuwiki/data| grep ' \.$'

which uid and gid the folder has - and check that they match the ones we put in our .env file in step 3. above.

Upvotes: 115

mahemoff
mahemoff

Reputation: 46369

The bad news is there's no owner/group/permission settings for volume 😢. The good news is the following trick will let you bake it into your config, so it's fully automated 🎉.

In your Dockerfile, create an empty directory in the right location and with desired settings.

This way, the directory will already be present when docker-compose mounts to the location. When the server mounts during boot (based on docker-compose), the mounting action happily leaves those permissions alone.

Dockerfile:

# setup folder before switching to user
RUN mkdir /volume_data
RUN chown postgres:postgres /volume_data
VOLUME /volume_data
USER postgres

docker-compose.yml

volumes:
   - /home/me/postgres_data:/volume_data

source

Upvotes: 70

viiren
viiren

Reputation: 19

If your volumes create ownership issue then you might need to find your volume mount path by

cmd: docker volume ls

After that identify your volume name then inspect your mount path

cmd: docker volume inspect <volume name>

check your mount point there and go on mount point on your docker host machine.

where check ownership of volume by

cmd: ls -l

if it's suggest root:root then change owneship here to your docker user.

cmd: chown docker_user_id:docker_group_id -R volume_path

Note: you can find your docker user id & user group id by entering into your docker bash & hit "id" cmd.

cmd: docker-compose run --rm <container_name> bash
cmd: id
output: uid=102(www-data) gid=102(www-data) groups=102(www-data)

Find similar thread here. https://www.hamaraweb.com/sms/407/docker-volume-ownership-issue-errno-13-permission-denied-bgb6ld/

Upvotes: 1

Arne L.
Arne L.

Reputation: 2320

First determine the uid of the www-data user:

$ docker exec DOCKER_CONTAINER_ID id
uid=100(www-data) gid=101(www-data) groups=101(www-data)

Then, on your docker host, change the owner of the mounted directory using the uid (100 in this example):

chown -R 100 ./

Dynamic Extension

If you are using docker-compose you may as well go for it like this:

$ docker-compose exec SERVICE_NAME id
uid=100(www-data) gid=101(www-data) groups=101(www-data)
$ chown -R 100 ./

You can put that in a one-liner:

$ chown -R $(docker-compose exec SERVICE_NAME id -u) ./

The -u flag will only print the uid to stdout.

Edit: fixed casing error of CLI flag. Thanks @jcalfee314!

Upvotes: 41

Yaakov Klein
Yaakov Klein

Reputation: 151

Set user www-data for this compose service

    user: "www-data:www-data"

Example:

 wordpress:
    depends_on:
      - db
    image: wordpress:5.5.3-fpm-alpine
    user: "www-data:www-data"
    container_name: wordpress
    restart: unless-stopped
    env_file: 
      - .env
    volumes:
      - ./wordpress/wp-content:/var/www/html/wp-content
      - ./wordpress/wp-config-local.php:/var/www/html/wp-config.php

Upvotes: 7

John
John

Reputation: 1808

Adding rw to the end of the volume mount worked for me:

services:
    httpd:
        image: apache-image
        ports:
            - "80:80"
        volumes:
            - "./:/var/www/app:rw"
        links:
            - redis
        command: /setupApacheRights.sh

Upvotes: 14

Related Questions