natuk

Reputation: 1

How can I add a secondary group to the user of the docker container with ddev?

When starting a container through a ddev project, the user id and primary group id are replicated from the host into the container. How can I also replicate the group ids for the secondary groups in the container? I believe this is done with the --group-add parameter in docker, but I am not sure how to use that parameter from within ddev.

ddev version returns:

DDEV version v1.22.2

docker 24.0.5

docker-compose v2.21.0

docker-platform Ubuntu 22.04.3 LTS

I am running a drupal project on ddev under account userA in dir:

/home/userA/drupal

The contents of /home/userA/drupal/.ddev/docker-compose.mounts.yaml are:

services:
  web:
    volumes:
      - /media/userB/resources:/var/www/html/private:rw

The intention is to be able to write to /media/userB/resources from the drupal instance.

On the host, id gives:

uid=1000(userA) gid=1003(userA) groups=1003(userA),1008(userB)

and the resources dir has group write permissions, so this works: touch /media/userB/resources/test

From within the container, I managed to create a group with the correct group id with: groupadd -r userB -g 1008. I then tried to add the container user to it with: usermod -a -G userB userA, but that does not seem to work.

In the container, id gives:

uid=1000(userA) gid=1003(userA) groups=1003(userA)

so this does not work: touch /var/www/html/private/test.

The account for userB is a dummy account and all users have access to it, the setup is isolated from the web and I am running ddev as a mini production solution.

Just adding another observation: userA on host can touch files within the mounted dir and outside it. userA on container can touch files only outside the mounted dir. userA on container cannot delete a file in the mounted directory created by userA while on host.

Upvotes: 0

Views: 1014

Answers (2)

natuk

Reputation: 1

Thanks to @rfay for the comment which led to this answer:

Add a new yaml file:

/home/userA/drupal/.ddev/docker-compose.groups.yaml

with contents:

services:
    web:
        group_add:
            - userB

then restart ddev and check permissions in the container:

uid=1000(userA) gid=1003(userA) groups=1003(userA),1008(userB)

and files can be touched in userB's directory.

Upvotes: 0
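As an added example (not code from the question or either answer), this POSIX shell script generates the docker-compose.groups.yaml described above from the host directory you intend to share: it reads the directory's numeric gid, refuses if the directory is not group-writable or if the invoking host user is not in that group (the container user only ever gets the host uid/gid, so group_add cannot grant more than the host user has), and writes group_add with the numeric gid rather than a group name. It assumes GNU coreutils stat (as on Ubuntu); the function names are my own.

```shell
#!/bin/sh
# Added example: generate .ddev/docker-compose.groups.yaml for a shared host
# directory. Uses the numeric gid so it works even if the container's
# /etc/group has no entry for the host group (the kernel compares numbers).
# Usage: write_ddev_group_add <host_dir> <ddev_project_dir>
set -eu

# Print the numeric gid owning <host_dir>; fail unless it is group-writable,
# since otherwise the container user would still get "Permission denied".
shared_dir_gid() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    perms=$(stat -c %A "$dir")              # e.g. drwxrwxr-x (GNU stat)
    case $perms in
        ?????w*) ;;                         # 6th character is the group w bit
        *) echo "$dir is not group-writable ($perms)" >&2; return 1 ;;
    esac
    stat -c %g "$dir"
}

# Succeed only if the current host user already belongs to <gid>.
host_user_in_group() {
    gid=$1
    for g in $(id -G); do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# Write the ddev override file and print its path.
write_ddev_group_add() {
    dir=$1
    project=$2
    gid=$(shared_dir_gid "$dir") || return 1
    host_user_in_group "$gid" || {
        echo "uid $(id -u) is not a member of gid $gid on the host" >&2
        return 1
    }
    mkdir -p "$project/.ddev"
    out="$project/.ddev/docker-compose.groups.yaml"
    printf 'services:\n  web:\n    group_add:\n      - "%s"\n' "$gid" > "$out"
    echo "$out"
}
```

After the file is written, ddev restart recreates the web container and id inside it should list the extra gid.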

rfay

Reputation: 12895

I didn't find any complexity in this, although I was surprised to see docker mount with a different group name than I expected. I used Ubuntu 22.04 and DDEV v1.22.3, and Docker 24.0.6, although any Debian/Ubuntu and any DDEV version and any recent Docker would have had the same results.

  • The directory you want to share needs to have group read and write permissions on the host. In my case I'm mounting the directory /media/junk which has a few files in it. The directory and all files are owned by junk and group junk:
rfay@ub-2204:~$ ls -lR /media/junk
/media/junk:
total 0
-rw-rw-r-- 1 junk junk 0 Sep 21 20:17 four.txt
-rw-rw-r-- 1 junk junk 0 Sep 21 20:15 one.txt
-rw-rw-r-- 1 junk junk 0 Sep 21 20:17 three.txt
-rw-rw-r-- 1 junk junk 0 Sep 21 20:15 two.txt
  • Now mount the files into your project. I used a variant of your docker-compose.mounts.yaml:
services:
  web:
    volumes:
      - /media/junk:/var/www/html/private:rw
  • ddev restart

  • Now when you ddev ssh and cd /var/www/html/private you will see this:

rfay@ub-2204:~/workspace/d9$ ddev ssh
rfay@d9-web:/var/www/html$ cd private/
rfay@d9-web:/var/www/html/private$ ls -l
total 0
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 four.txt
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 one.txt
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 three.txt
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 two.txt

rfay@d9-web:/var/www/html/private$ ls -ltd .
drwxrwxr-x 2 1002 rfay 4096 Sep 22 02:17 .
rfay@d9-web:/var/www/html/private$ touch something.txt
rfay@d9-web:/var/www/html/private$ ls -l
total 0
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 four.txt
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 one.txt
-rw-r--r-- 1 rfay rfay 0 Sep 22 02:33 something.txt
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 three.txt
-rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 two.txt

I am able to touch a file inside the container without trouble.

I didn't make any changes at all to users inside the container.

Again, I don't think this is probably a great idea, and you'd be a lot better off just copying what you need off of that mount and using it from your own user.

Upvotes: 0
