On Linux Containers Expect UID/GID of 1000 Otherwise Cause Permissions Trouble

[davidalger]

On most Linux systems (and inside Docker Desktop VM on macOS) the default UID/GID of 1000 is used for the first non-system account created. Due to this, the fpm containers Warden uses tie the www-data user to UID 1000 and GID 1000 so that permissions will work. This is inflexible and will not work, for example, where the user account on the Linux environment used by a developer uses a non-1000 UID.

@aepod passed along the following script as a possible reference point on how to achieve solving this inflexibility in the entrypoint scripts: https://github.com/sudo-bmitch/run-as-user/blob/master/entrypoint.sh

In order to make the containers used more flexible, the stuff in the Dockerfile setting up the www-data user will need to be updated and/or moved to the entrypoint: https://github.com/davidalger/warden/blob/develop/images/php-fpm/Dockerfile#L35-L45 and two places in existing entrypoint which will need to be made flexible: https://github.com/davidalger/warden/blob/develop/images/php-fpm/context/docker-entrypoint

[davidalger]

Stumbled across the following used by code-server images and it looks potentially very useful here: https://github.com/boxboat/fixuid

[kenbradleywhite]

Hey, I'm encountering exactly this issue as my host user is UID/GID 1002.

I'm working around this every time I spin up the containers by bashing into the PHP container and running:

sudo groupmod -g 1002 www-data
sudo usermod -u 1002 www-data

Once I exit and bash back in, the commands work with the right permissions

But because PHP-FPM itself is already running, that's still running as uid 1000 so I still need to fight with permissions.

Refreshing static content on Magento requires:

sudo rm -rf pub/static/frontend/* var/view_preprocessed/*; bin/magento cache:clean; bin/magento s:s:d en_GB -f; sudo chown -R www-data:www-data pub/static/; sudo chmod -R 777 pub/static/

I have two questions:

• Is there a plan to resolve this problem with Warden?
• Is there a workaround I can apply to make sure the container is started as user 1002, even if I have to hardcode this?

[davidalger]

Is there a plan to resolve this problem with Warden?

Eventually, yes. :) It's going to take some critical thinking through image changes, and possibly some other things to ensure it doesn't only solve the issue on Linux, but maintains existing functionality on Mac OS environments. There is no ETA however, as I haven't found the time to dedicate to resolving it yet. I may take a renewed look at it if more folks begin to run into this being the only big show stopper issue for them.

[stale]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[davidhiendl]

This problem is even more severe if you don't have o+rX permissions on files as nginx seems to run with uid/gid 101.
This requires me to constantly update permissions on files to o+rX when triggering stylesheet compilation (gulp sass).

Would you accept a pull request with an update to the nginx container to run with the same pid/gid as php-nginx (1000)?

Edit: A simple workaround seems to be to create a new user with uid/gid 1000 and add nginx to this group:

docker exec -ti envname_nginx_1 bash
# ...
useradd app
usermod nginx -aG app
kill 1
# ... this will result in the container dying
warden env up

Edit 2: Perhaps a general (and quite simple) workaround is to add a variable to env allowing a user/group id to be specified which php and nginx container users are added to.

[bmelman]

Considered using warden on Ubuntu but apparently this is not working. Almost all of the docker environments that also work on linux have a configurable uid/gid in a .env file, and using these to set www-data to configured uid/gid.
nice examples here: https://jtreminio.com/blog/running-docker-containers-as-current-host-user/
I ended up with using this in Dockerfile for php/nginx/cli:

ARG USER_ID
ARG GROUP_ID

RUN if [ ${USER_ID:-0} -ne 0 ] && [ ${GROUP_ID:-0} -ne 0 ]; then \
    userdel -f www-data &&\
    if getent group www-data ; then groupdel www-data; fi &&\
    groupadd -g ${GROUP_ID} www-data &&\
    useradd -l -u ${USER_ID} -g www-data www-data \
;fi

[viral8421]

I also have the same issue when I make the environment down or up.

So what I'll do spin up the environment with warden env up command I'll firstly run the below command to make uid as the host system.

sudo usermod -u 1001 www-data
sudo groupmod -g 1001 www-data

After that i'll finally run the chown permission fix command to make same uid/gid for host and docker php-fpm user

and then I'll only use warden env stop and warden env start to reuse the same containers.

@davidalger is there any quick fix you might have that we can implement like with .warden/warden-env.yml also I've not configured the rootless method for docker can it help me?

[ortoDev]

It's still an issue on Ubuntu 22.04