TrafeX / docker-php-nginx

Docker image with PHP-FPM 8.3 & Nginx 1.24 on Alpine Linux
https://hub.docker.com/r/trafex/php-nginx
MIT License

[Question] Turn off "nobody" user #152

Closed fikusz01 closed 6 months ago

fikusz01 commented 9 months ago

Hi!

First of all, thanks for the nice work! Good and straightforward configuration!

I'm trying to customize it, and I want to use this container as root while I'm developing the fully customized configuration. When I turn off the Dockerfile lines using "nobody" commands, nginx and php-fpm stop communicating. I tried to replace "nobody" with "root" in the commands everywhere, but I'm still not getting a response from the web server.

How is it possible to configure the container as root?

Thanks in advance!

imp1sh commented 9 months ago

I'm having a similar problem where I want to update a WordPress instance running within the container. As the webserver is running as nobody, it also has no way to write to the mounted folder. I would also need some method to circumvent the nobody situation.

TrafeX commented 9 months ago

Hi @fikusz01 & @imp1sh,

What are you trying to achieve that requires running PHP-FPM as root? It's normal behavior that PHP-FPM is running under a non-root user; this is not something I'm configuring in this Docker container but is already set up in the default configuration of PHP-FPM.

If you want PHP-FPM to write in a mounted folder (via docker-compose), you need to make sure that the UID of the owner of the mount is the same as the UID of the user that is running PHP-FPM. There are lots of good articles on this subject. But ideally, you should try to avoid having PHP-FPM write in a folder on a volume. Make sure that things like cache are stored outside the volume. That avoids permission issues and is faster.

fikusz01 commented 9 months ago

Hi!

Thanks for the answer! My only goal is to have two instances: one with nobody and another one with root access. During the development phase it's more convenient for me to be root on containers. Easier debug, install, etc. My host machine is Windows, and I like to use mc on containers, but with the nobody user it can't start no matter how I try, complaining about lack of permission creating some directory, but it has the permission. Now I'm using the container with mounted volumes/files to get access to them.

TrafeX commented 9 months ago

Hi,

You should still be able to access the container as root, for example: docker exec -ti -u root <container> sh

fikusz01 commented 8 months ago

Thank you very much! Works perfectly!

huankong233 commented 8 months ago

What I want to achieve is to map the path to the container. If the folder is empty, copy the project folder to the mapped path. However, the permissions of the mapped path belong to the host, so the permissions are for the root user. I cannot copy files. I need to make the permissions of the container root, what should I do?

TrafeX commented 7 months ago

Hi @huankong233,

Can you add an example of what you're executing to achieve this? I'm not sure yet what you're trying to do.

ncovercash commented 7 months ago

@TrafeX not strictly part of this question, but I've got a similar issue. I'm containerizing a PHP site which writes user uploads (images, etc) to a directory; preferably, this directory would be exposed as a docker volume. However, php-fpm runs as nobody, and I can't seem to grant nobody the necessary permissions on the directory.

Here's how I overcame this (I don't love this solution and would love feedback on how to do this better, but I thought I'd share for others with similar issues):

I didn't want to run everything as root, so I created a user www-data.

  # Create www-data user -- for some reason, the group already existed
  # We use UID 1000 to match the host user (so volume permissions automatically line up).
  #   I don't like this, it feels like it shouldn't be something hardcoded, but I haven't found a better option
  RUN adduser -D -u 1000 --ingroup www-data www-data

  # Make sure files/folders needed by the processes are accessible when they run under the nobody user
  # Same as original Dockerfile
  RUN chown -R www-data:www-data /var/www/html /run /var/lib/nginx /var/log/nginx

  # Run supervisor as www-data so nginx and such are spawned by www-data, too.
  USER www-data

  # Respecify command to run supervisor. Seems weird that I have to include this,
  # but otherwise it just runs as root
  CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

huankong233 commented 7 months ago

> Hi @huankong233,
>
> Can you add an example of what you're executing to achieve this? I'm not sure yet what you're trying to do.

demo here

TrafeX commented 6 months ago

@ncovercash that solution is indeed what I was referring to in an earlier reply. You match the UID in the container to the UID on the host system that owns the volume. You can also change the UID of the nobody user to achieve this, but what you're doing is working as well :+1:

@huankong233 You could take a look at https://github.com/TrafeX/docker-php-nginx/issues/152#issuecomment-1829070473 that might solve it for you as well. If not, please open a new issue because I'll close this one.
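
The UID-matching rule discussed in this thread (the owner of the mounted directory must match the user PHP-FPM runs as) can be checked before the services start. The script below is an added example, not code from the thread or from the docker-php-nginx project; `write_class` and `mount_report` are hypothetical helper names, and it assumes GNU or BusyBox `stat`.

```shell
#!/bin/sh
# Added example: decide from ownership and mode bits whether a UID/GID can
# write to a mounted directory. Ignores ACLs, supplementary groups and
# read-only mounts; assumes GNU or BusyBox stat (-c).

# write_class DIR UID GID
# Prints root|owner|group|other when writing is allowed, "denied" otherwise.
write_class() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] || { echo "missing"; return 2; }
    set -- $(stat -c '%u %g %a' "$dir")
    own_uid=$1; own_gid=$2; mode=$((0$3))   # leading 0: parse as octal

    if [ "$uid" -eq 0 ]; then
        echo "root"; return 0               # root bypasses the mode bits
    elif [ "$uid" -eq "$own_uid" ]; then
        class=owner; bit=$(( (mode >> 7) & 1 ))
    elif [ "$gid" -eq "$own_gid" ]; then
        class=group; bit=$(( (mode >> 4) & 1 ))
    else
        class=other; bit=$(( (mode >> 1) & 1 ))
    fi
    if [ "$bit" -eq 1 ]; then echo "$class"; return 0; fi
    echo "denied"; return 1
}

# mount_report DIR [UID] [GID]
# One-line diagnosis, defaulting to the user the script itself runs as.
mount_report() {
    dir=$1; uid=${2:-$(id -u)}; gid=${3:-$(id -g)}
    if verdict=$(write_class "$dir" "$uid" "$gid"); then
        echo "OK: $uid:$gid can write to $dir (via $verdict)"
    else
        owner=$(stat -c '%u:%g' "$dir" 2>/dev/null || echo "?")
        echo "FAIL: $dir is owned by $owner, process runs as $uid:$gid"
        return 1
    fi
}
```

Run as the same user as PHP-FPM, `mount_report /var/www/html` reports whether that user can write to the mounted path or which owner UID the container user would have to match.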