docker-library / php

Docker Official Image packaging for PHP
https://php.net
MIT License

Change www-data user/group id's? #1392

Closed duzenko closed 1 year ago

duzenko commented 1 year ago

Hi, how do I change www-data IDs to match my host user when creating a new container from the image?

This needs to happen automatically based on an environment variable. I know I can docker exec sh manually and change the IDs from there. But my problem is that I need to support automatic deployments as well. E.g. I don't have root access on our production server and need to use Plesk to manage docker containers.

duzenko commented 1 year ago

I have spent some time investigating this on the Internet and it seems that I need to put this into an entry point script. If so, how should I implement this with my Dockerfile based on php:fpm-alpine?

FROM php:fpm-alpine

RUN \
    apk --update add $PHPIZE_DEPS icu-dev libpng-dev libzip-dev linux-headers shadow \
    && pecl install xdebug \
    && docker-php-ext-enable xdebug \
    && docker-php-ext-install bcmath exif gd intl mysqli pdo_mysql zip \
    && rm -rf /var/cache/apk/*

I understand that if I try to `RUN usermod` in the Dockerfile then it will happen at the image build step, and this has to happen at container run.

tianon commented 1 year ago

You shouldn't need to change www-data's UID/GID; you should be able to just set USER/--user/user: to the exact UID/GID you're looking for (--user 1000:1000, for example).

See also "Running as an arbitrary user" on https://hub.docker.com/_/php

duzenko commented 1 year ago

@tianon I think you misunderstood. What you suggested with the -u switch changes IDs for the container's default user. But the php-fpm processes run under the www-data user, not root or the start script user. I do need to change the IDs for the php-fpm process user.

Please reopen.

duzenko commented 1 year ago

Hmm, actually, after a closer look the php processes actually run under the -u user. I suppose that solves it.

duzenko commented 1 year ago

@tianon The -u approach breaks emailing with this error: sendmail: Could not find password entry for UID 1000

For now I am resorting to changing the IDs via docker exec:

docker run --name cashare_php8 ...

docker exec -e UID=$(id -u) -e GID=$(id -g) cashare_php8 sh -c 'usermod --uid $UID www-data && groupmod --gid $GID www-data'

docker restart cashare_php8

I think this is too much scripting for such a simple issue - please advise

tianon commented 1 year ago

There's nothing simple about sendmail :joy:

If you want your www-data user to have a different UID than the one we package, I would recommend using a custom Dockerfile and changing it, as you've described above (which contrary to what you've stated above, will change it for the container, not just the image).

Unfortunately, we do not have the bandwidth to provide in-depth integration/deployment/environment debugging or support here; these sorts of questions/requests would be more appropriately posted to a dedicated support forum, such as the Docker Community Slack, Server Fault, Unix & Linux, or Stack Overflow.

duzenko commented 1 year ago

@tianon

If you want your www-data user to have a different UID than the one we package, I would recommend using a custom Dockerfile and changing it, as you've described above (which contrary to what you've stated above, will change it for the container, not just the image).

You're missing the point that the container user has to match the host user at the time of container start, not image build. E.g. with Plesk I don't have the luxury of docker exec and no root permissions on the server. The only way to pass this info on such a server is via docker environment variables, which won't work ATM since the user id is hardcoded to 82:

Unfortunately, we do not have the bandwidth to provide in-depth integration/deployment/environment debugging or support here; these sorts of questions/requests would be more appropriately posted to a dedicated support forum, such as the Docker Community Slack, Server Fault, Unix & Linux, or Stack Overflow.

Isn't this the right place to request features? AFAIK the best way to control such things is with environment variables in the docker entry point. The only alternative is to override the entrypoint in my Dockerfile but, again, it would benefit not just me but many people to be able to match container/host users - don't you think so?
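An added example, not code from this issue or from the docker-library/php project, of the entrypoint approach discussed above: the manual usermod/groupmod step from the docker exec commands earlier in the thread, moved into a wrapper entrypoint that runs once at container start and then hands off to the image's own docker-php-entrypoint. The script name docker-entrypoint-remap.sh, the environment variable names PUID/PGID/WEB_ROOT and the defaults are my assumptions; it relies on the shadow package (usermod/groupmod) that the poster's Dockerfile already installs. The environment variables are treated as untrusted input and accepted only as plain decimal numbers, so a value that looks like a command-line option can never reach usermod; the remap function takes an optional command prefix so its plan can be inspected (or tested) without root.

```shell
#!/bin/sh
# docker-entrypoint-remap.sh (hypothetical, not part of the official image):
# remap www-data's UID/GID from $PUID/$PGID at container start, re-own the
# web root, then exec the image's normal docker-php-entrypoint.
set -e

# Accept only a plain decimal number of at most ten digits (fits 32-bit IDs).
# PUID/PGID come from outside the container, so a value such as "--root /x"
# must be rejected here rather than passed to usermod as an option.
is_id() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ] && [ "$1" -le 4294967294 ]
}

# Move user $1 from UID $2 / GID $3 to UID $4 / GID $5.
# $6 is an optional command prefix: pass "echo" for a dry run that prints the
# commands instead of executing them. Does nothing when the IDs already match.
remap_user() {
    user=$1 cur_uid=$2 cur_gid=$3 new_uid=$4 new_gid=$5 run=${6:-}
    if [ "$cur_gid" != "$new_gid" ]; then
        $run groupmod --gid "$new_gid" "$user" || return 1
    fi
    if [ "$cur_uid" != "$new_uid" ] || [ "$cur_gid" != "$new_gid" ]; then
        # usermod fails if the target UID is already taken; that is desired,
        # because silently sharing a UID with another account would be worse.
        $run usermod --uid "$new_uid" --gid "$new_gid" "$user" || return 1
    fi
}

main() {
    if [ -n "${PUID:-}" ] || [ -n "${PGID:-}" ]; then
        if [ "$(id -u)" != 0 ]; then
            echo "remap: PUID/PGID set but not running as root; leaving www-data as is" >&2
        else
            cur_uid=$(id -u www-data)
            cur_gid=$(id -g www-data)
            new_uid=${PUID:-$cur_uid}
            new_gid=${PGID:-$cur_gid}
            if ! is_id "$new_uid" || ! is_id "$new_gid"; then
                echo "remap: PUID/PGID must be decimal numbers" >&2
                exit 1
            fi
            echo "remap: www-data $cur_uid:$cur_gid -> $new_uid:$new_gid" >&2
            remap_user www-data "$cur_uid" "$cur_gid" "$new_uid" "$new_gid"
            # usermod only fixes ownership inside the home directory; files under
            # the web root (assumed default /var/www/html) still carry the old
            # numeric IDs, so re-own them. -xdev keeps find off bind mounts.
            if [ "$cur_uid" != "$new_uid" ] || [ "$cur_gid" != "$new_gid" ]; then
                find "${WEB_ROOT:-/var/www/html}" -xdev \
                    \( -user "$cur_uid" -o -group "$cur_gid" \) \
                    -exec chown -h "$new_uid:$new_gid" {} +
            fi
        fi
    fi
    # Hand off to the image's own entrypoint (the "php-fpm" CMD etc.).
    exec docker-php-entrypoint "$@"
}

# Only run the remap when executed as the container entrypoint, so the
# functions above can also be sourced and checked on their own.
case "${0##*/}" in
    docker-entrypoint-remap.sh) main "$@" ;;
esac
```

Usage in the custom Dockerfile from this thread: COPY docker-entrypoint-remap.sh /usr/local/bin/ (executable), then ENTRYPOINT ["docker-entrypoint-remap.sh"] and CMD ["php-fpm"]; at run time pass -e PUID=$(id -u) -e PGID=$(id -g). Because the php-fpm master already starts as root in the official image and only its workers run as www-data, the remap happens before any worker is forked; if the container is started with --user the script simply skips the remap and logs why.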

yosifkit commented 1 year ago

Unfortunately, we do not want to add features like environment variables that repeat features that are already covered by the docker run interface, like the --user flag.


You might be able to add a --mount type=bind,source=/etc/passwd,target=/etc/passwd,readonly=true to fix the "Could not find password entry" error and then run the container with --user="$(id -u):$(id -g)", or even with the host user and group name since it would be using the host /etc/passwd to resolve the IDs.

tianon commented 1 year ago

Another option you could try would be a tool like https://cwrap.org/nss_wrapper.html to fake the values from the system call directly.

duzenko commented 1 year ago

Unfortunately, we do not want to add features like environment variables that repeat features that are already covered by the docker run interface, like the --user flag.

You might be able to add a --mount type=bind,source=/etc/passwd,target=/etc/passwd,readonly=true to fix the "Could not find password entry" error and then run the container with --user="$(id -u):$(id -g)", or even with the host user and group name since it would be using the host /etc/passwd to resolve the IDs.

I don't think Plesk allows running containers under custom users

Another option you could try would be a tool like https://cwrap.org/nss_wrapper.html to fake the values from the system call directly.

Same here