richarvey / nginx-php-fpm

Nginx and php-fpm for dockerhub builds
https://hub.docker.com/repository/docker/richarvey/nginx-php-fpm/general
GNU General Public License v3.0
1.66k stars 852 forks

Host directory owner changes #73

Closed nclavaud closed 7 years ago

nclavaud commented 8 years ago

When mapping a host directory to the container volume /var/www/html, the owner of the host directory changes. This is annoying, because any update to the code will require changing the owner back.

$ ls -n
drwxrwxr-x 2 1000 1000 4096 sept. 13 22:04 src

$ docker run -d -v $PWD/src:/var/www/html richarvey/nginx-php-fpm
3d7321f9fba01f7ff36970b7525b840e24f36af0ff66d07e21a1814e64b84d09

$ ls -n
drwxrwxr-x 2  100  101 4096 sept. 13 22:04 src

I guess this is because of https://github.com/ngineered/nginx-php-fpm/blob/8137d2d0c5e1b9afa36ba2781a027184dc46ad4b/scripts/start.sh#L92-L93

Is it expected behavior, or am I missing something?

richarvey commented 8 years ago

Yeah, it's expected behaviour, as it allows the web server to write to the directory if you're uploading files or plugins like WordPress etc.

I could add a flag to stop change of ownership if you think it would be useful.

Ric

virtuman commented 7 years ago

Wouldn't it be better to use best practices with GID and UID mapping? I.e. create a user and group with specified IDs, if IDs are defined in environment vars.

Sample implementation:
https://github.com/sameersbn/docker-gitlab#host-uid--gid-mapping
https://github.com/sameersbn/docker-gitlab/search?utf8=%E2%9C%93&q=USERMAP_GID

virtuman commented 7 years ago

In the case of your image, the easiest would be something like:

ENV USERMAP_UID=101
ENV USERMAP_GID=100

addgroup -g "$USERMAP_GID" nginx && \
useradd -g "$USERMAP_GID" -u "$USERMAP_UID" nginx && \

But the more complete example is here, nice way of handling it, although, handling it from Dockerfile seems more than sufficient: https://github.com/27Bslash6/docker/blob/master/nginx-pagespeed/bin/add_user.sh

virtuman commented 7 years ago

And it's still beneficial to have an ability to bypass the ownership change, i.e. WordPress would have only a few folders writable by the php-fpm user, and the rest should be read-only.

aamche commented 7 years ago

Docker also has the --user flag when creating containers. Is it possible to map to that? Then there would be no need to add extra variables, and we could use Docker functionality.

hsklia commented 7 years ago

Please fix this issue

richarvey commented 7 years ago

Has anyone got a working pull request for this? We'll need to change the running user of nginx and php-fpm also.

Ric

royrico commented 7 years ago

Running into this issue too.

Here's a possible solution: create a completely new user based upon the user and group IDs passed into the container, and have NGINX run as that user.

based upon example here: https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/10-adduser#L19

so from your docker.sh file you'd have

docker run -d -p 80:80 -e PGID=1000 -e PUID=1000 ...

If you think this solution is appropriate, I can take a stab at implementing this, then submit a PR.
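Added example, not part of the thread or of the project's commit: the PUID/PGID mapping proposed above, combined with the earlier point that only a few folders should be writable, as a POSIX shell function that validates the IDs and prints the commands an entrypoint would run. `valid_id`, `plan_remap` and `WRITABLE_DIRS` are hypothetical names, and `groupmod`/`usermod` assume the shadow package is installed in the image.

```shell
#!/bin/sh
# Added example (not the project's code). PUID/PGID are the variables proposed
# in the thread; valid_id, plan_remap and WRITABLE_DIRS are hypothetical names.

# Accept only decimal IDs in 1..65534: rejects empty values, shell
# metacharacters, and 0 (which would map the web server user to root).
valid_id() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ "$1" -le 65534 ]
}

# Print the commands an entrypoint would run as root; nothing is executed.
# $1=PUID $2=PGID $3=web root $4=space-separated writable subdirectories
plan_remap() {
    puid=$1; pgid=$2; root=$3; writable=${4:-}
    if ! valid_id "$puid" || ! valid_id "$pgid"; then
        echo "refusing PUID='$puid' PGID='$pgid'" >&2
        return 1
    fi
    # Give the existing nginx user the host's IDs (shadow's groupmod/usermod;
    # -o allows an ID that is already in use inside the image).
    echo "groupmod -o -g $pgid nginx"
    echo "usermod -o -u $puid nginx"
    # With matching IDs the bind mount keeps its host owner, so only the
    # listed subdirectories are chown-ed, never the whole tree.
    set -f                      # no glob expansion of the list
    for d in $writable; do
        case "$d" in
            /*|*..*|*[!A-Za-z0-9._/-]*)
                echo "skipping unsafe path '$d'" >&2; continue ;;
        esac
        echo "chown -R nginx:nginx $root/$d"
    done
    set +f
    return 0
}

# Demo with constructed defaults; a real entrypoint would execute the plan.
plan_remap "${PUID:-1000}" "${PGID:-1000}" /var/www/html \
    "${WRITABLE_DIRS:-wp-content/uploads}"
```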

richarvey commented 7 years ago

I'm going to check this out in the morning and get it merged

richarvey commented 7 years ago

Commit 4cfc4cb998f4b981ff5b5b97d37111dc7a874dd4 fixes this, enjoy!