Open coolibre opened 2 months ago
Hi, buried in the documentation of the base image I support changing permissions for this exact use case. Have a peek here:
Hi, thank you very much, I didn't find that and it seems indeed very useful for me.
The uid of the nginx user is changing with USER_NGINX=50000. Unfortunately the gid update is not working in this exact case I need, as the script seems to have problems with the "-" in the groupname "WWW-DATA". The GROUP_WWW-DATA=50000 or GROUP_www-data=50000 is never replaced nor shown in the logs. Whereas when I experiment with GROUP_POSTGRES=50000 it works perfectly.
negative examples (GROUP_WWW-DATA and GROUP_www-data):
,---.
,--------.,--. ,--. ,---. ,--. ,--------.| |
'--. .--'`--',--.--. ,---. ,-| | ,---. / .-' | | '--. .--'| .'
| | ,--.| .--'| .-. :' .-. | | .-. || `-, | | | | | |
| | | || | \ --.\ `-' | ' '-' '| .-' | |.--.| | `--'
`--' `--'`--' `----' `---' `---' `--' `--''--'`--' .--.
'--'
Image: tiredofit/freescout | Version 1.17.61 Type 'image_changelog' for details
Repository/Documentation: https://github.com/tiredofit/docker-freescout/
If this image provides you value - Consider sponsoring my work for continued
development, timely updates, and feature requests. Commercial support available.
More Info: https://www.tiredofit.ca
2024-08-22.09:17:46 [DEBUG] ** [permissions] Enabling permissions features
2024-08-22.09:17:46 [DEBUG] ** [permissions] Changing user 'nginx' to uid '50000' from '80'
2024-08-22.09:17:46 [NOTICE] ** [monitoring] Container configured for monitoring with 'zabbix modern'
positive GROUP_POSTGRES
2024-08-22.09:06:59 [DEBUG] ** [permissions] Enabling permissions features
2024-08-22.09:06:59 [DEBUG] ** [permissions] Changing user 'nginx' to uid '50000' from '80'
2024-08-22.09:06:59 [DEBUG] ** [permissions] Changing group 'postgres' to gid '50000' from '70'
2024-08-22.09:06:59 [NOTICE] ** [monitoring] Container configured for monitoring with 'zabbix modern'
...
Interesting.
docker run -it -e DEBUG_PERMISSIONS=TRUE -e CONTAINER_GROUP_WWW_DATA=80 tiredofit/nginx:alpine-3.20
gives the following extra output:
2024-08-22.14:23:12 [DEBUG] ** [permissions] Enabling permissions features
2024-08-22.14:23:12 [DEBUG] ** [permissions] Changing group 'www_data' to gid '80' from ''
Changing CONTAINER_GROUP_WWW_DATA -> CONTAINER_GROUP_WWW-DATA creates zero output, as does CONTAINER_GROUP_WWWDATA.
Definitely the hyphen is breaking the group gid change procedure. Surprised this is coming up after 6 years (!) after introducing, but I am not at the same time.
I have a new version of all the base images which actually drop www-data and switch to a unified uid / gid that I have been sitting on for a couple of years it seems now and slowly inching towards release which would resolve. I'll see if I have time in near future to look at existing routines and issue a patch to accommodate for names with hyphens/-/ in them.
Problem is fixed here: https://github.com/tiredofit/docker-alpine/commit/1bfa4149f12705a9e98958cb736860530759f9e2 - I'll go ahead and run a rebuild of :latest for this image although it won't be a new versioned release.
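An added example, not part of the thread and not the image's own code: one way to resolve such settings against the group file, so that a hyphenated group is matched and a name that matches no group (the 'www_data' ... from '' case in the debug output above) is skipped instead of attempted. It reads NAME=VALUE lines because a name such as GROUP_WWW-DATA is not a valid shell identifier and cannot be expanded as a variable; the group file entries, the gid 82 for www-data and the function names are assumptions made for the illustration.

```shell
# Added example (not the image's code): map GROUP_<NAME>=<gid> settings to
# groups that really exist. All sample data below is constructed.
# resolve_group NAME GROUP_FILE: print the matching group name or return 1.
# Tries the lower-cased name, then the same name with '_' mapped to '-'.
resolve_group() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for candidate in "$want" "$(printf '%s' "$want" | tr '_' '-')"; do
        if awk -F: -v g="$candidate" '$1 == g { f = 1 } END { exit !f }' "$2"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# plan_group_changes GROUP_FILE: read NAME=VALUE lines (the format `env`
# prints) on stdin and report the change each one implies; changes nothing.
plan_group_changes() {
    while IFS= read -r line; do
        case $line in
            GROUP_*=* | CONTAINER_GROUP_*=*) ;;
            *) continue ;;
        esac
        name=${line%%=*}            # split on the first '=' only
        gid=${line#*=}
        key=${name#CONTAINER_}
        key=${key#GROUP_}
        case $gid in
            '' | *[!0-9]*) echo "skip $name: gid is not numeric"; continue ;;
        esac
        if group=$(resolve_group "$key" "$1"); then
            old=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$1")
            echo "$group $old $gid"
        else
            echo "skip $name: no such group"
        fi
    done
}

# demo: constructed /etc/group excerpt and constructed settings.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'root:x:0:' 'postgres:x:70:' 'www-data:x:82:' > "$tmp"
    printf '%s\n' 'GROUP_POSTGRES=50000' 'GROUP_WWW-DATA=50000' \
        'CONTAINER_GROUP_WWW_DATA=50000' 'GROUP_WWWDATA=50000' \
        'GROUP_POSTGRES=abc' | plan_group_changes "$tmp"
    rm -f "$tmp"
}
demo
```

Each output line is either `<group> <old gid> <new gid>` or a `skip` line with the reason, which makes a silently ignored setting visible in the startup log.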
Description of the feature: I need the possibility to dynamically specify the uid and gid of the nginx user e.g. NGINX_USER_UID=50000 and NGINX_GROUP_GID=500000.
Benefits of feature: streamlined configuration option as NGINX_USER is already available
Additional context: In an AWS EKS scenario I have the problem that freescout tries to modify the permissions of a volume which is based on CSI EFS dynamic provisioning.
When tiredofit/docker-freescout starts, one startup script tries to "chown -R /data nginx:www-data" which is reported with "operation not permitted" due to fixed uid gid in the AWS EKS CSI storage driver in combination with the PersistentVolumeClaim of the freescout container. So essentially the permission to chown the /data directory is only allowed for a user or group with id 50000 (specified during EFS provisioning).
As tracked here a workaround is to set the uid and gid of the user using the volume to the ones specified in the provisioning, nothing else works: https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/300#issuecomment-943683371
My workaround now is to change the uid and guid from a cont-init.d script, mounted into /etc/cont-init.d, running before the nginx setup. This seems promising and freescout starts without any error.
Log before:
Workaround log: