I want to run apache in a docker container as the same user as the one I’m using on my host system. That way I own the files on my host to edit them, and apache (PHP) can create folders etc.
EDIT: I got the sed command to work by changing it a little:
RUN sed -rie 's|export APACHE_RUN_USER=.*|export APACHE_RUN_USER=wipster|g' /etc/apache2/envvars
RUN sed -rie 's|export APACHE_RUN_GROUP=.*|export APACHE_RUN_GROUP=wipster|g' /etc/apache2/envvars
But when checking by using top, apache is still running as www-data.
My Dockerfile:
FROM php:7.2-apache
RUN adduser wipster --disabled-password --disabled-login --gecos ""
ENV APACHE_RUN_USER wipster
ENV APACHE_RUN_GROUP wipster
RUN sed -i "s#APACHE_RUN_USER:=.*#APACHE_RUN_USER:=wipster}#" /etc/apache2/envvars \
    && sed -i "s#APACHE_RUN_GROUP:=.*#APACHE_RUN_GROUP:=wipster}#" /etc/apache2/envvars
RUN apt-get -qqy update \
    && apt-get install -y libjpeg-dev libpng-dev re2c libmcrypt-dev zlib1g-dev libssl-dev libc-client2007e-dev libkrb5-dev libcurl4-gnutls-dev libxml2-dev libxslt-dev libldap2-dev libssl-dev vim strace unzip g++
RUN touch /var/www/html/php-error.log
RUN chown wipster:wipster /var/www/html/php-error.log
RUN docker-php-ext-install bcmath mbstring mysqli pdo_mysql zip curl pcntl \
    && docker-php-ext-configure gd --with-jpeg-dir=/usr/lib \
    && docker-php-ext-install gd \
    && docker-php-ext-configure imap --with-imap-ssl --with-kerberos \
    && docker-php-ext-install imap \
    && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
    && docker-php-ext-install ldap
# Install xhprof from tideways.
RUN curl -L https://github.com/tideways/php-xhprof-extension/archive/v5.0-beta2.tar.gz | tar xz && \
    cd php-xhprof-extension-5.0-beta2/ && \
    phpize && \
    ./configure && \
    make && \
    make install
RUN yes | pecl install xdebug-2.7.2 \
    && pecl install redis \
    && docker-php-ext-enable redis xdebug opcache tideways_xhprof
# /usr/local/etc/php
ADD config/crm.php.ini /usr/local/etc/php/conf.d/
ADD config/xdebug.ini /usr/local/etc/php/conf.d/
ADD config/opcache.ini /usr/local/etc/php/conf.d/
ADD config/opcache-blacklist /usr/local/etc/php/
ADD config/xhprof.ini /usr/local/etc/php/conf.d/
RUN a2enmod headers expires deflate rewrite
# xdebug cli debugging
RUN export XDEBUG_CONFIG="remote_enable=1 remote_mode=req remote_port=9000 remote_host=192.168.1.144 remote_connect_back=0"
RUN export PHP_IDE_CONFIG="serverName=wipster-dckr"
EXPOSE 80
VOLUME ["/var/www"]
The problem is when I connect to the container via ssh and check /etc/apache2/envvars it still has www-data as the run user. I used the same Dockerfile on an Alpine Linux with the php:7.1-apache and it worked just fine. When I execute the sed command manually it does also work. Now I’m on an elementary os Juno with a slightly different image and the docker version is 18.09.7.
My docker-compose.yml:
version: "3"
networks:
  webnet:
services:
  web:
    image: wipster/relaunch:1
    depends_on:
      - db
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: '3.0'
          memory: 2000M
        reservations:
          cpus: '1.0'
          memory: 1000M
    volumes:
      - ../relaunch:/var/www/html:delegated
    ports:
      - 8000:80
    networks:
      - webnet
  db:
    image: mysql:5.7
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: '2.0'
          memory: 1000M
        reservations:
          cpus: '1.0'
          memory: 500M
    volumes:
      - db_data_wipster:/var/lib/mysql:delegated
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: wipster
      MYSQL_USER: root
      MYSQL_PASSWORD: root
    ports:
      - 3306:3306
    networks:
      - webnet
    command: mysqld --sql_mode="NO_ENGINE_SUBSTITUTION" --innodb-buffer-pool-size=536870912 --innodb-flush-method=O_DIRECT --innodb-flush-log-at-trx-commit=0
volumes:
  db_data_wipster:
Am I missing anything? Do I need to run the sed command later? That doesn’t work either.
3 Answers
You can verify the file is modified correctly by doing a grep:
And it indeed seems to make the change you intend:
You must ensure that the user in the image/container has the same uid as the user on your host system. Thus in the Dockerfile you must provide the --uid option to the adduser command:
Note that for the above to work the uid must not be in use by the docker image you’re deriving your image from.
For more information see Understanding how uid and gid work in Docker containers
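An added example, not part of the original answers: one way to apply the uid-matching advice above, with an explicit build failure when the requested uid or gid is already taken in the base image. The build arguments HOST_UID and HOST_GID and their default of 1000 are assumptions; the user name, base image and image tag are the ones from the question.

```dockerfile
FROM php:7.2-apache

# Host uid/gid are supplied at build time, for example:
#   docker build --build-arg HOST_UID="$(id -u)" \
#                --build-arg HOST_GID="$(id -g)" -t wipster/relaunch:1 .
# HOST_UID / HOST_GID are names chosen for this example; 1000 is only a default.
ARG HOST_UID=1000
ARG HOST_GID=1000

# Refuse to build if the base image already has an account or group with
# that id, rather than silently sharing an identity with it.
RUN if getent passwd "${HOST_UID}" >/dev/null; then \
        echo "uid ${HOST_UID} is already in use in the base image" >&2; exit 1; \
    fi \
 && if getent group "${HOST_GID}" >/dev/null; then \
        echo "gid ${HOST_GID} is already in use in the base image" >&2; exit 1; \
    fi \
 && addgroup --gid "${HOST_GID}" wipster \
 && adduser --uid "${HOST_UID}" --gid "${HOST_GID}" \
        --disabled-password --gecos "" wipster

# Same variables the question's Dockerfile sets; whether Apache picks them up
# depends on how the image's /etc/apache2/envvars reads them.
ENV APACHE_RUN_USER=wipster \
    APACHE_RUN_GROUP=wipster

# Build-time check: print the ids the account actually received.
RUN id wipster
```

With matching ids, files created by Apache on the bind-mounted directory are owned by the host user, so the mount does not need world-writable permissions.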
Just for a local development environment which will not be used elsewhere I just use a workaround.
I add my user, in this case “wipster”, to the group www-data and change the file rights of the group.
The problem might occur because the user and group are hard-coded in this particular image.