When starting a container through a ddev project, the user id and primary group id are replicated from the host into the container. How can I also replicate the group ids for the secondary groups in the container? I believe this is done with the --group-add parameter in docker, but I am not sure how to use that parameter from within ddev.
ddev version returns:
DDEV version v1.22.2
docker 24.0.5
docker-compose v2.21.0
docker-platform Ubuntu 22.04.3 LTS
I am running a drupal project on ddev under account userA in dir: /home/userA/drupal
The contents of /home/userA/drupal/.ddev/docker-compose.mounts.yaml are:
services:
  web:
    volumes:
      - /media/userB/resources:/var/www/html/private:rw
The intention is to be able to write to /media/userB/resources from the drupal instance.
On the host, id gives:
uid=1000(userA) gid=1003(userA) groups=1003(userA),1008(userB)
and the resources dir has group write permissions, so this works:
touch /media/userB/resources/test
From within the container, I managed to create a group with the correct group id with: groupadd -r userB -g 1008. I then tried to add the container user to it with: usermod -a -G userB userA, but that does not seem to work.
In the container, id gives:
uid=1000(userA) gid=1003(userA) groups=1003(userA)
so this does not work:
touch /var/www/html/private/test
The account for userB is a dummy account and all users have access to it, the setup is isolated from the web and I am running ddev as a mini production solution.
Just adding another observation: userA on host can touch files within the mounted dir and outside it. userA on container can touch files only outside the mounted dir. userA on container cannot delete a file in the mounted directory created by userA while on host.
2 Answers
Thanks to @rfay for the comment which led to this answer:
Add a new yaml file:
/home/userA/drupal/.ddev/docker-compose.groups.yaml
with contents:
then restart ddev and check permissions in the container:
uid=1000(userA) gid=1003(userA) groups=1003(userA),1008(userB)
and files can be touched in userB's directory.
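To show the shape of such an override, here is an added example (not the answer's own file) of a ddev docker-compose override using the Compose group_add key, which is the compose-file equivalent of docker's --group-add; it assumes the web service name and the gid 1008 from the question. The membership is applied when docker creates the container, so it survives ddev restart, unlike a usermod run inside a disposable container.

```yaml
# Added example, not the answer's own file.
# Assumed path: /home/userA/drupal/.ddev/docker-compose.groups.yaml
# Assumed service name "web" and gid 1008 (taken from the question), then: ddev restart
services:
  web:
    # Supplementary group for the container's user, given by numeric gid.
    # The kernel compares numeric ids on the bind mount, so a matching group
    # name inside the container is not required for the permission check.
    # Quoted so YAML passes it through as a string.
    group_add:
      - "1008"
```

After restarting, id inside the container should list 1008 among the groups, and the touch in the mounted directory should succeed.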
I didn’t find any complexity in this, although I was surprised to see docker mount with a different group name than I expected. I used Ubuntu 22.04 and DDEV v1.22.3, and Docker 24.0.6 although any Debian/Ubuntu and any DDEV version and any recent Docker would have had the same results.
/media/junk
which has a few files in it. The directory and all files are owned by junk and group junk:
docker-compose.mounts.yaml:
ddev restart
Now when you ddev ssh and cd /var/www/html/private you will see this:
I am able to touch a file inside the container without trouble.
I didn’t make any changes at all to users inside the container.
Again, I don’t think this is probably a great idea, and you’d be a lot better off just copying what you need off of that mount and using it from your own user.