
When starting a container through a ddev project, the user id and primary group id are replicated from the host into the container. How can I also replicate the group ids for the secondary groups in the container? I believe this is done with the --group-add parameter in docker, but I am not sure how to use that parameter from within ddev.

ddev version returns:

DDEV version v1.22.2

docker 24.0.5

docker-compose v2.21.0

docker-platform Ubuntu 22.04.3 LTS

I am running a drupal project on ddev under account userA in dir:

/home/userA/drupal

The contents of /home/userA/drupal/.ddev/docker-compose.mounts.yaml are:

services:
  web:
    volumes:
      - /media/userB/resources:/var/www/html/private:rw

The intention is to be able to write to /media/userB/resources from the drupal instance.

On the host id gives:

uid=1000(userA) gid=1003(userA) groups=1003(userA),1008(userB)

and the resources dir has group write permissions, so this works: touch /media/userB/resources/test

From within the container, I managed to create a group with the correct group id with: groupadd -r userB -g 1008. I then tried to add the container user to it with: usermod -a -G userB userA, but that does not seem to work.

In the container id gives:

uid=1000(userA) gid=1003(userA) groups=1003(userA)

so this does not work: touch /var/www/html/private/test.

The account for userB is a dummy account and all users have access to it, the setup is isolated from the web and I am running ddev as a mini production solution.

Just adding another observation: userA on host can touch files within the mounted dir and outside it. userA on container can touch files only outside the mounted dir. userA on container cannot delete a file in the mounted directory created by userA while on host.

2 Answers


  1. Chosen as BEST ANSWER

    Thanks to @rfay for the comment which led to this answer:

    Add a new yaml file:

    /home/userA/drupal/.ddev/docker-compose.groups.yaml

    with contents:

    services:
        web:
            group_add:
                - userB

    then restart ddev and check permissions in the container:

    uid=1000(userA) gid=1003(userA) groups=1003(userA),1008(userB)

    and files can be touched in userB's directory.


  2. I didn’t find any complexity in this, although I was surprised to see docker mount with a different group name than I expected. I used Ubuntu 22.04 and DDEV v1.22.3, and Docker 24.0.6 although any Debian/Ubuntu and any DDEV version and any recent Docker would have had the same results.

    • The directory you want to share needs to have group read and write permissions on the host. In my case I’m mounting the directory /media/junk which has a few files in it. The directory and all files are owned by junk and group junk:
    rfay@ub-2204:~$ ls -lR /media/junk
    /media/junk:
    total 0
    -rw-rw-r-- 1 junk junk 0 Sep 21 20:17 four.txt
    -rw-rw-r-- 1 junk junk 0 Sep 21 20:15 one.txt
    -rw-rw-r-- 1 junk junk 0 Sep 21 20:17 three.txt
    -rw-rw-r-- 1 junk junk 0 Sep 21 20:15 two.txt
    
    • Now mount the files into your project. I used a variant of your docker-compose.mounts.yaml:
    services:
      web:
        volumes:
          - /media/junk:/var/www/html/private:rw
    
    • ddev restart

    • Now when you ddev ssh and cd /var/www/html/private you will see this:

    rfay@ub-2204:~/workspace/d9$ ddev ssh
    rfay@d9-web:/var/www/html$ cd private/
    rfay@d9-web:/var/www/html/private$ ls -l
    total 0
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 four.txt
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 one.txt
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 three.txt
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 two.txt
    
    rfay@d9-web:/var/www/html/private$ ls -ltd .
    drwxrwxr-x 2 1002 rfay 4096 Sep 22 02:17 .
    
    rfay@d9-web:/var/www/html/private$ touch something.txt
    rfay@d9-web:/var/www/html/private$ ls -l
    total 0
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 four.txt
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 one.txt
    -rw-r--r-- 1 rfay rfay 0 Sep 22 02:33 something.txt
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:17 three.txt
    -rw-rw-r-- 1 1002 rfay 0 Sep 22 02:15 two.txt
    

    I am able to touch a file inside the container without trouble.

    I didn’t make any changes at all to users inside the container.

    Again, I don’t think this is probably a great idea, and you’d be a lot better off just copying what you need off of that mount and using it from your own user.
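Putting the two answers together (rfay's host-side precondition that the directory is group-writable, and the accepted answer's `group_add` override), the script below is an added example, not code from the thread or from DDEV: it reads the numeric gid of the shared host directory, refuses to continue unless the group write bit is set, and writes a `docker-compose.groups.yaml` for the `web` service. It assumes GNU coreutils `stat` (as on the Ubuntu hosts in the thread) and uses the numeric gid rather than a group name, which Compose also accepts and which does not depend on a matching `/etc/group` entry inside the container.

```shell
#!/bin/sh
# Added example: generate a .ddev override that gives the web container's
# user the host directory's group as a supplementary group (group_add).
# Assumes GNU stat; paths below are the ones from the thread, but any
# directory and any .ddev directory can be passed in.
set -eu

# Numeric gid owning a path, e.g. 1008 for /media/userB/resources.
dir_gid() {
  stat -c '%g' "$1"
}

# Succeed only if the group write bit is set on the path. Inside the
# container the user is a foreign uid, so the group bits are the only
# permission it can be granted without changing ownership.
group_writable() {
  case "$(stat -c '%A' "$1")" in
    ?????w*) return 0 ;;   # position 5 of e.g. drwxrwxr-x is the group w bit
    *)       return 1 ;;
  esac
}

# Render the Compose override for the ddev web service.
render_groups_yaml() {
  printf 'services:\n  web:\n    group_add:\n      - %s\n' "$1"
}

# Write <ddev_dir>/docker-compose.groups.yaml for <dir>; echoes the gid used.
# Usage: gen_groups_override /media/userB/resources /home/userA/drupal/.ddev
gen_groups_override() {
  dir=$1
  ddev_dir=$2
  if ! group_writable "$dir"; then
    echo "refusing: $dir is not group-writable (chmod g+w it first)" >&2
    return 1
  fi
  gid=$(dir_gid "$dir")
  render_groups_yaml "$gid" > "$ddev_dir/docker-compose.groups.yaml"
  echo "$gid"
}
```

Every process in the web container inherits the added gid, so keep the shared directory's group scoped to that one directory rather than reusing a broader host group.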
