docker
Allow the UID/GID to be changed
I have a CIFS/SMB volume mounted on my docker host, accessed by many of my containers. For all the other containers, I can specify a UID/GID in the docker-compose file so that they have read/write access to this volume. How do you specify the UID/GID for NextCloud? As it stands, it can read the volume but doesn't have write access. Thanks
I see in the instructions that you can do the following:
docker exec --user www-data CONTAINER_ID php occ
But how do you specify the user in the docker-compose.yml file?
There is currently no way to change the UID and GID. I think this is supported by the parent image. But the entrypoint script does not properly support it.
Ping!
This should be possible. This works for me:
docker run --user 1234 -p 8080:80 --sysctl net.ipv4.ip_unprivileged_port_start=0 nextcloud
@tilosp Thanks for your comment. Unfortunately I don't seem able to reproduce this.
My host system has a user with the ID 1000. When I run the following command, the files created in /storage/docker/nextcloud/config belong to www-data:root.
docker run \
  -d \
  --user 1000 \
  --name=nextcloud \
  --network=private-network \
  -e NEXTCLOUD_DATA_DIR=/data \
  -v /storage/docker/nextcloud/config:/var/www/html \
  -v /storage/docker/nextcloud/data:/data \
  nextcloud
Are you sure this worked on your end?
@caillou I'm using the suggestion by @tilosp via docker-compose. I can confirm that files uploaded to Nextcloud get the UID/GID as set in docker-compose.yaml. However, I converted an existing installation to this and didn't try upgrading the container to a newer version yet, so I cannot say anything about what permissions Nextcloud's own files will receive then.
When I use the user: "${uid}:${guid}" field in a compose file with docker swarm (sudo docker stack deploy --compose-file...) I get permission errors:
Initializing nextcloud 15.0.6.1 ...
rsync: mkstemp "/var/www/html/config/.htaccess.oCsWlP" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.apache-pretty-urls.config.php.1OjgZw" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.apcu.config.php.qFhACe" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.apps.config.php.lijUfW" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.autoconfig.php.EgpeTD" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.config.sample.php.toAywl" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.redis.config.php.ahOV92" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1196) [sender=3.1.2]
Running image: nextcloud:apache container as well as a separate one with the .cron entry-point; volumes are just named volumes created on up.
@marianrh
> I can confirm that files uploaded to Nextcloud get the UID/GID as set in docker-compose.yaml.
Can you tell me how you set the UID/GID in docker-compose?
@mabushey Sure, this is the docker-compose file I'm using:
version: "3.3"
services:
  nextcloud:
    image: nextcloud:15.0.6-apache
    dns:
      - <...>
      - <...>
    user: 5003:5003
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0 # Allow an unprivileged user to listen on any port (https://github.com/nextcloud/docker/issues/359)
    ports:
      - 8092:80
    volumes:
      - /applications/nextcloud:/var/www/html
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: <...>
Of course, the directory on the host system has to have the proper owner set.
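An added pre-flight check, not code from this thread, for the host-side requirement marianrh points out: given the compose user: value and a bind-mount source directory, it reports whether the directory's numeric owner matches before the container is started. The function name is my own; only POSIX ls -n and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-flight check that a bind-mounted
# host directory is owned by the UID:GID given in the compose "user:" field.
# Run it before "docker compose up" to catch the root:root / www-data:root
# mismatches reported in this thread. Function name is my own.

# check_mount_owner UID:GID DIR
# returns 0 on match, 1 on mismatch, 2 on a missing dir or a bad spec
check_mount_owner() {
    spec="$1"; dir="$2"
    case "$spec" in
        *:*) want="$spec" ;;
        *)  echo "BADSPEC  '$spec': give UID:GID explicitly; a bare UID leaves the group to docker's default"
            return 2 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (create it first; otherwise docker creates it as root:root)"
        return 2
    fi
    # ls -n prints the numeric owner and group in fields 3 and 4
    have="$(ls -nd "$dir" | awk '{print $3 ":" $4}')"
    if [ "$have" = "$want" ]; then
        echo "OK       $dir is owned by $have"
        return 0
    fi
    echo "MISMATCH $dir is owned by $have but compose user: is $want"
    echo "         fix: chown -R $want $dir (the container matches on UIDs, not names)"
    return 1
}

# Demo against a scratch directory owned by the current user.
demo=$(mktemp -d)
check_mount_owner "$(id -u):$(id -g)" "$demo"
check_mount_owner "$(( $(id -u) + 1 )):$(id -g)" "$demo" || true
check_mount_owner "$(id -u):$(id -g)" "$demo/missing" || true
```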
Thanks @marianrh. I added this to the nextcloud config:
user: 1000:1000
sysctls:
  - net.ipv4.ip_unprivileged_port_start=0
(BTW the comment on the sysctls entry just refers to this thread)
Removing the config directory and running docker-compose up -d results in a config dir (mapped - "/home/michael/docker/nextcloud:/var/www/html") that's root:root instead of www-data:root. I'm looking for michael:michael (1000:1000). I'm running MySQL outside of docker on the same box with the jwilder & lets encrypt companion Nginx proxy.
Does the dns / networks have some part in this?
I was able to set mapall=michael on the ZFS share property on the FreeBSD NFS server and it seems to be working just fine with Nextcloud running as www-data.
Hi there!
For those who are using Swarm like me, the sysctls option is not supported... Keeping in mind that the only thing that crashes when starting up under another username is the apache2 process, I've mapped the following volumes:
volumes:
  - nextcloud_apache_ports:/etc/apache2/ports.conf
  - nextcloud_apache_default:/etc/apache2/sites-enabled/000-default.conf
And, of course, local files have been changed to use port 20080 instead of port 80.
I'm installing this image on a Synology NAS and wanted to manage the UID/GID for NextCloud. Synology does not allow users to have ids below 1024 so the existing UID/GID of 33 was problematic to my use case.
This wasn't working at all:
user: 2000:2000
sysctls:
  - net.ipv4.ip_unprivileged_port_start=0
So I started digging into changing the port that Apache is using in the NextCloud docker image and stumbled onto this thread.
> I've mapped the following volumes
Thanks @alesnav for mentioning this. It's exactly what I was looking for. Changed the port used in both of those files to something over 1024 and now everything is working as desired.
Here is what I added to my docker-compose.yml:
user: 2000:2000
volumes:
  - /volume1/docker/personal/NextCloud/apache/000-default.conf:/etc/apache2/sites-enabled/000-default.conf:ro
  - /volume1/docker/personal/NextCloud/apache/ports.conf:/etc/apache2/ports.conf:ro
The ability to set the UID/GID of the www user (or create a dedicated user) would be very handy indeed.
This is how linuxserver solves it, https://github.com/linuxserver/docker-baseimage-alpine/blob/master/Dockerfile#L74-L75 https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/10-adduser
EDIT:
@tilosp how about https://github.com/jkaberg/docker/commit/283f784af2bf838faf23f10680f3ea09c6c6a9d4 - good enough? docker run ... -e PGID=1337 -e PUID=1337 ...
The if statement with the following chown is obviously to fix ownership. We do not want to do this unless it's needed, since on larger nextcloud instances it could take a very long time. Unsure if /var/www/html/data is the best place to check this.
Would love this as well, as I have two reasons:
- Mixing base images (e.g. alpine based nginx and debian based fpm) that use the same files, the gids, uids are wildly different (just saw the fpm-alpine, not sure if this solves the fpm issue, will need to test)
- Host user/group might have access to files out of containers that they should not have, as gid/uids do not match.
To prevent the above (especially 2.) I am now running a setup where I changed the users. However it collides with the fpm configuration and the entrypoint.sh of nextcloud. To solve it, I needed to:
- Mount the fpm config and set the user in there. Would be nice if that could be set via ENV out of docker-compose.
- Redo file permissions after an image update and again after the first start of the update. The entrypoint.sh has hardcoded "www-data:root". Again, if this could be changed to an ENV it would be nice.
Both changes should be quite small, however I do not know if more places need to be adapted.
I also would need this, as my data-directory is a samba mount, and docker-swarm bind-mounts don't seem to play well with permissions...
I would also very much like a solution where I can specify the UID of the www-data user, it seems it gets a random UID every time the container is recreated which causes some major pain in my nomad setup...
Simply setting the user seems to work for me in docker-compose.
nextcloud:
  image: nextcloud:17
  container_name: nextcloud
  restart: unless-stopped
  user: "1000:1000"
  security_opt:
    - no-new-privileges:true
  cap_drop:
    - ALL
  volumes:
    - nextcloud:/var/www/html
Here are my steps, but with failure, pls help:
- Stop nextcloud docker
- add user: ${PUID}:${PGID} in an existing nextcloud docker-compose.yml.
- chown/chgrp for existing directories.
- restart the nextcloud docker.
However, nextcloud can't start with error:
/entrypoint.sh: 56: /entrypoint.sh: cannot create /usr/local/etc/php/conf.d/redis-session.ini: Permission denied
Pls help.
user: "1000:1000" works, but if you meet any trouble you can do this manually:
If you are using apache, you can add the environment variables
APACHE_RUN_USER=xxx
APACHE_RUN_GROUP=xxx
This will make apache fork as the specified user to serve pages, and nextcloud will inherit it.
In docker you may not have the right user and apache will complain "bad user" if the user does not exist. You can use a tricky method: copy /etc/passwd and /etc/group from inside the container out, edit the www-data user's uid and gid, then mount these two files read-only into the container; now www-data will be treated as the user you defined.
Like this:
www-data:x:1000:1000:www-data:/var/www:/usr/sbin/nologin
www-data:x:1000:
Remember to change the html folder if you mount it to docker.
**DO NOT USE THE ROOT USER** Because, for me, my zfspool is under root:root, so if I use it I will face
Error:  Apache has not been designed to serve pages while
        running as root. There are known race conditions that
        will allow any local user to read any file on the system.
        If you still desire to serve pages as root then
        add -DBIG_SECURITY_HOLE to the CFLAGS env variable
        and then rebuild the server.
        It is strongly suggested that you instead modify the User
        directive in your httpd.conf file to list a non-root
        user.
So I have no choice but to change zfspool to another user...
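As an added example, not code from the thread, the passwd/group edit described in the post above as a script: it takes copies of the container's /etc/passwd and /etc/group (the sample lines are constructed, not taken from any image), rewrites the www-data entries to the chosen UID/GID, refuses UID 0 for the reason the post gives, and warns if another account already holds the target UID. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Rewrites the www-data entries in
# copies of a container's /etc/passwd and /etc/group to a chosen UID/GID,
# ready to bind-mount read-only as /etc/passwd and /etc/group.
# Function names are my own; sample file contents are constructed.

# remap_www_data UID GID PASSWD_COPY GROUP_COPY OUT_DIR
remap_www_data() {
    uid="$1"; gid="$2"; passwd_in="$3"; group_in="$4"; out="$5"
    # Apache refuses to serve pages as root, so never map www-data to 0.
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing to map www-data to root (uid/gid 0)" >&2
        return 1
    fi
    # Warn when another account already owns the target UID: files would
    # then show up under that name inside the container.
    if grep -Ev '^www-data:' "$passwd_in" | grep -Eq "^[^:]*:[^:]*:$uid:"; then
        echo "warning: uid $uid already used by another account in $passwd_in" >&2
    fi
    # passwd: name:pw:uid:gid:gecos:home:shell -> replace fields 3 and 4
    sed -E "s/^(www-data:[^:]*):[0-9]+:[0-9]+:/\1:$uid:$gid:/" "$passwd_in" > "$out/passwd"
    # group: name:pw:gid:members -> replace field 3
    sed -E "s/^(www-data:[^:]*):[0-9]+:/\1:$gid:/" "$group_in" > "$out/group"
}

# Constructed sample of the two files as found in a Debian-based image.
make_sample_files() {
    printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' > "$1/passwd.in"
    printf 'root:x:0:\nwww-data:x:33:\n' > "$1/group.in"
}

# Demo: map www-data to 1000:1000 and show the resulting entries.
# The outputs are then mounted in compose as
#   - ./out/passwd:/etc/passwd:ro
#   - ./out/group:/etc/group:ro
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
remap_www_data 1000 1000 "$demo_dir/passwd.in" "$demo_dir/group.in" "$demo_dir"
grep '^www-data:' "$demo_dir/passwd" "$demo_dir/group"
```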
@MXWXZ Thanks for sharing your ideas! Would still be interesting to see how one could achieve this with nginx.
I think a web server should never be run as root and this has nothing to do with zfspool. As stated in the error message from apache, running as root implies weaker security of your webserver.
> @MXWXZ Thanks for sharing your ideas! Would still be interesting to see how one could achieve this with nginx.
In nginx you can tell nginx in the conf file which user to use via:
user www-data;
Within the www.conf of fpm in the config/ subdirectory, you need to set it also:
user = www-data
group = www-data
However, that only helps if your nginx, nextcloud-fpm and host system are based on the same distribution, e.g. debian. Then the UID/GID combinations will match. If you mix distributions, e.g. with Alpine, you will get chaos as mounted files will change owner, because matching is done on UID, not name. Also you might want to have your docker processes run as a selected user so that mounted files/folders match that user and not accidentally some host system user.
To solve this properly across distributions you need to create your own Dockerfile (or Dockerfile owners need to get active), hand over the wanted UID/GID combination during build and create the users/groups before installing software. Then the different UID/GID will be used.
Here is an example of how I did that for the dovecot user on debian before installing dovecot in the image:
ARG UID
ARG GID
# Add user and group before install, for correct file permission
RUN addgroup --gid $GID dovecot \
    && adduser --system --disabled-login --disabled-password --no-create-home --uid $UID --gid $GID dovecot
With that I can have a specific user for docker within the containers and on the host that is not interfering with host users.
Hello, I have the same issue: the www-data (UID 33) user inside the docker container does not exist outside of the container and it's really weird and problematic to set the right permissions. I don't know how nextcloud works regarding permissions but please enable us to set UID/GID. Thank you.
I'm also struggling with this, did someone come up with a solution?
In my scenario, as long as the key folders (data, apps, themes, config) belong to the www-data user everything runs smoothly, even when these are bind mounts to folders on the host; I can for example back them up since the host's root user can still copy the contents and so on.
However, I'm trying to move the contents of data to a samba volume mounted from another host and that is when I'm struggling to get a permissions match: the volume is configured to be writable by a user on the host machine but I can only make NextCloud work with the container's www-data user and I have not been able to connect these two pieces, not even running the container with the user parameter.
I had to build from the official image to be able to change the UID and GID. My normal user's id is 1000, and this is what my Dockerfile looks like:
FROM nextcloud:23.0.5-fpm-alpine
RUN apk --no-cache add shadow && \
    groupmod --gid 1001 www-data && \
    usermod --uid 1000 www-data
After that I call this file to build my image:
app:
  build:
    context: ./
    dockerfile: Dockerfile
  restart: always
I hope it helps someone :)