-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add env variables to change UID/GID of www-data #1278
Conversation
I think this is a rather clean solution to the issues at hand, nice work! :) |
Hello @tilosp, i have rebased this PR to the latest changes. Some tests are failing due to database tests, but it seems rather random to me. Could I request a review or is there something other I should do before? |
@tilosp can we get this merged please? |
Signed-off-by: Jan Dittrich <[email protected]>
I'd prefer to use the same approach as in docker-library/wordpress#249 (see also docker-library/wordpress#351 and docker-library/wordpress#371) |
@J0WI The problem with the Wordpress (and LinuxServer) design, is the fact is isn't compatible with the docker "user" setting. For those two it's acceptable, because the settings is relatively new but for new implementations, like this one, not being able to use docker best-practices is a no-go. |
@Ornias1993 do you refer to something else than |
An alternative solution (or dirty hack ? 😅 ) would be to use bindfs (on Linux) to mirror the directory on your host and set the permission accordingly, then just use this directory instead of the original one in your docker volume For example, if you have a MyFiles directory with the UID/GID 1000:1000 then you can create a mirror with the UID/GID changed to 33:33 (www-data by default). # bindfs -u 33 -g 33 MyFiles MyFilesMirrored |
Hoping to see this implemented ASAP |
any updates? |
Is this still on people's radar? |
I ended up with building my own, custom Docker image, with
And my
|
in case of you use ldap for connection wordpress approach doesn't work because tou UID is not in /etc/passwd |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey! There is something that bother me in this pr, it's the chown
and chgrp
.
This could lead to multiple issues and I don't think that is the job of a docker image.
The sysadmin should know and manually do those changes.
As a side note:
- Please fix tests
- Please only edit the root templates
docker-entrypoint.sh
. The changes are done automatically - Could you explain the requirements for the
shadow
dependency on alpine ? @jan-di
PUID/UID GID/PGID is quite globally used (and not a very good idea considering systems like kubernetes and docker already implement more secure user-setting, for example the docker However, the design here is actually troublesome: When Remember UID/GID env-vars are not a standard! Setting the So in the following case: Applications should be running with $user and group. |
fix: nextcloud#359, nextcloud#772, nextcloud#1081, nextcloud#1087, nextcloud#1278 Signed-off-by: J0WI <[email protected]>
fix: nextcloud#359, nextcloud#772, nextcloud#1081, nextcloud#1087, nextcloud#1278 Signed-off-by: J0WI <[email protected]>
fix: #359, #772, #1081, #1087, #1278 Signed-off-by: J0WI <[email protected]> Signed-off-by: J0WI <[email protected]>
closing due #1812 |
fix: nextcloud#359, nextcloud#772, nextcloud#1081, nextcloud#1087, nextcloud#1278 Signed-off-by: J0WI <[email protected]> Signed-off-by: J0WI <[email protected]>
This PR adds the support for two environment variables that can change the UID/PID of the www-data user dynamically at the entrypoint script. This allows to use a specific uid/gid that is also used on the host to prevent permission issues on bind mounted volumes.
To stay backwards-compatible, the environment variables have the current UID/GID as default value, so they are 3 possible use cases:
An additional advantage of changing the UID/GID of www-data instead of creating a new user is, that no config files have to be changed for this - every service can use www-data as before.
This should fix #359, #1081, #1087. See also #772 (comment) for more info.