Docker user permissions explanation

I have a LEMP stack which is created by this docker-compose command:

cadvisor:
  image: google/cadvisor:latest
  container_name: lemp_cadvisor
  ports:
    - "8082:8080"
  volumes:
    - "/:/rootfs:ro"
    - "/var/run:/var/run:rw"
    - "/sys:/sys:ro"
    - "/var/lib/docker/:/var/lib/docker:ro"
ssh:
  build: ./ssh
  container_name: lemp_ssh
  ports:
    - "2222:22"
  volumes:
    - /home/core/www/:/var/www/:rw
    - /home/core/.ssh/:/root/.ssh/:ro
phpmyadmin:
  build: ./phpmyadmin
  container_name: lemp_phpmyadmin
  links:
    - ssh
  volumes:
    - /var/www/phpmyadmin
    - ./phpmyadmin/var/www/phpmyadmin/config.inc.php:/var/www/phpmyadmin/config.inc.php:ro
mariadb:
  build: ./mariadb
  container_name: lemp_mariadb
  env_file: ./mariadb/mariadb.env
  links:
    - ssh
  volumes:
    - /var/run/mysqld
    - /home/core/mysql/:/var/lib/mysql/:rw
    - ./mariadb/etc/mysql/my.cnf:/etc/mysql/my.cnf:ro
php:
  build: ./php
  container_name: lemp_php
  links:
    - ssh
  volumes:
    - /var/run/php-fpm
    - ./php/usr/local/php7/etc/php-fpm.conf:/usr/local/php7/etc/php-fpm.conf:ro
    - ./php/usr/local/php7/etc/php.ini:/usr/local/php7/etc/php.ini:ro
    - ./php/usr/local/php7/etc/php-fpm.d/www.conf:/usr/local/php7/etc/php-fpm.d/www.conf:ro
  volumes_from:
    - ssh
    - mariadb
    - phpmyadmin
nginx:
  build: ./nginx
  container_name: lemp_nginx
  links:
    - ssh
  ports:
    - "8080:80"
    - "8081:443"
  volumes:
    - ./nginx/etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ./nginx/etc/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro
    - ./nginx/etc/nginx/conf.d/php.conf:/etc/nginx/conf.d/php.conf:ro
    - ./nginx/etc/nginx/conf.d/cert/:/etc/nginx/conf.d/cert/:ro
  volumes_from:
    - php

I store my WordPress files on the host in the /home/core/www/my-wordpress-install-dir folder.


Viewing the files from the CoreOS host SSH session, the folder’s permissions are the following:

core@core-01 ~/www/my-wordpress-install-dir $ ls -al
total 272
drwxrwxrwx  5 core core  4096 Dec 16 14:36 .
drwxr-xr-x  4 core core  4096 Dec 13 23:54 ..
-rw-r--r--  1 core core   418 Dec 13 23:09 index.php
-rw-r--r--  1 core core 19930 Dec 13 23:09 license.txt
-rw-r--r--  1 core core  7358 Dec 13 23:09 readme.html
-rw-r--r--  1 core core  5035 Dec 13 23:09 wp-activate.php
drwxr-xr-x  9 core core  4096 Dec 13 23:09 wp-admin
-rw-r--r--  1 core core   271 Dec 13 23:09 wp-blog-header.php
-rw-r--r--  1 core core  1369 Dec 13 23:09 wp-comments-post.php
-rw-r--r--  1 core core  2764 Dec 13 23:09 wp-config-sample.php
-rw-rw-rw-  1   33   33  3216 Dec 16 14:36 wp-config.php
drwxr-xr-x  4 core core  4096 Dec 13 23:09 wp-content
-rw-r--r--  1 core core  3286 Dec 13 23:09 wp-cron.php
drwxr-xr-x 16 core core  4096 Dec 13 23:09 wp-includes
-rw-r--r--  1 core core  2380 Dec 13 23:09 wp-links-opml.php
-rw-r--r--  1 core core  3316 Dec 13 23:09 wp-load.php
-rw-r--r--  1 core core 33710 Dec 13 23:09 wp-login.php
-rw-r--r--  1 core core  7887 Dec 13 23:09 wp-mail.php
-rw-r--r--  1 core core 13021 Dec 13 23:09 wp-settings.php
-rw-r--r--  1 core core 28594 Dec 13 23:09 wp-signup.php
-rw-r--r--  1 core core  4035 Dec 13 23:09 wp-trackback.php
-rw-r--r--  1 core core  3061 Dec 13 23:09 xmlrpc.php

However if I docker exec into the lemp_ssh container, the permissions are these:

root@15a6b53835e4:/var/www/my-wordpress-install-dir# ls -al
total 272
drwxrwxrwx.  5      500      500  4096 Dec 16 14:36 .
drwxr-xr-x.  4      500      500  4096 Dec 13 23:54 ..
-rw-r--r--.  1      500      500   418 Dec 13 23:09 index.php
-rw-r--r--.  1      500      500 19930 Dec 13 23:09 license.txt
-rw-r--r--.  1      500      500  7358 Dec 13 23:09 readme.html
-rw-r--r--.  1      500      500  5035 Dec 13 23:09 wp-activate.php
drwxr-xr-x.  9      500      500  4096 Dec 13 23:09 wp-admin
-rw-r--r--.  1      500      500   271 Dec 13 23:09 wp-blog-header.php
-rw-r--r--.  1      500      500  1369 Dec 13 23:09 wp-comments-post.php
-rw-r--r--.  1      500      500  2764 Dec 13 23:09 wp-config-sample.php
-rw-rw-rw-.  1 www-data www-data  3216 Dec 16 14:36 wp-config.php
drwxr-xr-x.  4      500      500  4096 Dec 13 23:09 wp-content
-rw-r--r--.  1      500      500  3286 Dec 13 23:09 wp-cron.php
drwxr-xr-x. 16      500      500  4096 Dec 13 23:09 wp-includes
-rw-r--r--.  1      500      500  2380 Dec 13 23:09 wp-links-opml.php
-rw-r--r--.  1      500      500  3316 Dec 13 23:09 wp-load.php
-rw-r--r--.  1      500      500 33710 Dec 13 23:09 wp-login.php
-rw-r--r--.  1      500      500  7887 Dec 13 23:09 wp-mail.php
-rw-r--r--.  1      500      500 13021 Dec 13 23:09 wp-settings.php
-rw-r--r--.  1      500      500 28594 Dec 13 23:09 wp-signup.php
-rw-r--r--.  1      500      500  4035 Dec 13 23:09 wp-trackback.php
-rw-r--r--.  1      500      500  3061 Dec 13 23:09 xmlrpc.php

I copied back wp-config.php on the host after some change. My problem with these permissions is that this is probably the cause why my SSH2 session is not working for uploading files within WordPress admin.

I added this to my wp-config.php:

define('FTP_PUBKEY','/root/.ssh/wp_rsa.pub');
define('FTP_PRIKEY','/root/.ssh/wp_rsa');
define('FTP_USER','www-data');
define('FTP_PASS','');
define('FTP_HOST','10.0.2.2:22');

Please give me an explanation of why the file permissions are as shown when I view them on the host and in the container. Thank you!


2 comments

  1. I think I solved it. Thank you @dnephin for the explanation!

    I had permission issues with such WordPress installs, when you share the entire WordPress from the host to the container with a volume.

    In my stack, I have a base image, which is a Debian with my basic modifications, and every other image will be built from this image.

    In the base image, I have this part:

    ### Start of Nginx WEBSERVER setup
    RUN mkdir -p /var/www
    # Modify www-data user and set UID, GID to 500
    # https://muffinresearch.co.uk/linux-changing-uids-and-gids-for-user/
    RUN groupmod -g 500 www-data \
        && usermod -u 500 www-data \
        #&& `find / -user 33 -exec chown -h 500 {} \;` \
        #&& `find / -group 33 -exec chgrp -h 500 {} \;` \
        && usermod -g 500 www-data \
        && chown -R www-data:www-data /var/www \
        && chmod g+s /var/www
    ### End of Nginx WEBSERVER setup
    

    www-data is not created by php or nginx installs. It is a default defined user/group in Debian and maybe other distros. Some PHP and Nginx installs suggest using this user in their config files.

    If your host user’s UID/GID is 500, then this script changes the www-data user’s UID/GID to 500 from 33. This way, if you share anything from the host, Docker thinks those files and folders are owned by the www-data user.

    In your PHP-FPM setting files set the user and group to www-data also.

    In your nginx Dockerfile, you also have to set this:

    # Allow Nginx to access /var/run/php-fpm/php-fpm.sock
    RUN usermod -aG www-data nginx
    

    This way the nginx user can access the files owned by www-data (you can define nginx’s user name in the nginx config files).

    After this hack, my WordPress install does not have ANY permission issues. All files reside on the host, and updating WordPress works flawlessly.

    My LEMP stack: https://github.com/DJviolin/LEMP

  2. The permissions (the first column) look the same to me (except for the extra dot at the end, which is most likely just a difference in the ls binary between the host and the container).

    The difference is the owner and group of the files. Owner and group are stored as ids and the name is looked up in /etc/group and /etc/passwd. If the system can’t find a name for the id in those files, it uses the number.

    In your case the host has a name for UID/GID 500 (which is core), but it doesn’t have a name for UID/GID 33. In the container it has the opposite. This is because the files I mentioned are not shared between the host and the container.
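
The lookup described in the two comments, as an added example that is not part of the thread or of the linked LEMP repository: the same numeric owner is rendered through each side's own passwd file, and changing www-data to UID 500 makes the container name the host's `core` files as www-data. The passwd contents are constructed samples, and `owner_name` and `remap_user` are hypothetical helper names; it assumes no user-namespace remapping, so UIDs are identical on both sides of the bind mount.

```shell
#!/bin/sh
# Constructed sample passwd files modelled on the thread:
# the host names UID 500 (core) but not 33; the container names 33 but not 500.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/host.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
core:x:500:500:CoreOS Admin:/home/core:/bin/bash
EOF
cat > "$WORK/container.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF

# owner_name PASSWD_FILE UID
# Print the name ls would show for a numeric owner; when the file has no
# entry for that UID, print the number itself, as ls does.
owner_name() {
    awk -F: -v uid="$2" '$3 == uid { print $1; found = 1; exit }
                         END { if (!found) print uid }' "$1"
}

# remap_user PASSWD_FILE NAME ID
# Emulate on a passwd file what `usermod -u ID NAME` plus `usermod -g ID NAME`
# do in the base image: the name now maps to UID/GID ID. Result goes to stdout.
remap_user() {
    awk -F: -v OFS=: -v name="$2" -v id="$3" \
        '$1 == name { $3 = id; $4 = id } { print }' "$1"
}

# Container passwd after the base image's remap of www-data to 500.
remap_user "$WORK/container.passwd" www-data 500 > "$WORK/remapped.passwd"

# The two owners seen in the listings: 500 (most files) and 33 (wp-config.php).
for uid in 500 33; do
    printf 'uid %-4s host=%-9s container=%-9s remapped container=%s\n' \
        "$uid" \
        "$(owner_name "$WORK/host.passwd" "$uid")" \
        "$(owner_name "$WORK/container.passwd" "$uid")" \
        "$(owner_name "$WORK/remapped.passwd" "$uid")"
done
```

Only the displayed name changes between the three views; the kernel checks access against the number, so after the remap any process running as www-data in the container has the host `core` user's rights on the shared files.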
