Ownership of the data directory #19

Closed
gllmhyt opened this issue Aug 1, 2015 · 9 comments

@gllmhyt

gllmhyt commented Aug 1, 2015

I don't understand how I could work with persistent data if I cannot create directories and so on (e.g. adding a theme or updating it).

Configuration:

  • Debian Jessie
  • Docker version 1.6.2, build 7c8fca2 (from backports)
  • User: postblue
  • Groups: postblue sudo docker

Steps:

  • Create a directory in $HOME
mkdir /home/postblue/some-ghost
  • Ownership of the
  • Run the docker command as user :
docker run --name some-ghost -d -p 80:2368 -e "VIRTUAL_HOST=some-ghost.example.tld" -v /home/postblue/some-ghost:/var/lib/ghost ghost
  • The docker image is up and running (as it seems), but my user has no possibility to change anything in the container.
  • It seems that the user:group is not what it was (postblue:postblue) anymore
ls -l ghost
total 20
drwxr-xr-x 2 myroot root 4096 aoû  1 12:53 apps
drwxr-xr-x 2 myroot root 4096 aoû  1 12:54 data
drwxr-xr-x 2 myroot root 4096 aoû  1 12:53 images
drwxr-xr-x 3 myroot root 4096 aoû  1 12:53 themes
-rw-r--r-- 1 myroot root 3794 aoû  1 12:49 config.js
  • Even the root folder is chowned to myroot:postblue.
  • So:
    • How can I add/edit/update themes with this official docker image?
    • Why does it change permissions of my directory to user 1000 (myroot on my server)?
    • Why do all the files inside the directory belong to group 0 (root on my server)?
@gllmhyt gllmhyt changed the title Ownership of the Ownership of the data directory Aug 1, 2015
@yosifkit
Member

yosifkit commented Aug 3, 2015

Most people do not set proper permissions on mounted directories for a non-root user to be able to access or change the files, so we have to chown them on startup. I am not sure why group is set to 0 since we only run chown -R user "$GHOST_CONTENT".

Two options:

  • if you have already set up the directories and files to allow user 1000 (user in the container) to access all that it needs, feel free to customize the docker-entrypoint script to meet your needs.
  • just use sudo on the host system to update and modify the files

@gllmhyt
Author

gllmhyt commented Aug 15, 2015

Maybe most people are bad at using permissions (proof?), but for people doing it well it's a totally unwanted behavior: if I put files in my $HOME, in my $USER directory with initially a good chown of my $USER, it's a bug that I can't edit these files without su(do) rights.

@adam-beck

@yosifkit is the group set to 0 because of the call to set -- gosu user "$@" in docker-entrypoint.sh?

@eddiezane

Got burnt by this pretty bad. Had no idea why docker was changing the owner of my folder to a totally uninvolved user. Just so happens it was the user with id 1000.

What can we do to make sure no one else loses time on this?

@jwdevantier

This inability to have files reflect outside permissions is rather unfortunate - the entire point of docker (to my mind) is delegation of configuration and tweaking of software to a competent third party while allowing me to update when necessary (i.e. bump the image tag).

Forking the image is drastic and questions the existence of the image itself, it's little better than a good blog post by then.

@rigor789

I am facing a similar issue. Whenever I run this container, the themes directory changes ownership to 1001 which is the user id of user inside the container.

Due to this I have to chown it back to my user whenever I want to edit the files, and what's worse is that git fails to change the files when switching branches, thus I have to chown and then discard changes to get back the clean state of the branch.

Is there any solution to avoid this, other than changing my user id, or using sudo for everything involving that folder?

@SISheogorath

You can create a group which can be used to make the files writable for you. Then you can edit the files and don't run into any problem because group ownership is not touched by the image.
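
The group approach described in the comment above, as an added example that is not part of the original comment or of the image's scripts: make the mounted tree group-writable and set the setgid bit on its directories so later entries inherit the group. The function names are hypothetical; on a real host the group would be one created for this purpose (for instance with `groupadd`), and the caller must own the files or be root.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.

# Give an existing group read/write access to a tree without touching
# file owners, so a startup `chown -R user` in the container does not
# lock the host user out.
share_with_group() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    # g+rwX: read/write for the group everywhere; execute/search only on
    # directories and on files that are already executable.
    chmod -R g+rwX "$dir" || return 1
    # setgid on directories: entries created later inherit the directory's
    # group instead of the creating process's primary group.
    find "$dir" -type d -exec chmod g+s {} +
}

# List entries the group still cannot write. Files the container creates
# after startup keep its umask (often 022), so they inherit the group via
# setgid but may show up here until their mode is widened.
not_group_writable() {
    find "$1" ! -type l ! -perm -020 -print
}
```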

@tianon
Member

tianon commented Sep 26, 2017

Additionally, as of #54 (which I've just now verified with Ghost 1.x as well), you're able to run Ghost itself as any arbitrary user, so using --user 1000:1000 will run Ghost as UID 1000, which is what I'd recommend doing so that Ghost in the container can run as the desired host user directly (and thus have the appropriate permissions already):

$ docker run -it --rm --user 1000:1000 ghost:alpine
[2017-09-26 22:20:34] INFO Creating table: posts 
[2017-09-26 22:20:34] INFO Creating table: users 
[2017-09-26 22:20:35] INFO Creating table: roles 
[2017-09-26 22:20:35] INFO Creating table: roles_users 
[2017-09-26 22:20:35] INFO Creating table: permissions 
[2017-09-26 22:20:35] INFO Creating table: permissions_users 
[2017-09-26 22:20:35] INFO Creating table: permissions_roles 
[2017-09-26 22:20:35] INFO Creating table: permissions_apps 
[2017-09-26 22:20:35] INFO Creating table: settings 
[2017-09-26 22:20:35] INFO Creating table: tags 
[2017-09-26 22:20:35] INFO Creating table: posts_tags 
[2017-09-26 22:20:35] INFO Creating table: apps 
[2017-09-26 22:20:35] INFO Creating table: app_settings 
[2017-09-26 22:20:35] INFO Creating table: app_fields 
[2017-09-26 22:20:35] INFO Creating table: clients 
[2017-09-26 22:20:35] INFO Creating table: client_trusted_domains 
[2017-09-26 22:20:35] INFO Creating table: accesstokens 
[2017-09-26 22:20:35] INFO Creating table: refreshtokens 
[2017-09-26 22:20:35] INFO Creating table: subscribers 
[2017-09-26 22:20:35] INFO Creating table: invites 
[2017-09-26 22:20:35] INFO Creating table: brute 
[2017-09-26 22:20:35] INFO Model: Post 
[2017-09-26 22:20:35] INFO Model: Tag 
[2017-09-26 22:20:35] INFO Model: Client 
[2017-09-26 22:20:35] INFO Model: Role 
[2017-09-26 22:20:35] INFO Model: Permission 
[2017-09-26 22:20:35] INFO Model: User 
[2017-09-26 22:20:36] INFO Relation: Role to Permission 
[2017-09-26 22:20:36] INFO Relation: Post to Tag 
[2017-09-26 22:20:36] INFO Relation: User to Role 
[2017-09-26 22:20:37] INFO Finished database migration! 
[2017-09-26 22:20:41] INFO Ghost is running in production... 
[2017-09-26 22:20:41] INFO Your blog is now available on http://localhost:2368/ 
[2017-09-26 22:20:41] INFO Ctrl+C to shut down 
[2017-09-26 22:20:41] INFO Ghost boot 4.139s 
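
A host-side helper for the `--user` approach above, as an added example that is not part of the original thread or of the image's own scripts: it derives the `--user` value from the owner of the directory to be mounted, refuses a root-owned directory, and lists entries whose owner has drifted. The function names are hypothetical, GNU `stat` and `find` are assumed (as on the Debian host in this issue), and combining `--user` with the `-v ...:/var/lib/ghost` mount from the first post is an assumption.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.

# Print the numeric UID:GID that owns a directory, in the form accepted
# by `docker run --user`.
owner_ids() {
    stat -c '%u:%g' "$1"
}

# List entries below a directory that are not owned by the directory's
# owner, e.g. files taken over by a recursive chown at container startup.
owner_drift() {
    dir=$1
    uid=$(stat -c '%u' "$dir") || return 1
    find "$dir" -mindepth 1 ! -uid "$uid" -print
}

# Print (do not execute) a docker command line that runs Ghost as the
# owner of the mounted directory, so no chown is needed inside the
# container. Refuses a root-owned directory, because that would mean
# running the service as UID 0. The path is printed unquoted for review.
ghost_run_cmd() {
    dir=$1
    ids=$(owner_ids "$dir") || return 1
    case $ids in
        0:*)
            echo "refusing: $dir is owned by root" >&2
            return 1
            ;;
    esac
    printf 'docker run -d --user %s -v %s:/var/lib/ghost ghost\n' "$ids" "$dir"
}
```

Running `owner_drift` before and after starting the container shows whether anything in the mounted tree changed owner.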
