Dockerfile: Permission problem with application user set in docker-compose.yml (webdevops/php-nginx-dev)

Hi,

I’m using the image webdevops/php-nginx-dev:7.1 and I’ve set the user in my docker compose file to application. When building it for the first time, it’s OK, but when I stop the container, and start it again, it exits with the following error:

    error: failed switching to "root": operation not permitted

Here is my config:

    version: '2'
    services:
      php:
        image: webdevops/php-nginx-dev:7.1
        user: "application"
        volumes:
          - .:/app
        working_dir: /app
        environment:
          - WEB_DOCUMENT_ROOT=/app/public
          - XDEBUG_REMOTE_AUTOSTART=On
          - XDEBUG_PROFILER_ENABLE=On
          - XDEBUG_REMOTE_HOST=192.168.0.145
          - XDEBUG_REMOTE_PORT=9001
          - PHP_DEBUGGER=xdebug
        ports:
          - "80:80"
          - "443:443"
          - "9000:9000"
    # ...

The issue is similar to #219.

Do you have any suggestions? (Removing the user from the compose file, and supplying -u parameter to exec is not an option.)

Thank you.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 8
  • Comments: 16 (12 by maintainers)

Most upvoted comments

One solution which worked for me was setting

    environment:
      CONTAINER_UID: 33

In my case 33 maps to www-data. This produces the following output:

    array(5) {
        ["getmyuid"]=> int(0)
        ["getmygid"]=> int(0)
        ["getmypid"]=> int(271)
        ["shell_exec('cat /etc/shadow')"]=> NULL
        ["shell_exec('gosu root cat /etc/shadow')"]=> NULL
    }

and also logging:

    php-fpm_1   | [30-Apr-2019 09:31:25] WARNING: [pool www] child 271 said into stderr: "cat: /etc/shadow"
    php-fpm_1   | [30-Apr-2019 09:31:25] WARNING: [pool www] child 271 said into stderr: ": Permission denied"
    php-fpm_1   | [30-Apr-2019 09:31:25] WARNING: [pool www] child 271 said into stderr: "error: failed switching to "root": operation not permitted"

Furthermore, it allows restarting the container without any issues.

@MajPay:

I wouldn’t clone this repo for this purpose. Just copy your version of entrypoint.sh to /opt/docker/bin

e.g.

    COPY docker/bin/entrypoint.sh /opt/docker/bin/entrypoint.sh

I do it this way: https://github.com/kaluzki/docker-xampp/tree/master/src

So… we cannot use this image and configure a user other than root? This is not very convenient in development because I mount my project root into the container and use composer and so on via docker. So every file that is generated inside the container will be owned by root on my local machine. That makes a lot of tasks harder…

Removing suid bit from gosu was implemented in #155 and the comment https://github.com/webdevops/Dockerfile/pull/155#issuecomment-270907745 describes WHY.

With this solution it’s IMO not possible to use the docker run --user flag, at least not for those containers you want to restart later.

Setting docker run -e CONTAINER_UID=1000 looks like a workaround, which seems to be used only by php-fpm and hhvm images.

Maybe it’s related to #213
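
Added example, not part of the thread and not code from webdevops/Dockerfile: a guard a custom entrypoint.sh could apply before any user switch, so that a container started with a non-root `user:` skips the step with a clear message instead of hitting the gosu error quoted above. The function names `plan_switch` and `run_as` are hypothetical, and the sketch assumes the failure comes from a startup step calling gosu (which has no suid bit) while the process is not root.

```shell
#!/bin/sh
# Hypothetical entrypoint helper (assumption: not the image's own script).
# gosu without the suid bit can only change user when the caller is root,
# so decide up front instead of failing part-way through startup.

# plan_switch CURRENT_UID TARGET_UID -> prints: direct | gosu | denied
plan_switch() {
    cur_uid=$1
    target_uid=$2
    if [ "$cur_uid" = "$target_uid" ]; then
        echo direct      # already the right user, no switch needed
    elif [ "$cur_uid" = "0" ]; then
        echo gosu        # root may drop to any user
    else
        echo denied      # non-root cannot switch, with or without gosu
    fi
}

# run_as USER CMD [ARGS...] -> runs CMD as USER when that is possible
run_as() {
    target_user=$1
    shift
    # Unknown user: report failure rather than guessing a uid.
    target_uid=$(id -u "$target_user") || return 1
    case $(plan_switch "$(id -u)" "$target_uid") in
        direct) "$@" ;;
        gosu)   gosu "$target_user" "$@" ;;
        denied)
            echo "cannot switch to $target_user from uid $(id -u); skipping: $*" >&2
            return 126
            ;;
    esac
}
```

With this guard, a step that needs root is reported and skipped when the container runs as `application`, and the entrypoint can decide whether that step is required or optional.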