I have a CIFS/SMB volume mounted on my docker host, accessed by many of my containers. For all the other containers, I can specify a UID/GID in the docker-compose file so that they have read/write access to this volume.
How do you specify the UID/GID for NextCloud? As it stands, it can read the volume but doesn't have write access.
Thanks
I see in the instructions that you can do the following:
```shell
docker exec --user www-data CONTAINER_ID php occ
```
But how do you specify the user in the docker-compose.yml file?
There is currently no way to change the UID and GID. I think this is supported by the parent image. But the entrypoint script does not properly support it.
Ping!
This should be possible. This works for me:
```shell
docker run --user 1234 -p 8080:80 --sysctl net.ipv4.ip_unprivileged_port_start=0 nextcloud
```
@tilosp Thanks for your comment. Unfortunately I don't seem able to reproduce this.
My host system has a user with the ID 1000. When I run the following command, the files created in the /storage/docker/nextcloud/config belong to www-data root.
```shell
docker run \
  -d \
  --user 1000 \
  --name=nextcloud \
  --network=private-network \
  -e NEXTCLOUD_DATA_DIR=/data \
  -v /storage/docker/nextcloud/config:/var/www/html \
  -v /storage/docker/nextcloud/data:/data \
  nextcloud
```
Are you sure this worked on your end?
@caillou I'm using the suggestion by @tilosp via docker-compose. I can confirm that files uploaded to Nextcloud get the UID/GID as set in docker-compose.yaml. However, I converted an existing installation to this and didn't try upgrading the container to a newer version yet, so I cannot say anything about what permissions Nextcloud's own files will receive then.
When I use the `user: "${uid}:${guid}"` field in a compose file with docker swarm (`sudo docker stack deploy --compose-file ...`) I get permission errors:
```text
Initializing nextcloud 15.0.6.1 ...
rsync: mkstemp "/var/www/html/config/.htaccess.oCsWlP" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.apache-pretty-urls.config.php.1OjgZw" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.apcu.config.php.qFhACe" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.apps.config.php.lijUfW" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.autoconfig.php.EgpeTD" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.config.sample.php.toAywl" failed: Permission denied (13)
rsync: mkstemp "/var/www/html/config/.redis.config.php.ahOV92" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1196) [sender=3.1.2]
```
Running the `nextcloud:apache` image as a container, as well as a separate one with the cron entry-point; volumes are just named volumes created on up.
@marianrh
> I can confirm that files uploaded to Nextcloud get the UID/GID as set in docker-compose.yaml.

Can you tell me how you set the UID/GID in docker-compose?
@mabushey Sure, this is the docker-compose file I'm using:
```yaml
version: "3.3"
services:
  nextcloud:
    image: nextcloud:15.0.6-apache
    dns:
      - <...>
      - <...>
    user: 5003:5003
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0 # Allow an unprivileged user to listen on any port (https://github.com/nextcloud/docker/issues/359)
    ports:
      - 8092:80
    volumes:
      - /applications/nextcloud:/var/www/html
networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: <...>
```
Of course, the directory on the host system has to have the proper owner set.
Thanks @marianrh. I added this to the nextcloud config:
```yaml
user: 1000:1000
sysctls:
  - net.ipv4.ip_unprivileged_port_start=0
```
(BTW the comment on the sysctls entry just refers to this thread)
Removing the config directory and running docker-compose up -d results in a config dir (mapped - "/home/michael/docker/nextcloud:/var/www/html") that's root:root instead of www-data:root. I'm looking for michael:michael (1000:1000). I'm running MySQL outside of docker on the same box with the jwilder & lets encrypt companion Nginx proxy.
Does the dns / networks have some part in this?
I was able to set mapall=michael to the ZFS share property on the FreeBSD NFS server and it seems to be working just fine with Nextcloud running as www-data.
Hi there!
For those who are using Swarm like me, the sysctls option is not supported... Keeping in mind that the only thing that crashes when starting up as another user is the apache2 process, I've mapped the following volumes:
```yaml
volumes:
  - nextcloud_apache_ports:/etc/apache2/ports.conf
  - nextcloud_apache_default:/etc/apache2/sites-enabled/000-default.conf
```
And, of course, local files have been changed to use port 20080 instead of port 80.
I'm installing this image on a Synology NAS and wanted to manage the UID/GID for NextCloud. Synology does not allow users to have ids below 1024 so the existing UID/GID of 33 was problematic to my use case.
This wasn't working at all:
```yaml
user: 2000:2000
sysctls:
  - net.ipv4.ip_unprivileged_port_start=0
```
So I started digging into changing the port that Apache is using in the NextCloud docker image and stumbled onto this thread.
> I've mapped the following volumes
Thanks @alesnav for mentioning this. It's exactly what I was looking for. Changed the port used in both of those files to something over 1024 and now everything is working as desired.
Here is what I added to my docker-compose.yml:
```yaml
user: 2000:2000
volumes:
  - /volume1/docker/personal/NextCloud/apache/000-default.conf:/etc/apache2/sites-enabled/000-default.conf:ro
  - /volume1/docker/personal/NextCloud/apache/ports.conf:/etc/apache2/ports.conf:ro
```
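The port change described in the two posts above (run httpd on an unprivileged port so the container can start as a non-root UID without the sysctl), as an added example that is not from the thread or the nextcloud image: it writes constructed copies of the Debian default `ports.conf` and `000-default.conf`, rewrites only the plain-HTTP port 80 entries, and leaves the 443 entry alone; the port 20080 and the file names are taken from the thread, everything else is assumed.

```shell
#!/bin/sh
# Rewrite the two Apache files the thread bind-mounts so httpd listens on an
# unprivileged port (assumed default: 20080) and can start as a non-root UID
# without net.ipv4.ip_unprivileged_port_start=0.
set -eu

NEW_PORT="${NEW_PORT:-20080}"

# Write constructed copies of the Debian apache2 defaults so this runs offline.
write_sample_apache_conf() {
    dir="$1"
    mkdir -p "$dir"
    printf 'Listen 80\n\n<IfModule ssl_module>\n\tListen 443\n</IfModule>\n' > "$dir/ports.conf"
    printf '<VirtualHost *:80>\n\tDocumentRoot /var/www/html\n</VirtualHost>\n' > "$dir/000-default.conf"
}

# Replace only the plain-HTTP port 80 entries; the 443 entry is untouched.
rewrite_apache_port() {
    dir="$1"
    port="$2"
    sed -i "s/^Listen 80$/Listen ${port}/" "$dir/ports.conf"
    sed -i "s/<VirtualHost \*:80>/<VirtualHost *:${port}>/" "$dir/000-default.conf"
}

# Return 0 when both files reference the new port and no plain "Listen 80" remains.
apache_port_is() {
    dir="$1"
    port="$2"
    grep -q "^Listen ${port}$" "$dir/ports.conf" &&
    grep -q "<VirtualHost \*:${port}>" "$dir/000-default.conf" &&
    ! grep -q "^Listen 80$" "$dir/ports.conf"
}

# Demo: ./rewrite.sh --demo prints the rewritten files from a temp directory.
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    write_sample_apache_conf "$tmp"
    rewrite_apache_port "$tmp" "$NEW_PORT"
    cat "$tmp/ports.conf" "$tmp/000-default.conf"
fi
```

The rewritten files are then bind-mounted read-only over `/etc/apache2/ports.conf` and `/etc/apache2/sites-enabled/000-default.conf`, and the compose `ports:` mapping must point at the new container port (e.g. `8092:20080`) instead of 80.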
Ability to set the UID/GID of the www-user (or create a dedicated user) would be very handy indeed.
This is how linuxserver solves it:
https://github.com/linuxserver/docker-baseimage-alpine/blob/master/Dockerfile#L74-L75
https://github.com/linuxserver/docker-baseimage-alpine/blob/master/root/etc/cont-init.d/10-adduser
EDIT:
@tilosp how about https://github.com/jkaberg/docker/commit/283f784af2bf838faf23f10680f3ea09c6c6a9d4 - good enough? `docker run ... -e PGID=1337 -e PUID=1337 ...`
The if statement with the following chown is obviously to fix ownership. We do not want to do this unless it's needed on larger nextcloud instances (as it could take a very long time). Unsure if /var/www/html/data is the best place to check this.
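The "chown only when needed" idea from the post above, as an added example that is neither the linked commit nor the nextcloud entrypoint: a probe path is checked once with `stat`, and the recursive chown runs only if its owner differs from the requested pair. The `PUID`/`PGID` names come from the thread; `DATA_DIR`, the function names and the default of 33 (www-data in the official image) are assumptions.

```shell
#!/bin/sh
# Entrypoint-style helper: apply PUID/PGID to the data tree only when the probe
# path is not already owned by that pair, so a large instance is not chown'ed
# on every start. Names are assumed, not the nextcloud image's own.
set -eu

PUID="${PUID:-33}"                     # www-data in the official image
PGID="${PGID:-33}"
DATA_DIR="${DATA_DIR:-/var/www/html/data}"

# Print "uid gid" of a path (GNU and busybox stat both accept -c).
owner_of() {
    stat -c '%u %g' "$1"
}

# Return 0 when a chown is needed, 1 when the probe already matches.
needs_chown() {
    path="$1"; uid="$2"; gid="$3"
    [ "$(owner_of "$path")" != "$uid $gid" ]
}

# Recursively fix ownership of the tree, but only if the probe disagrees.
# Returns 0 when a chown was performed, 1 when it was skipped.
fix_ownership() {
    path="$1"; uid="$2"; gid="$3"
    if needs_chown "$path" "$uid" "$gid"; then
        echo "ownership of $path is $(owner_of "$path"), running chown -R $uid:$gid"
        chown -R "$uid:$gid" "$path"
        return 0
    fi
    echo "ownership of $path already $uid:$gid, skipping chown"
    return 1
}

# ./fix-owner.sh --run applies it to DATA_DIR with the env-provided PUID/PGID.
if [ "${1:-}" = "--run" ]; then
    fix_ownership "$DATA_DIR" "$PUID" "$PGID" || true
fi
```

On a CIFS or NFS bind mount the probe reports whatever uid/gid the mount options or server mapping impose, and `chown` may be refused or silently ignored there, so the check must be run against a path on the volume you actually want to fix (the thread's `/var/www/html/data` or a separate data mount), not the image's own `/var/www/html`.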
Would love this as well, as I have two reasons:
To prevent the above (especially 2.) I am now running a setup where I changed the users. However it collides with the fpm configuration and the entrypoint.sh of nextcloud.
To solve it, I needed to:
Both changes should be quite small, however I do not know if more places need to be adapted.
I also would need this, as my data-directory is a samba mount, and docker-swarm bind-mounts don't seem to play well with permissions...
I would also very much like a solution where I can specify the UID of the www-data user, it seems it gets a random UID every time the container is recreated which causes some major pain in my nomad setup...
Simply setting the user seems to work for me in docker-compose.
```yaml
nextcloud:
  image: nextcloud:17
  container_name: nextcloud
  restart: unless-stopped
  user: "1000:1000"
  security_opt:
    - no-new-privileges:true
  cap_drop:
    - ALL
  volumes:
    - nextcloud:/var/www/html
```
Here are my steps, but with failure, please help:
```yaml
user: ${PUID}:${PGID}
```
However, nextcloud can't start, with this error:
```text
/entrypoint.sh: 56: /entrypoint.sh: cannot create /usr/local/etc/php/conf.d/redis-session.ini: Permission denied
```
Please help.