On php:apache, we are trying to change the UID of the Apache process, so that it can access files owned by another uid than 33/www-data (because we're sharing some files with another container).
I tried:
ENV APACHE_RUN_USER 1000
/etc/apache2/envvars
-D APACHE_RUN_USER=1000
No workie :(
@tianon told me:
15:57 <tianon> you want -u SOME-UID and probably have to sed the conf file
15:57 <tianon> can you file an issue?
15:57 <tianon> and say I sent you?
So, we need some way for the docker run -u SOME-UID to propagate into the config file (because it has User and Group hard-coded to www-data), which shouldn't be _too_ hard.
See https://github.com/docker/docker/issues/8460 for why this is currently sticky to accomplish in a really easy way.
How about just creating an entrypoint script that checks environment variables (like APACHE_RUN_UID and APACHE_RUN_GID) and creates a dummy user/dummy group with the given UID/GID? Of course, it should also change apache2.conf with sed or something like that.
I was just looking at this issue in the context of https://github.com/docker-library/wordpress/issues/52
It turns out that Apache will interpolate environment variables in the form ${ENVVAR}, so I changed the apache2.conf file used for the php:apache image to get its user and group from APACHE_RUN_USER and APACHE_RUN_GROUP respectively. After doing this, I was able to set the user that Apache runs as with -e APACHE_RUN_USER=myuser.
One caveat is that the User directive in Apache's config file only accepts usernames, not uids, so in some cases you may need to create a dummy user with the same uid as your mounted volume. The other caveat is that the Dockerfile is currently chowning /var/lock/apache2 and /var/run/apache2 to www-data:www-data. These would also need to be owned by the same dummy user instead of by www-data.
diff --git a/5.6/apache/Dockerfile b/5.6/apache/Dockerfile
index f584653..abad2c3 100644
--- a/5.6/apache/Dockerfile
+++ b/5.6/apache/Dockerfile
@@ -70,6 +70,8 @@ COPY docker-php-ext-* /usr/local/bin/
COPY apache2-foreground /usr/local/bin/
WORKDIR /var/www/html
+ENV APACHE_RUN_USER www-data
+ENV APACHE_RUN_GROUP www-data
EXPOSE 80
CMD ["apache2-foreground"]
##</autogenerated>##
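Review bot: The two added ENV lines only set defaults; nothing in this hunk makes the directories mentioned in the comment above (/var/lock/apache2 and /var/run/apache2, chowned to www-data:www-data at build time) follow a run-time override such as -e APACHE_RUN_USER=myuser. Suggest moving that chown into apache2-foreground using "$APACHE_RUN_USER:$APACHE_RUN_GROUP", or documenting next to these ENV lines that a derived image must repeat the chown for its own user.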
diff --git a/5.6/apache/apache2.conf b/5.6/apache/apache2.conf
index 0a22836..0fb411e 100644
--- a/5.6/apache/apache2.conf
+++ b/5.6/apache/apache2.conf
@@ -6,8 +6,8 @@ Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
-User www-data
-Group www-data
+User ${APACHE_RUN_USER}
+Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog /proc/self/fd/2
LogLevel warn
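Review bot: With User ${APACHE_RUN_USER} and Group ${APACHE_RUN_GROUP}, the config now depends on both variables being present in Apache's environment; if either is unset, httpd leaves the ${...} text in place and has no valid user to switch to. Suggest a comment above these two lines naming the ENV defaults in the Dockerfile as the source, and noting that a numeric id has to be written in the #NNN form (for example User #1000), since a bare number is looked up as a user name.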
@md5, that seems to be a valid solution. What are the problems involved?
I really wish we could just get a fix to https://github.com/docker/docker/issues/8460, since that'd fix this in the ideal way. :cry:
@yosifkit I think it would just be a matter of documentation.
For example, I think a Dockerfile like this could work for the boot2docker case of uid 1000:
FROM php:5.6-apache
ENV APACHE_RUN_USER myuser
RUN adduser --uid 1000 --gecos 'My Apache User' --disabled-password myuser \
&& chown -R "$APACHE_RUN_USER:$APACHE_RUN_GROUP" /var/lock/apache2 /var/run/apache2
This is assuming the changes I posted above, plus probably a change in the entrypoint to use $APACHE_RUN_USER in the chown.
Actually, I'm thinking of the wordpress repo with the chown. There is no ENTRYPOINT here.
Any news about this issue?
Just came across this researching an unrelated issue, but could you use this, assuming the UID and GID are 1000 (assuming you have some mechanism to create a user with a predictable UID / GID)?
User #1000
Group #1000
Ref: http://httpd.apache.org/docs/current/mod/mod_unixd.html#user
and http://httpd.apache.org/docs/current/mod/mod_unixd.html#group
Re: @md5
One caveat is that the User directive in Apache's config file only accepts usernames, not uids, so in some cases you may need to create a dummy user with the same uid as your mounted volume.
Based on the current documentation and my experience running it with User and Group set to a UID and GID, it seems like this does indeed work. Not sure if you're using a custom-built Apache or something else that interferes with this mechanism, but give it a shot :)
@ip2k It looks like I was simply unaware of the #NNN notation for numeric ids.
What about using usermod to change the numeric uid of the www-data user:
usermod --non-unique --uid 999 www-data
This way we don't need to change apache configuration (no need to sed apache2.conf file).
We just need to :
usermod before starting apache process (with something like run-parts docker-entrypoint.d/ see http://www.camptocamp.com/en/actualite/flexible-docker-entrypoints-scripts/)
/var/lock/apache2
Proposal with usermod : https://github.com/docker-library/php/pull/286
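An entrypoint along the lines proposed above, as an added example that is not part of the thread or of the official image: it validates APACHE_RUN_UID and APACHE_RUN_GID (the names suggested earlier in the thread, which the image itself does not read) before handing them to usermod, so the variable cannot select uid 0 or carry extra options or shell syntax. The groupmod step and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): remap www-data before Apache starts.
# APACHE_RUN_UID / APACHE_RUN_GID are the names proposed in the thread; the
# function names and the groupmod step are assumptions of this example.
set -eu

# Accept only 1-5 decimal digits, no leading zero, at most 65534, so the value
# cannot be root (0), empty, negative, or an option/shell fragment.
valid_id() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65534 ]
}

# Print the commands needed for the requested ids, one per line.
# Prints nothing when no remap is requested; returns 2 on a rejected id.
plan_remap() {
    uid=${1:-} gid=${2:-}
    [ -n "$uid$gid" ] || return 0
    if [ -n "$uid" ]; then
        valid_id "$uid" || { echo "bad APACHE_RUN_UID: $uid" >&2; return 2; }
        echo "usermod --non-unique --uid $uid www-data"
    fi
    if [ -n "$gid" ]; then
        valid_id "$gid" || { echo "bad APACHE_RUN_GID: $gid" >&2; return 2; }
        echo "groupmod --non-unique --gid $gid www-data"
    fi
    # usermod does not re-own files outside the home directory.
    echo "chown -R www-data:www-data /var/lock/apache2 /var/run/apache2"
}

# Build the whole plan first (a rejected id aborts before anything runs),
# execute it, then hand over to the real command.
entrypoint_main() {
    plan=$(plan_remap "${APACHE_RUN_UID:-}" "${APACHE_RUN_GID:-}")
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        [ -z "$cmd" ] || $cmd
    done
    exec "$@"
}

# Only act when started as the image's CMD, as docker-library entrypoints do.
if [ "${1:-}" = "apache2-foreground" ]; then
    entrypoint_main "$@"
fi
```

Because the uid and gid are changed on the existing www-data account, apache2.conf keeps its User www-data and Group www-data lines unchanged.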