Setfacl in Dockerfile Has No Effect

setfacl in Dockerfile has no effect

Any idea why docker does not correctly apply the acl changes when running setfacl in the Dockerfile?

Don't take this as an authoritative answer, because I'm just guessing.

Docker images have to run on a variety of distributions, with different storage backends (possibly even more when you facter in image registries, like hub.docker.com). Even those that are filesystem based may be backed by different filesystems with different capabilities.

This means that in order for Docker images to run reliably and reproducibly in all situations, they have to minimize the number of extended filesystem features they preserve.

This is probably why the extended attributes necessary to implement filesystem ACLs are not preserved as part of the image.

It works in a container because at this point the files are stored on a specific local filesystem, so you can take advantage of any features supported by that filesystem.

Capifony setfacl permissions: Operation not permitted

Finally I managed this creating different PHP-FPM pools with the same permissions as the user. This way I can have different users separated from each other. And as a bonus deploy.rb is simplified.

Setfacl - not supported

ACL has to be explicit activated on ext-filesystems. Therefor you should have something like 

/dev/sdb1 /u01 ext4 defaults,acl 1 2

inside your /etc/fstab.

symfony docker permission problems for cache files

I'd think changing www-datas userid to your host-user's id is a good solution, as permissions for the host user are fairly easy to setup.

#change www-data`s UID inside a Dockerfile
RUN usermod -u [USERID] www-data

user id 1000 is the default for most linux systems afaik... 501 on mac

you can run id -u on the host system to find out.

You could then log into the container to run symfony commands as www-data

docker exec -it -u www-data [CONTAINER] bash

I was wondering how you could set the userid dynamically on container build.
I guess passing it via --build-arg to docker-compose would be the way

docker-compose build --build-arg USERID=$(id -u)

...but haven't managed to access that var in the Dockerfile yet.

How to fix docker: Got permission denied issue

If you want to run docker as non-root user then you need to add it to the docker group.

  1. Create the docker group if it does not exist
$ sudo groupadd docker

  1. Add your user to the docker group.
$ sudo usermod -aG docker $USER

  1. Log in to the new docker group (to avoid having to log out / log in again; but if not enough, try to reboot):
$ newgrp docker


  1. Check if docker can be run without root
$ docker run hello-world

Reboot if still got error

$ reboot

Warning

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface..

Taken from the docker official documentation:
manage-docker-as-a-non-root-user


Related Topics

Arm-Linux-Gnueabi Compiler Options

Automated Installation of R-Studio Using Shell Script

How to Compile a Node C++ Addon So That I Can Use Distribute It on Amazon Aws

How to Enable Hocr Font Info in Tesseract 4

How to Add More Algorithm in Cryptoapi in Linux

Sqlite Data File on Linux and Os X Incompatible

Cmakelist File to Generate Llvm Bitcode File from C Source File

Logging Memory Access Footprint

Stty: Standard Input: Inappropriate Ioctl for Device

How to Identify Padding Scheme Used in Rsa Signature of a Certificate, Using Openssl

How to Attach Domain Name to My Server

I Need a Binary Comparison Tool for Win/Linux

How to Delete The Line That Matches a Pattern and The Line After It with Sed

Shell Script to Get List of Defined Users on Linux

How to Use Nix's Ioctl

Difference Between .So.0 and .So.0.0.0 Files

The Only Overhead Incurred by Fork Is Page Table Duplication and Process Id Creation

Setting The Umask of The Jenkins Process


Leave a reply



Submit