Can't write to Docker volume

Problem

My set-up

  • I have a Docker image based on php:7.4-apache.
  • I have two Docker volumes for saving files that need to be persisted.
  • On container start, I run Certbot to install HTTPS certificates.

Issue

I discovered that my application can't write to Docker volumes.

Debugging

Using ls -l I found out that the mountpoints of my volumes are owned by user 1451:

drwxr-xr-x 4     1451 users     176128 Mar 12 13:25 volume_mountpoint


My web server is running under user www-data.

Attempted solution

I've tried setting the user under which my container runs to www-data. This caused the volume mountpoints to be owned by www-data, which fixed the permissions issue. The problem with this solution is that Certbot requires root permissions and fails to acquire an HTTPS certificate without them.

Question

What is the proper way to fix this issue? I need Certbot to run under root, but let the mountpoints be owned by www-data.

Solution

Solution that worked for me in the past: create a new image out of the existing one and let the entrypoint script of that new image modify the permissions of your volume_mountpoint.

So in the case of your image (php:7.4-apache) you create an entrypoint.sh file, something like

#!/bin/sh
# Runs as root at container start: give the volume to www-data, then start Apache
chown -R www-data:www-data /path/to/volume_mountpoint
exec apache2-foreground


And then your Dockerfile should be something like

FROM php:7.4-apache
COPY entrypoint.sh /entrypoint.sh
# The exec-form ENTRYPOINT below needs the script to be executable
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]


This way it should correct the permissions when the container starts. Note that I haven't tested the above; it might require some tweaks, but hopefully it shows the idea.

P.S. Maybe somebody has a better way of doing this - I would be very interested myself.
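
An added example, not part of the original answer: a variant of the entrypoint idea that skips the recursive chown when the mountpoint already has the right owner, leaves a place for the root-only Certbot step from the question, and then starts whatever command the container is given. VOLUME_DIRS and RUN_AS are hypothetical variable names, and the Dockerfile is assumed to pass the server as CMD (for example CMD ["apache2-foreground"]).

```shell
#!/bin/sh
# Added example entrypoint; not the original answer's code.
# Assumptions: VOLUME_DIRS (space-separated mountpoints) and RUN_AS are
# hypothetical environment variables set in the Dockerfile or at run time.
set -eu

# Print the numeric uid for a user name; numeric input is passed through.
resolve_uid() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Succeed if directory $1 is already owned by user $2.
owned_by() {
    want=$(resolve_uid "$2")
    [ "$(stat -c %u "$1")" = "$want" ]
}

# Chown $1 to $2 only when the mountpoint owner differs, so restarts do not
# walk a large volume again. Prints "changed" or "unchanged".
fix_volume_owner() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if owned_by "$dir" "$owner"; then
        echo unchanged
    else
        # -h: change symlinks themselves, never the files they point to
        chown -hR "$owner" "$dir"
        echo changed
    fi
}

# Main: runs only when the container passes a command (CMD).
if [ "$#" -gt 0 ]; then
    # Root-only startup work, such as the Certbot run, goes here.
    for d in ${VOLUME_DIRS:-}; do
        fix_volume_owner "$d" "${RUN_AS:-www-data}"
    done
    exec "$@"   # the server command replaces this shell as PID 1
fi
```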

Context

StackExchange DevOps Q#11065, answer score: 1