05/01/2019 - DOCKER
By default, PHP-FPM and Nginx each run as a specific user/group. In their configurations, the PHP-FPM user and group are set to www-data, whereas the Nginx user is set to nginx. In this example we will change both to inanzzz.
# www.conf
...
[www]
user=www-data
group=www-data
listen.owner=www-data
listen.group=www-data
...
# nginx.conf
...
user nginx;
...
# www.conf
...
[www]
user=inanzzz
group=inanzzz
listen.owner=inanzzz
listen.group=inanzzz
...
# Dockerfile
FROM php:7.2.13-fpm
....
# Create group "inanzzz"
# set group id "1000"
RUN groupadd -g 1000 inanzzz
# Create user "inanzzz"
# set user id "1000"
# assign to existing group id "1000"
# set home directory "/home/inanzzz"
# set shell "/bin/bash"
RUN useradd -d /home/inanzzz -s /bin/bash -u 1000 -g 1000 inanzzz
# Create home directory
RUN mkdir /home/inanzzz
# User and group own home directory
RUN chown -R inanzzz:inanzzz /home/inanzzz
USER inanzzz
CMD ["php-fpm", "--nodaemonize"]
# nginx.conf
user inanzzz;
...
# Dockerfile
FROM nginx:1.15.7
...
# Create group "inanzzz"
# set group id "1000"
RUN groupadd -g 1000 inanzzz
# Create user "inanzzz"
# set user id "1000"
# assign to existing group id "1000"
# set home directory "/home/inanzzz"
# set shell "/bin/bash"
RUN useradd -d /home/inanzzz -s /bin/bash -u 1000 -g 1000 inanzzz
# Create home directory
RUN mkdir /home/inanzzz
# User and group own home directory
RUN chown -R inanzzz:inanzzz /home/inanzzz
# Necessary steps to avoid permission errors
RUN touch /var/run/nginx.pid \
&& chown -R inanzzz:inanzzz /var/run/nginx.pid /var/cache/nginx
USER inanzzz
Because Nginx now runs as the unprivileged user inanzzz, it can no longer bind the default ports 80 and 443 (ports below 1024 are privileged), so we change them as follows. After this change you can use '8081:8080' and '4431:4443' in your docker-compose.yml file if you wish.
# Site virtualhost config
server {
listen 8080;
listen 4443 default_server ssl;
...
}
If the application is linked to a shared folder in the docker-compose.yml file, you can optionally use /home/inanzzz as the shared folder so that the new user owns the application.
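A pre-build check for the setup above, as an added example that is not part of the original post: it confirms that a Dockerfile ends on the expected non-root USER, that every www.conf pool key names that user, and that the site config listens on no port below 1024. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: static checks for the non-root setup on this page.
# Function names and the sample files below are constructed for illustration.

# Last USER in a Dockerfile (empty output means the base image default).
final_user() {
    awk 'toupper($1) == "USER" { u = $2; sub(/:.*/, "", u) } END { print u }' "$1"
}

# Value of one key (user, group, listen.owner, ...) in a PHP-FPM pool file.
pool_value() {
    awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/[ \t]/, "", v); print v; exit }' "$1"
}

# Nginx listen ports below 1024, which an unprivileged process cannot bind by default.
privileged_ports() {
    awk '$1 == "listen" { p = $2; sub(/;$/, "", p); sub(/^.*:/, "", p)
            if (p ~ /^[0-9]+$/ && p + 0 < 1024) print p }' "$1"
}

# check_fpm USER DOCKERFILE WWW_CONF: returns 0 when both files name USER.
check_fpm() {
    rc=0
    [ "$(final_user "$2")" = "$1" ] || { echo "$2: final USER is not $1"; rc=1; }
    for k in user group listen.owner listen.group; do
        [ "$(pool_value "$3" "$k")" = "$1" ] || { echo "$3: $k is not $1"; rc=1; }
    done
    return "$rc"
}

# check_nginx USER DOCKERFILE SITE_CONF: returns 0 when USER is set and no low port is used.
check_nginx() {
    rc=0
    [ "$(final_user "$2")" = "$1" ] || { echo "$2: final USER is not $1"; rc=1; }
    bad=$(privileged_ports "$3" | tr '\n' ' ')
    [ -z "$bad" ] || { echo "$3: cannot bind as $1: $bad"; rc=1; }
    return "$rc"
}

# Constructed sample files mirroring the ones shown above (www.conf has one stale key).
d=$(mktemp -d)
printf 'FROM php:7.2.13-fpm\nUSER inanzzz\n' > "$d/Dockerfile"
printf '[www]\nuser=inanzzz\ngroup=inanzzz\nlisten.owner=inanzzz\nlisten.group=www-data\n' > "$d/www.conf"
printf 'server {\n  listen 8080;\n  listen 4443 default_server ssl;\n}\n' > "$d/site.conf"
printf 'server {\n  listen 80;\n  listen 443 default_server ssl;\n}\n' > "$d/default.conf"
check_nginx inanzzz "$d/Dockerfile" "$d/site.conf" && echo "nginx: OK"
check_nginx inanzzz "$d/Dockerfile" "$d/default.conf" || echo "nginx: default ports rejected"
check_fpm inanzzz "$d/Dockerfile" "$d/www.conf" || echo "php-fpm: pool not fully switched"
```

The checks only read the files, so they can run in CI before `docker build`; they do not inspect the running container.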