When you build an image you can assign ownership (`chown`) and change permissions (`chmod`) of paths within the image. However, when a volume is mounted from either the host or another container the permissions for that volume are present, potentially introducing a user/group unknown to the container it is mounted within.
I'm interested in a prescriptive method (if one exists) to handle permissions for users under an Alpine Docker image for both host mounted and container mounted volumes.
The two possible options that I can think of are:
- Use the same user and group between containers and mounted volumes.
- Use ACLs to control the permissions.
Is there a recommended approach for addressing permission issues for mounted volumes, especially when the uid/gid of the owners does not match with users/groups inside of a container? For example:
Within my Alpine Docker image my `www-data` user has a uid/gid of 82 (see: nginx www-data user id). If I mount a volume from another container or the host where a user with the uid `1001` and gid `1001` owns the volume, how do I deal with the disparity in ownership and permissions?
NB: Some application frameworks (e.g. Symfony) recommend using something like `setfacl` [1] to manage permissions, but this does not seem to be possible under an Alpine Docker image with AUFS because the operation is "not supported".
Is using ACLs an anti-pattern in Docker?
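The following is an added example of the first option listed above (making the container's user carry the same uid/gid as the volume's owner); it is not code from the question or from any framework. It is an entrypoint script for an Alpine (BusyBox) image, run as root at container start, that reads the owner of the mounted path with `stat`, and if it differs from the application user, recreates that user and group with the volume's ids using BusyBox `deluser`/`addgroup`/`adduser` before dropping privileges. Assumptions, all labelled in the code: the user and mount path come from the hypothetical `APP_USER` and `APP_MOUNT` environment variables (defaulting to `www-data` and `/var/www/html`), the image has the `su-exec` package installed to drop privileges, and the Dockerfile opts in with `ENV ENTRYPOINT_REMAP=1`, `ENTRYPOINT ["/entrypoint.sh"]` and the usual `CMD`.

```shell
#!/bin/sh
# Example entrypoint for an Alpine image: align the app user's uid/gid with the
# owner of a mounted volume, then drop privileges. Must start as root.
set -eu

# "uid:gid" of the owner of a path (BusyBox and GNU stat both accept -c).
owner_ids() {
  stat -c '%u:%g' "$1"
}

# "uid:gid" of an account as currently defined in the container.
user_ids() {
  printf '%s:%s\n' "$(id -u "$1")" "$(id -g "$1")"
}

# True (exit 0) when the account's ids differ from the path owner's ids.
needs_remap() {
  [ "$(user_ids "$1")" != "$(owner_ids "$2")" ]
}

# Recreate USER (and its primary group) with the uid:gid that owns PATH.
remap_user_to_volume() {
  user=$1
  path=$2
  want=$(owner_ids "$path")
  have=$(user_ids "$user")
  if [ "$want" = "$have" ]; then
    echo "entrypoint: $user already matches owner of $path ($want)"
    return 0
  fi
  uid=${want%%:*}
  gid=${want##*:}

  # Refuse to steal a uid that already belongs to a different account.
  holder=$(awk -F: -v u="$uid" '$3 == u { print $1 }' /etc/passwd)
  if [ -n "$holder" ] && [ "$holder" != "$user" ]; then
    echo "entrypoint: uid $uid is already used by '$holder'; not remapping $user" >&2
    return 1
  fi

  # Preserve the account's home and shell across the delete/recreate.
  home=$(awk -F: -v u="$user" '$1 == u { print $6 }' /etc/passwd)
  shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' /etc/passwd)
  group=$(id -gn "$user")
  # If some group already has the wanted gid, join it instead of creating a duplicate.
  existing_group=$(awk -F: -v g="$gid" '$3 == g { print $1 }' /etc/group)

  # BusyBox account tools (Alpine does not ship shadow's usermod by default).
  deluser "$user"
  if [ -n "$existing_group" ]; then
    group=$existing_group
  else
    delgroup "$group" 2>/dev/null || true
    addgroup -g "$gid" "$group"
  fi
  adduser -D -H -h "${home:-/nonexistent}" -s "${shell:-/sbin/nologin}" \
    -u "$uid" -G "$group" "$user"
  echo "entrypoint: remapped $user to $uid:$gid to match $path"
}

entrypoint_main() {
  # APP_USER / APP_MOUNT are hypothetical variables chosen for this example.
  app_user=${APP_USER:-www-data}
  app_mount=${APP_MOUNT:-/var/www/html}
  remap_user_to_volume "$app_user" "$app_mount"
  # su-exec (apk add su-exec) is Alpine's small gosu equivalent; assumed installed.
  exec su-exec "$app_user" "$@"
}

# Only act as an entrypoint when the image opts in (ENV ENTRYPOINT_REMAP=1);
# otherwise the file just defines the functions above.
if [ "${ENTRYPOINT_REMAP:-0}" = 1 ]; then
  entrypoint_main "$@"
fi
```

Run with `docker run -v /path/on/host:/var/www/html image`; the bind mount keeps the host owner's `1001:1001`, so `www-data` is rebuilt with those ids before nginx (or whatever `CMD` is) starts as that user. The script needs the container to start as root, and it changes nothing on the volume itself, which is the point: the alternative of `chown -R` on the mount rewrites host-owned files and is slow on large trees. If the volume's uid is already taken by another account in the image, the script stops rather than silently merging two identities.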