Setting up permissions for a (Symfony) web app on Docker
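# NOTE(review): alpine:3.7 no longer receives security updates; bump the tag
# (and ideally pin a digest) before reusing this recipe.
FROM alpine:3.7
# this is the "app" image, contains PHP-FPM
# www-data gets a fixed UID/GID (82) so the host-side ACLs in the Makefile
# (APP_RUNNER_ID=82) grant exactly the account PHP-FPM runs as in the container.
# -S: system account, -H: no home dir, -D: no password (login disabled)
RUN addgroup -g 82 -S www-data \
    && adduser -u 82 -H -D -S -G www-data www-data
# etc..
# (the original chain ended in "&& \" before these comments; Docker strips
# comment lines inside a continuation, which would splice the next
# instruction into the RUN shell command -- the chain is closed above)
# PHP-FPM is setup to run as "www-data"
WORKDIR /app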
#!/bin/bash | |
# this is a wrapper which allows you to run commands WITHIN your Docker-Compose cluster | |
# as you would on your local machine, but with everything in the cluster available
# just by prepending it with "bin/dsh" | |
# | |
# for example: | |
# bin/dsh bin/console doctrine:schema:update --force | |
# bin/dsh bin/console cache:clear | |
# etc. | |
# can also be root, but almost never needed: | |
# bin/dsh -u root bin/console must:be:root:to:run:this | |
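usage() {
    # Print the accepted options on stderr and abort.
    # Exit status is non-zero so a caller (or a "set -e" script) can tell a
    # bad invocation from a command that ran; the original "exit;" returned 0.
    echo "Usage: $0 [-u <www-data|root>] [-c <app>]" 1>&2
    exit 1
}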
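CONTAINER="app"
# Default: run as the invoking host user (uid:gid) so files created in the
# bind-mounted project keep the host owner; the Makefile ACLs cover the rest.
# Kept in its own variable so the exported $USER of the caller is not clobbered.
RUN_AS="$(id -u):$(id -g)"
while getopts ":u:c:" o; do
    case "${o}" in
        c)
            CONTAINER="${OPTARG}"
            # string comparison: (( )) is arithmetic and cannot compare names,
            # so the original check never validated the value
            [ "${CONTAINER}" = "app" ] || usage
            ;;
        u)
            # only the two in-container accounts are accepted, by name
            case "${OPTARG}" in
                root|www-data) RUN_AS="${OPTARG}:${OPTARG}" ;;
                *) usage ;;
            esac
            ;;
        *)
            usage
            ;;
    esac
done
shift "$((OPTIND-1))"
# project root = parent of the directory holding this script (bin/)
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
# no command given: open an interactive shell in the container
if [ "$#" -eq 0 ]; then
    set -- sh
fi
# "$@" passes each argument through intact; flattening into one string and
# re-splitting on whitespace (the original) broke quoted arguments
docker-compose -f "${ROOT}/docker-compose.yml" exec --user="${RUN_AS}" "${CONTAINER}" "$@"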
# same user ID as in the Dockerfile (addgroup -g 82 / adduser -u 82 for www-data)
APP_RUNNER_ID = 82
# project-relative Symfony runtime directories the app writes to
VAR_DIR   = var
CACHE_DIR = $(VAR_DIR)/cache
LOGS_DIR  = $(VAR_DIR)/logs
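# this sets up proper masking and (default and current) permissions for var/cache, var/logs
# so that every principal that writes there -- your host user, the app runner uid
# from the Dockerfile, and root -- can create / edit / delete files regardless of
# who owns them
# note: you do NOT need to run chmod 777 on these folders or "sudo" anything (hello, Ubuntu users!)
# for this to work properly
# -d sets the default ACL (inherited by entries created later); the second call
# without -d fixes what already exists. Both are needed on a populated tree.
# $$(...) is escaped so the shell, not make, runs whoami.
.PHONY: permissions
permissions:
	mkdir -p $(CACHE_DIR) $(LOGS_DIR)
	setfacl -dRm m:rwX,u:$$(whoami):rwX,u:$(APP_RUNNER_ID):rwX,u:root:rwX $(CACHE_DIR) $(LOGS_DIR)
	setfacl -Rm m:rwX,u:$$(whoami):rwX,u:$(APP_RUNNER_ID):rwX,u:root:rwX $(CACHE_DIR) $(LOGS_DIR)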
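# you can run this directly from host as your current user has all correct privileges
# the test guards against an empty override (make clean CACHE_DIR=), which would
# otherwise expand to "rm -rf /*"
.PHONY: clean
clean:
	test -n "$(CACHE_DIR)" && test -n "$(LOGS_DIR)"
	rm -rf $(CACHE_DIR)/* $(LOGS_DIR)/*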