
File permissions not handled, always root:root in container - MacOs Sonoma 14.5 - VirtuoFS & VZ #7924

Open
Martin-B opened this issue Dec 11, 2024 · 0 comments
Labels
area/volume Access to host volumes from inside the VM or containers kind/bug Something isn't working platform/macos

Comments

@Martin-B

Actual Behavior

In a local setup to run a Drupal 10 web project using PHP 8.2 as a base image, a Dockerfile, docker-compose.yml, .env file and shell scripts to install the project, the file system is never writable and always owned by root:root. Project fails to build and runs on one wheel without proper files and directory permissions.

All other file system and virtualization options were tested and failed. The VirtuoFS & VZ kind of work with this massive limitation.

Similar to #1979

Compare file permissions in local image and on remote Kubernetes:
(screenshot: rd-permissions-local)
(screenshot: rd-permissions-hosted)

Read a ton of docs and issues.
What am I missing?

Steps to Reproduce

  • Remove any trace of Docker Desktop and Podman from Mac OS
  • Download Rancher Desktop as a dmg disk image from official channels, install according to instructions
  • Test recommended file system options on existing Drupal 10 projects with PHP 8.2 as a base image.
  • Run project installation scripts (build, composer install, import DB, import config, fix permissions, etc.)
  • Test all file system and virtualization options, failure after failure
  • Realize that the project is not really functional as shell scripts or PHP cannot write to disk in the image, nor change ownership or permissions with the only somewhat functional VirtuoFS & VZ preferences

Here are my options below

(screenshot: rd-pref-02)
(screenshot: rd-pref-01)
(screenshot: rd-pref-03)
(screenshot: rd-pref-04)

Result

  • All file ownership locally is root:root and locked as-is in the built Docker image.
  • Shell scripts trying to delete and recreate temp file directories on build are useless and fail.
  • PHP cannot write to files or assets directories
  • Cannot run npm install over package.json in theme folder, npm fails to access filesystem
  • Deploy script cannot set file and directory permissions on deploy

Expected Behavior

Same ability to interact with the filesystem as I had with this recipe in Docker Desktop.

Additional Information

Dockerfile (trimmed)

FROM php:8.2-apache
ARG env
ARG REDIS_PORT
ARG REDIS_HOST
ARG REDIS_PASSWORD
ARG ENABLE_REDIS_CACHE
ARG LOCAL_DEV

# To allow installation of php packages @see https://hub.docker.com/_/php
RUN rm /etc/apt/preferences.d/no-debian-php

# Build image
RUN a2enmod rewrite

# Set timezone, OS and php
ENV TZ=America/New_York
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
    printf '[Date]\ndate.timezone="%s"\n' "$TZ" > /usr/local/etc/php/conf.d/tzone.ini && \
    dpkg-reconfigure -f noninteractive tzdata

# Install the PHP extensions we need
RUN apt-get update && \
    apt-get install -y \
            wget 
... ... 

# Install lib to gb
RUN apt-get update && \
    apt-get install -y \
            libpng-dev 
... ... 

# Configure PHP GD extension
... ... 
# Install PHP extensions
... ... 
# Configure and install the PHP LDAP extension
... ... 

# Install Composer
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer --version=2.6.5 && \
    rm -rf /var/lib/apt/lists/*
ENV PATH "/root/.composer/vendor/bin:$PATH"

RUN \
    mkdir -p /var/www/html/web/sites/default/files/private; \
    cp docker/config/.htaccess-private /var/www/html/web/sites/default/files/private/.htaccess; \
    chown -R www-data:www-data  /var/www/html/web/sites/default/files/private; \
    chmod -R g+w  /var/www/html/web/sites/default/files/private

# Copy files & set ownership
WORKDIR /var/www/html
COPY . /var/www/html
RUN chown -R www-data:www-data /var/www/html

# Configure drush
RUN ln -sf /var/www/html/vendor/bin/drush /usr/bin/drush

# Copy and bless build & deploy scripts
COPY /docker/scripts/* /usr/local/bin/
RUN chmod +x /usr/local/bin/*

RUN composer install --no-interaction --optimize-autoloader --no-dev;
... ... 

RUN echo "CMD apachectl -D FOREGROUND"
CMD apachectl -D FOREGROUND

docker-compose.yml (trimmed)

Focus on the ENTRYPOINT in Dockerfile and web service volumes in docker-compose.yml

The local filesystem is completely mounted 1 to 1 in OS, filtered through a .dockerignore file

volumes:
  db-volume-sim:
  redis-cache:
services:
  web:
    container_name: web-${APP_NAME}
    links:
      - database:localhost
    build:
      context: .
      dockerfile: Dockerfile
      args:
        - PHP_VERSION=${PHP_VERSION}
        - env=${ENV}
        - LOCAL_DEV=${LOCAL_DEV}
    volumes:
      - .:/var/www/html
      - /var/www/html/.git
      - ./files:/var/www/html/web/sites/default/files:delegated
      - ~/.composer:/home/php/.composer:rw
    ports:
      - ${WEB_PORT}:80
    environment:
      ENV: ${ENV}
      LOCAL_DEV: ${LOCAL_DEV}
      DATABASE_NAME: ${DATABASE_NAME}
      DATABASE_USER: ${DATABASE_USER}
      DATABASE_PASSWORD: ${DATABASE_PASS}
      DATABASE_PORT: ${DATABASE_PORT}
      DATABASE_HOST: ${DATABASE_HOST}
      MARIADB_VERSION: ${MARIADB_VERSION}
      DRUPAL_CONFIG_SYNC_DIRECTORY: /var/www/html/config/all
      CACHE_DIRECTORY: ${CACHE_DIRECTORY}
      TWIG_PHP_CACHE_DIRECTORY: ${TWIG_PHP_CACHE_DIRECTORY}
      AGGREGATED_ASSETS_DIRECTORY: ${AGGREGATED_ASSETS_DIRECTORY}
      FILES_ROOT: ${FILES_ROOT}
    restart: always
  database:
    container_name: database-${APP_NAME}
    image: mariadb:${MARIADB_VERSION}
    ports:
      - ${DATABASE_PORT}:3306
    command:
      - --max_allowed_packet=32505856
      - --disable-log-bin
    restart: always
    environment:
      - MYSQL_DATABASE=${DATABASE_NAME}
      - MYSQL_USER=${DATABASE_USER}
      - MYSQL_PASSWORD=${DATABASE_PASS}
      - MYSQL_ALLOW_EMPTY_PASSWORD=1
      - TZ=America/Toronto
    volumes:
      - db-volume-sim:/var/lib/mysql:delegated
      - ./docker/provision/mysql/init:/docker-entrypoint-initdb.d

Deploy shell script excerpt and log

# Apply the project's ownership and mode conventions under /var/www/html:
# www-data owns everything, directories 750, files 640, files dir group-writable.
set_permissions () {
  chmod -R ug+rw /var/www/html/config
  chown -R www-data:www-data /var/www/html
  find /var/www/html -type d -exec chmod u=rwx,g=rx,o= '{}' \;
  find /var/www/html -type f -exec chmod u=rw,g=r,o= '{}' \;
  chmod -R g+w /var/www/html/web/sites/default/files
  chmod u+x /var/www/html/vendor/drush/drush/drush
  chmod u+x /var/www/html/vendor/bin/drush
}

# Create the private files directory if it does not exist yet.
create_private_files_dir () {
  if [ ! -d "$PIVATE_FILES_DIRECTORY" ]; then
      mkdir "$PIVATE_FILES_DIRECTORY"
  fi
}

# Recreate the Twig/PHP cache and aggregated assets directories from scratch.
create_cache_dirs () {
  if [ -d "$SITE_ROOT/$CACHE_DIRECTORY" ]; then
    rm -R -f "$SITE_ROOT/$CACHE_DIRECTORY"
  fi
  mkdir -p "$SITE_ROOT/$TWIG_PHP_CACHE_DIRECTORY" && \
  chown -R www-data:www-data "$SITE_ROOT/$CACHE_DIRECTORY" && \
  chmod -R ug+rw "$SITE_ROOT/$CACHE_DIRECTORY"

  if [ -d "$WEB_ROOT/$AGGREGATED_ASSETS_DIRECTORY" ]; then
    rm -R -f "$WEB_ROOT/$AGGREGATED_ASSETS_DIRECTORY"
  fi

  mkdir -p "$WEB_ROOT/$AGGREGATED_ASSETS_DIRECTORY"
  if [ -f "$SITE_ROOT/docker/config/.htaccess-assets" ]; then
    cp "$SITE_ROOT/docker/config/.htaccess-assets" "$WEB_ROOT/$AGGREGATED_ASSETS_DIRECTORY/.htaccess"
  fi
  chown -R www-data:www-data "$WEB_ROOT/$AGGREGATED_ASSETS_DIRECTORY" && \
  chmod -R 755 "$WEB_ROOT/$AGGREGATED_ASSETS_DIRECTORY"
}

Log excerpt

... ... 

LOGS=/var/www/html/web/sites/default/files/log/2024/December/deploy-24-12-11.log

Deployment starts...
>> create_cache_dirs
rm: cannot remove '/var/www/html/web/sites/default/assets': Permission denied

... ... 

Rancher Desktop Version

1.16.0

Rancher Desktop K8s Version

1.30.6

Which container engine are you using?

moby (docker cli)

What operating system are you using?

macOS

Operating System / Build Version

MacOs Sonoma 14.5

What CPU architecture are you using?

arm64 (Apple Silicon)

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response

@Martin-B Martin-B added the kind/bug Something isn't working label Dec 11, 2024
@gunamata gunamata added area/volume Access to host volumes from inside the VM or containers platform/macos labels Dec 12, 2024
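Since docker-compose.yml bind-mounts `.` over /var/www/html, the ownership the Dockerfile sets with `chown -R www-data:www-data` at build time is shadowed at runtime by whatever the shared-filesystem backend exposes, so the useful question is what that mount actually permits. The probe below is an added example (not from the issue or from Rancher Desktop); it assumes GNU or busybox `stat -c` inside the Linux container and uses 33:33, the www-data uid:gid of Debian-based php images, and checks each change with `stat` rather than trusting the command's exit status.

```shell
#!/bin/sh
# Probe what a bind-mounted directory permits from inside the container:
# create a file, chown it, chmod it, and verify each step with stat, since a
# silently ignored chown/chmod can still exit 0 on shared-filesystem mounts.
# Usage inside the container:  sh probe.sh /var/www/html [uid:gid]
probe_mount() {
  dir=$1
  owner=${2:-33:33}                  # www-data uid:gid in Debian-based php images
  probe="$dir/.perm-probe.$$"
  result="dir=$dir owner=$(stat -c %u:%g "$dir" 2>/dev/null || echo unknown)"

  # 1. Can the container create a file here at all?
  if : > "$probe" 2>/dev/null; then
    result="$result write=ok"
  else
    echo "$result write=denied"
    return 1
  fi

  # 2. Does an ownership change stick, or is it forced back (e.g. to root:root)?
  if chown "$owner" "$probe" 2>/dev/null && [ "$(stat -c %u:%g "$probe")" = "$owner" ]; then
    result="$result chown=ok"
  else
    result="$result chown=ignored"
  fi

  # 3. Does a mode change stick? 0640 is what set_permissions expects for files.
  chmod 0640 "$probe" 2>/dev/null || true
  if [ "$(stat -c %a "$probe" 2>/dev/null)" = "640" ]; then
    result="$result chmod=ok"
  else
    result="$result chmod=ignored"
  fi

  rm -f "$probe"
  echo "$result"
}

# Run against the path given on the command line (no-op when no path is given).
if [ -n "${1:-}" ]; then
  probe_mount "$@"
fi
```

Running it once against the bind mount (/var/www/html) and once against a path inside an image layer (for example /usr/local/bin) shows whether the failure is specific to the shared filesystem.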