fix(project): run docker as host user with project dir group #1097
Open
bdgraue (bdgraue) wants to merge 1 commit into
`project create --docker` and `project dev` fail with "Permission denied" for host users with a UID other than 1000: the docker-dev image runs as UID 1000 and cannot write to the bind-mounted project directory.

Run the containers as the calling host user instead: the composer `docker run` gets `--user uid:gid` plus HOME/COMPOSER_HOME pointed at a writable location (an arbitrary UID has no passwd entry in the image), and the generated compose.yaml sets `user:` on the web service.

The GID is taken from the project directory's owning group so shared, group-owned multi-user dev directories keep working. The mapping is Linux-only: Docker Desktop's VM handles ownership on macOS/Windows.

Fixes shopware#1096
Refs shopware/shopware#15896
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes #1096
Refs shopware/shopware#15896
Problem
`project create --docker` and `project dev` fail with "Permission denied" for any host user whose UID is not `1000` (composer cannot write `composer.lock` during create; `system:install` cannot write `var/log` during dev). The `ghcr.io/shopware/docker-dev` image runs as UID 1000, and on Linux bind mounts expose raw host ownership, so the containers cannot write into a project directory owned by any other user. See #1096 for full details.

Approach
Run the containers as the calling host user (Linux only):
- `internal/system/docker_unix.go`: `IsDockerMountable()` no longer hard-codes `os.Getuid() == 1000` — with user mapping in place, bind mounts are writable for any host user. New helpers: `ProjectUserSpec(dir)` returns the `uid:gid` spec (caller's UID + the project directory's owning group), `DockerRunUserArgs(projectDir)` returns the `docker run` arguments (`--user` plus `HOME`/`COMPOSER_HOME` pointed at a writable location, since an arbitrary UID has no passwd entry inside the image).
- `cmd/project/project_create_install.go`: the composer `docker run` gets those user arguments.
- `internal/docker/compose.go`: `ComposeOptions` gains a `User` field, emitted as `user:` on the `web` service; `WriteComposeFile` defaults it to `ProjectUserSpec(projectFolder)`. All existing `WriteComposeFile` callers (`project create`, `project dev`, dev TUI) pick this up automatically.

Using the project directory's owning group as the GID keeps shared, group-owned multi-user dev directories working (e.g. a setgid projects dir owned by a dev group): files created by the container stay writable for the whole group.

The mapping is deliberately Linux-only (`ProjectUserSpec` returns `""` elsewhere): on macOS and Windows, Docker Desktop's VM handles bind-mount ownership, so the containers keep running with the image default user there and existing behavior is unchanged.

Testing
- `internal/docker/compose_test.go` cover the `user:` key emission (set vs. unset).
- `gofmt`, `go build ./...`, `golangci-lint run --timeout 4m` and the test suites for `internal/docker`, `internal/system` and `cmd/project` all pass locally.
- `0.16.0-alpha-3` on Ubuntu (host UID 1001).

Open question for review
Whether the `docker-dev` image entrypoint starts cleanly as an arbitrary `uid:gid` (no passwd entry inside the container) — I will post the result of the first `docker compose up` with the generated `user:` key in this PR.

🤖 Generated with Claude Code
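The mapping described in the PR text above, as an added sketch that is not the PR's or the project's code: it derives `uid:gid` from the caller's UID and the project directory's owning group, then builds the `docker run` user arguments. The function names, the `/tmp` home path and the `.composer` subdirectory are assumptions made for this illustration; the code is Unix-only.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// dirGroup returns the GID of the group that owns dir (Unix only).
func dirGroup(dir string) (uint32, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, fmt.Errorf("no Unix ownership data for %s", dir)
	}
	return st.Gid, nil
}

// userSpec builds "uid:gid": the caller's UID plus the directory's owning group,
// so files the container creates stay writable for a shared dev group.
func userSpec(dir string) (string, error) {
	gid, err := dirGroup(dir)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%d:%d", os.Getuid(), gid), nil
}

// runUserArgs returns the docker run arguments for spec. home is an assumed
// writable path inside the container: an arbitrary UID has no passwd entry,
// so HOME and COMPOSER_HOME have to be set explicitly.
func runUserArgs(spec, home string) []string {
	if spec == "" { // no mapping: keep the image's default user
		return nil
	}
	return []string{"--user", spec, "-e", "HOME=" + home, "-e", "COMPOSER_HOME=" + home + "/.composer"}
}

func main() {
	spec, err := userSpec(".")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot derive user spec:", err)
		os.Exit(1)
	}
	fmt.Println(runUserArgs(spec, "/tmp"))
}
```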