AWS Elastic Beanstalk Change Permissions on Mounted Directory

I'm deploying a Laravel application to a multicontainer Elastic Beanstalk configuration. The application code is packaged in a zip file and uploaded as part of the deployment, and is then mounted into the PHP-FPM Docker container. The containers run correctly and the code is mounted; however, all the mounted directories are owned by root and therefore the application cannot write to these directories (required for log files, framework files, etc.). I need them to be owned by www-data.

If I manually SSH onto the EC2 instance, then run docker exec -it container_id bash and run ls -la, I can see all the files/dirs are owned by root. If I run chown -R www-data: storage vendor then the application works as expected.

Therefore I need to find a way to change the permissions on the mounted directories inside the php-fpm container.

I have tried the following command in .ebextensions/permissions.config:

container_commands:
  01_change_storage_permissions:
    # Get the php fpm container ID and change permissions on the mounted directories
    command: sudo docker exec $(sudo docker ps -aqf "name=php-fpm") chown -R www-data:www-data storage vendor bootstrap

The deployment is successful, so I can assume the command executed successfully, but it unfortunately doesn't seem to change the permissions, as upon logging into the container, the directories are still owned by root.

ExoticChimp asked Oct 28 '22 22:10

1 Answer

You can chown the directories before mounting them, as described here. A brief overview:

If you control the Dockerfile, you run HOST_UID=$(id -u) and HOST_GID=$(id -g) and generate a Dockerfile that expands $HOST_GID and $HOST_UID in the below two commands:

RUN groupadd -g $HOST_GID mygroup
RUN useradd -l -u $HOST_UID -g mygroup myuser

Use the generated Dockerfile, with the IDs filled in, to build your image.

If you don't control the Dockerfile, here’s a container pattern for assigning the userid / groupid at runtime in a way that’s easily portable.

Sam H. answered Nov 11 '22 17:11
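
The Dockerfile generation step from the answer above, written out as an added example that is not part of the original answer. The `php:fpm` base image, the `USER` line, the ID validation rules and the function names are assumptions; `mygroup` and `myuser` come from the answer's two `RUN` lines.

```shell
#!/bin/sh
# Added example: render a Dockerfile with the host UID/GID filled in.
# Function names, base image and USER line are assumptions of this sketch.

# is_valid_id ID: accept only a non-zero decimal number without leading zeros.
# Rejecting 0 keeps the container user from being mapped to root (which is
# what id -u returns when the script is run under sudo), and the digits-only
# check stops anything else from being pasted into a RUN line.
is_valid_id() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 9 ]
}

# render_dockerfile UID GID: print the generated Dockerfile on stdout.
render_dockerfile() {
    uid=$1
    gid=$2
    if ! is_valid_id "$uid" || ! is_valid_id "$gid"; then
        echo "refusing to render: UID/GID must be non-zero decimal numbers" >&2
        return 1
    fi
    cat <<EOF
FROM php:fpm
RUN groupadd -g $gid mygroup
RUN useradd -l -u $uid -g mygroup myuser
USER myuser
EOF
}

# Only touch the filesystem when asked to, e.g. "sh gen-dockerfile.sh --write"
# (hypothetical file name). The temp file avoids leaving an empty Dockerfile
# behind when validation fails.
if [ "${1:-}" = "--write" ]; then
    render_dockerfile "$(id -u)" "$(id -g)" > Dockerfile.tmp \
        && mv Dockerfile.tmp Dockerfile
fi
```

Files created on the host by the user who ran the script then carry the same numeric owner as `myuser` inside the container, so the bind-mounted directories are writable without running the process as root.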