Closed
Description
WHAT HAPPENED
I have a custom image that inherits from wordpress:5.3.2-apache (see below).
I'm trying to create a non-root WordPress container and persist the wp-content folder ONLY (not the whole WordPress installation at /var/www/html).
When running the container:
- /var/www/html is set to 777.
- New plugins installed using the dashboard have a folder set to 777.
- New folders automatically created in wp-content and uploads are set to 777.
I tried to chmod /var/www/html in the Dockerfile, but it does nothing.
Folders have proper permissions when persisting /var/www/html (all WordPress files).
WHAT YOU EXPECTED TO HAPPEN
Persist /var/www/html/wp-content ONLY with /var/www/html permission set to 755.
DOCKERFILE "wpcustom:5.3.2"
```dockerfile
FROM wordpress:5.3.2-apache

ENV TZ="Europe/Paris"
RUN cp /usr/share/zoneinfo/${TZ} /etc/localtime

ENV APACHE_SERVER_NAME="localhost" \
    APACHE_RUN_USER="myuser" \
    APACHE_RUN_GROUP="myuser" \
    APACHE_PORT_HTTP="8080" \
    APACHE_PORT_HTTPS="8443" \
    APACHE_LOG_DIR="/var/log/apache2"

# Dedicated unprivileged user and group (UID/GID 2000) for Apache
RUN groupadd -g 2000 ${APACHE_RUN_GROUP} && \
    useradd -s /bin/bash -u 2000 -g ${APACHE_RUN_GROUP} ${APACHE_RUN_USER};

# Single quotes keep ${...} literal in the config files;
# Apache expands these from the environment when it starts.
RUN sed -i 's/Listen 80/Listen ${APACHE_PORT_HTTP}/g' /etc/apache2/ports.conf; \
    sed -i 's/Listen 443/Listen ${APACHE_PORT_HTTPS}/g' /etc/apache2/ports.conf; \
    sed -i 's/:80/:${APACHE_PORT_HTTP}/g' /etc/apache2/sites-enabled/000-default.conf; \
    sed -i 's/#ServerName www.example.com/ServerName ${APACHE_SERVER_NAME}/g' /etc/apache2/sites-enabled/000-default.conf;

# Run as the unprivileged user on non-privileged ports
USER ${APACHE_RUN_USER}
EXPOSE ${APACHE_PORT_HTTP} ${APACHE_PORT_HTTPS}
CMD ["apache2-foreground"]
```
HOW TO REPRODUCE IT
Using Docker:
```shell
$ docker run --name wp -v ./wp-content:/var/www/html/wp-content -p 80:8080 -p 443:8443 wpcustom:5.3.2
$ docker exec -i -t wp /bin/bash
$ ls -la /var/www
```
Note: you can also reproduce it with the original image wordpress:5.3.2-apache.
Using Kubernetes:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: school-wordpress
  namespace: dev
  labels:
    app: school
spec:
  selector:
    matchLabels:
      app: school
      role: frontend
      tier: wordpress
  replicas: 4
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 50%
      maxUnavailable: 50%
  template:
    metadata:
      labels:
        app: school
        role: frontend
        tier: wordpress
    spec:
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
      volumes:
        - name: school-wordpress
          persistentVolumeClaim:
            claimName: school-wordpress
      containers:
        - name: school-wordpress
          image: customwp:5.3.2
          imagePullPolicy: Always
          securityContext:
            runAsUser: 2000
            runAsGroup: 2000
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: school-wordpress
              mountPath: /var/www/html/wp-content
          ports:
            - name: liveness
              containerPort: 8080
          readinessProbe:
            initialDelaySeconds: 5
            tcpSocket:
              port: liveness
            timeoutSeconds: 5
            periodSeconds: 30
            failureThreshold: 5
          livenessProbe:
            initialDelaySeconds: 5
            tcpSocket:
              port: liveness
            timeoutSeconds: 5
            periodSeconds: 30
            failureThreshold: 5
          envFrom:
            - configMapRef: { name: school-wordpress }
            - secretRef: { name: school-wordpress }
          env:
            - name: APACHE_SERVER_NAME
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
```
```shell
$ kubectl exec -it school-wordpress -n dev -- ls -la /var/www
```
Thank you!
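
To confirm exactly which directories end up world-writable in the running container, a check along these lines can be run through `docker exec` or `kubectl exec`. It is an added example, not part of the original issue or of the image's own scripts; the function names `world_writable_dirs` and `check_webroot` are hypothetical, and GNU `find` and `stat` are assumed (as in the Debian-based image).

```shell
#!/bin/sh
# Added example (not from the issue): audit a web root for the condition the
# report describes, i.e. directories writable by "other" (mode 777 or similar).
# Assumes GNU find/stat. Function names are hypothetical.

# world_writable_dirs ROOT
#   Prints "<octal mode> <owner>:<group> <path>" for every directory at or
#   below ROOT whose mode has the other-write bit set. Mounted volumes such
#   as wp-content are included, because find is not limited to one filesystem.
world_writable_dirs() {
    root=$1
    find "$root" -type d -perm -0002 -exec stat -c '%a %U:%G %n' {} +
}

# check_webroot ROOT [EXPECTED_MODE]
#   Returns 0 when ROOT itself has EXPECTED_MODE (default 755, the mode the
#   report expects for /var/www/html) and no directory below it is
#   world-writable; returns 1 otherwise, 2 if ROOT cannot be inspected.
check_webroot() {
    root=$1
    expected=${2:-755}
    status=0

    actual=$(stat -c '%a' "$root") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "FAIL $root has mode $actual, expected $expected"
        status=1
    fi

    offenders=$(world_writable_dirs "$root")
    if [ -n "$offenders" ]; then
        echo "FAIL world-writable directories:"
        echo "$offenders"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK $root"
    fi
    return "$status"
}

# Usage inside the container: check_webroot /var/www/html
```

The exit status makes the check usable in a CI step or an exec probe, and the owner and group columns show whether a flagged directory belongs to the image or to the mounted volume.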