Allow for setting of container UID/GID #2483

Closed
1 task done
Tracked by #2480
rgarcia6520 opened this issue Dec 8, 2022 · 10 comments · Fixed by #2495
Labels
bug bw-unified-deploy An Issue related to Bitwarden unified deployment

Comments

@rgarcia6520

Steps To Reproduce

Deploy docker container on host with volume mounted on share where uid 1000 does not exist.

Tested deploying on my unraid server where the default uid/gid for non-privileged containers is 99/100 and container is not able to write to any directories or create any files. If I could overwrite the UID/GID via env var then it would be successful. I don't see existing options in the container or in the documentation to perform this.

Expected Result

start up container, container is healthy and runs smoothly.

Actual Result

Permission Denied errors galore.

Screenshots or Videos

No response

Additional Context

Running on an Unraid server/host as a docker container. Have a dozen other containers running happily on the server.

Githash Version

N/A

Environment Details

  • Operating System: Unraid 6.11.5
  • Environment: Docker
  • Hardware: R5 3600X, 32GB RAM, 16TB storage

Database Image

postgres:12

Issue-Link

#2480

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@rgarcia6520 rgarcia6520 added bug bw-unified-deploy An Issue related to Bitwarden unified deployment labels Dec 8, 2022
@justindbaur justindbaur self-assigned this Dec 8, 2022
@rgarcia6520
Author

Realized this wasn't very informative; I was referring to being able to utilize something like linuxserver's PUID & PGID environment variables:

https://docs.linuxserver.io/general/understanding-puid-and-pgid

Or having the container work with Docker's --user flag.

@Profex

Profex commented Dec 12, 2022

I am facing exactly the same issue when deploying on a Synology NAS (DS918+, running DSM 7.1.1), with the docker volume mounted on a share. The container starts, but the log is full of permission denied errors:

Generating a RSA private key
.....................................................++++
......................................................++++
writing new private key to '/etc/bitwarden/identity.key'
req: Can't open "/etc/bitwarden/identity.key" for writing, Permission denied

@vgrassia
Member

vgrassia commented Dec 13, 2022

This should be fixed with #2495. The changes are live in the dev tag on Docker Hub.

@Profex

Profex commented Dec 13, 2022

Many thanks!
At first sight this now seems to work perfectly fine, but will check in more detail

Changes I did: branch changed to dev, and environment variables UID and GID set as needed for my environment

Generating a RSA private key
...................................................++++
......................................++++
writing new private key to '/etc/bitwarden/identity.key'
-----

@rgarcia6520
Author

rgarcia6520 commented Dec 13, 2022

Thank you @vgrassia. After pulling in that latest image and testing, it appears the container and all applications start and become healthy with permissions correctly allocated. However, I am not able to access the UI anymore, while I was able to before when running the beta tag, for example (some quick and dirty testing on my local machine; the unraid host is showing a similar situation):

❯ docker run -d --name bitwarden -v /home/ryan/bwdata/:/etc/bitwarden -p 80:80 -e UID=1001 -e GID=1000 -e BW_ENABLE_SSL=false bitwarden/self-host:dev
08db66435db20e7b3c983c153f2fece87303d724b3e61cb03b7fe2de0735da58
❯ docker ps -a
CONTAINER ID   IMAGE                     COMMAND            CREATED         STATUS         PORTS                               NAMES
08db66435db2   bitwarden/self-host:dev   "/entrypoint.sh"   4 seconds ago   Up 2 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   bitwarden
❯ docker exec -it bitwarden sh
/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/app # exit
❯ ls bwdata
identity.pfx
❯ ls bwdata -lh
total 4.0K
-rw------- 1 testser ryan 4.0K Dec 13 09:41 identity.pfx
❯ docker exec -it bitwarden sh
/app # ls /etc/bitwarden/
identity.pfx
/app # ls /etc/bitwarden/ -lh
total 4K
-rw-------    1 bitwarde bitwarde    4.0K Dec 13 16:41 identity.pfx
/app # id bitwarden
uid=1001(bitwarden) gid=1000(bitwarden) groups=1000(bitwarden),1000(bitwarden)
/app # ls -lh
total 148K
drwxr-xr-x    1 bitwarde bitwarde   16.0K Dec 13 15:37 Admin
drwxr-xr-x    1 bitwarde bitwarde   12.0K Dec 13 15:38 Api
drwxr-xr-x    1 bitwarde bitwarde   12.0K Dec 13 15:38 Events
drwxr-xr-x    1 bitwarde bitwarde   12.0K Dec 13 15:38 Icons
drwxr-xr-x    1 bitwarde bitwarde   12.0K Dec 13 16:41 Identity
drwxr-xr-x    1 bitwarde bitwarde   12.0K Dec 13 15:39 Notifications
drwxr-xr-x    1 bitwarde bitwarde   16.0K Dec 13 15:40 Scim
drwxr-xr-x    1 bitwarde bitwarde   12.0K Dec 13 16:41 Sso
drwxr-xr-x    1 bitwarde bitwarde    4.0K Dec 13 15:40 Web
-rw-r--r--    1 bitwarde bitwarde       3 Dec 13 16:42 supervisord.pid
/app # exit
❯ ss -ntlp
State       Recv-Q       Send-Q             Local Address:Port              Peer Address:Port      Process
LISTEN      0            4096                     0.0.0.0:80                     0.0.0.0:*
LISTEN      0            4096                        [::]:80                        [::]:*
❯ curl localhost:80
curl: (56) Recv failure: Connection reset by peer
❯ curl http://localhost:80
curl: (56) Recv failure: Connection reset by peer
(To unraid container at 192.168.1.210) ::
❯ nc -vz 192.168.1.210 80
nc: connect to 192.168.1.210 port 80 (tcp) failed: Connection refused
❯ nc -vz 192.168.1.210 443
nc: connect to 192.168.1.210 port 443 (tcp) failed: Connection refused

@Profex

Profex commented Dec 13, 2022

@rgarcia6520 not sure what is different in my case, but I can access the standard user UI and admin UI without issues on the new DEV build. So this does not seem to be a generic issue.

@rgarcia6520
Author

@Profex what UID/GID are you setting?

Also, do you have anything showing up under the NGINX logs in /var/log/nginx?

/app # cat /var/log/nginx/access.log
/app # cat /var/log/nginx/error.log
/app # cat /var/log/nginx/logs/
cat: read error: Is a directory
/app # ls /var/log/nginx/logs/
/app # ls /var/log/nginx/ -lh
total 4K
-rw-r--r--    1 bitwarde    bitwarde       0 Dec 13 17:34 access.log
-rw-r--r--    1 bitwarde    bitwarde       0 Dec 13 17:34 error.log
drwxr-xr-x    1 bitwarde    bitwarde    4.0K Dec 13 15:32 logs
/app # ls /var/log/nginx/logs/ -lh
total 0

@vgrassia
Member

@rgarcia6520 We have also recently added the ability to change ports on the internal NGINX web server. The defaults have been changed from 80 and 443 to 8080 and 8443 respectively. The port mapping in your docker-compose.yml file might need updating.

@rgarcia6520
Author

Ahh, thank you @vgrassia, I had missed that and that was my issue! Updated all ports to forward to 8080 instead of 80 and I can get to everything and log in successfully.

I believe this issue can be closed now; I have no further items.

@kspearrin
Member

Note that with the latest changes in dev, these env vars have changed to PGID and PUID. See #2514
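
The permission errors reported in this issue come from a mismatch between the owner of the bind-mounted host directory and the UID/GID the container processes run as. As an added example (not from the thread and not Bitwarden's code), this host-side check evaluates a data directory's owner, group and mode for a chosen PUID/PGID before the container is started; the function names are hypothetical, and 99/100 in the usage comment are the Unraid defaults mentioned in the report.

```shell
#!/bin/sh
# Added example (not Bitwarden code): host-side preflight for the directory
# that will be bind-mounted at /etc/bitwarden.
# Usage: sh preflight.sh <host-data-dir> 99 100
# Assumes `stat -c` (GNU or BusyBox); ignores ACLs, supplementary groups
# and NFS root-squash.

# class_can_write MODE OWNER GROUP UID GID
# Exit 0 if UID:GID may create files in a directory with these attributes.
class_can_write() {
    mode=$1 owner=$2 group=$3 uid=$4 gid=$5
    [ "$uid" -eq 0 ] && return 0            # local root bypasses mode bits
    perms=$(( 0$mode & 0777 ))              # drop setuid/setgid/sticky
    # Only the first matching class applies: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (perms >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (perms >> 3) & 7 ))
    else
        bits=$(( perms & 7 ))
    fi
    # Creating a file needs write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# check_data_dir DIR PUID PGID
# Prints a verdict; exit 0 = writable, 1 = denied, 2 = not a directory.
check_data_dir() {
    dir=$1 puid=$2 pgid=$3
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    set -- $(stat -c '%a %u %g' "$dir")     # $1=mode $2=owner uid $3=group gid
    if class_can_write "$1" "$2" "$3" "$puid" "$pgid"; then
        echo "ok: $puid:$pgid can write to $dir (mode $1, owner $2:$3)"
    else
        echo "denied: $puid:$pgid cannot write to $dir (mode $1, owner $2:$3)"
        return 1
    fi
}

if [ "$#" -eq 3 ]; then
    check_data_dir "$@"
fi
```

A "denied" verdict means either the directory's ownership or the PUID/PGID passed to the container has to change before the key and log files can be written.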
