File Permission Issues with Temporal Self-Hosted Deployment on Docker Compose

I’m facing file permission issues while deploying the Temporal self-hosted application using Docker Compose. The primary challenges arise from:

  1. Hardcoded User in Temporal Image: The Temporal image employs a fixed user with UID 1000:1000.
  2. Host User Mismatch: My deployment utilizes a different user on the host system (e.g., “ansible” with UID 1002:1002).
  3. File Ownership and Permissions: Files generated by the deployment process (e.g., dynamicconfig and TLS certificates) are owned by the host user and have permissions set to 0600.

These factors lead to two primary problems:

  1. Bind-Mount Issues: When binding volumes from the host to the container, the container user (1000) cannot access the files due to ownership discrepancies.
  2. tctl Configuration Failure: Running the container with the --user=1002:1002 flag causes the tctl command to fail during initial use. It’s unable to create the necessary configuration directory ~/.config/temporalio/tctl.yaml as the container user lacks the required permissions.

Ideal Solution:

The ideal solution would involve a mechanism similar to Kubernetes’ SecurityContext, allowing us to specify both runAsUser and runAsGroup within Docker Compose. This would enable the container to run with the desired user and group, ensuring proper file access.

Alternative Solution:

If the above functionality is unavailable in Docker Compose, a potential alternative could be implemented in the Temporal Docker image:

  1. Accept User and Group IDs as Environment Variables: Allow users to specify the desired user and group IDs as environment variables during image build.
  2. Dynamic User and Group Creation: Implement an entrypoint script that dynamically creates the specified user and group within the container.

This approach would provide greater flexibility and allow users to run the container with their preferred user and group, irrespective of the host system’s user configuration.

I’m eager to hear the community’s thoughts on this issue and potential solutions. Any suggestions or insights would be greatly appreciated.
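The Docker Compose side of this, as an added example (editor's code, not from the original post, the Temporal project or its images): Compose already has a service-level `user:` key that is the closest analogue to Kubernetes' runAsUser/runAsGroup, and a non-existent UID inside the container has no passwd entry, so HOME has to be pointed at a writable mount before a tool like tctl can create `$HOME/.config/...` on first use. The script below emits such an override and then preflights a bind-mounted directory, listing every path the chosen container user could not read or traverse under the owner/group/other rule the kernel applies. It assumes a Linux host with GNU stat(1); the service name `temporal`, the mount paths and the in-container home `/home/temporal` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from Temporal's images.
# Assumptions: Linux host with GNU stat(1); service name, host paths and the
# in-container home directory are placeholders for the reader's deployment.

# compose_override UID GID HOST_CONFIG_DIR HOST_HOME_DIR [SERVICE]
# Prints a docker-compose override that runs SERVICE as UID:GID and gives it
# a writable HOME, so first-run config files (e.g. tctl's) can be created.
compose_override() {
  uid="$1"; gid="$2"; confdir="$3"; homedir="$4"; svc="${5:-temporal}"
  cat <<EOF
services:
  ${svc}:
    user: "${uid}:${gid}"
    environment:
      # A UID with no passwd entry gets no usable home; point HOME at a
      # bind mount that the container user owns.
      HOME: /home/temporal
    volumes:
      - ${confdir}:/etc/temporal/config:ro
      - ${homedir}:/home/temporal
EOF
}

# accessible_by PATH UID GID
# Returns 0 if UID:GID could open PATH from inside the container: files need
# read, directories need read+search. The owner class is checked before the
# group class, as the kernel does. ACLs, capabilities and root bypass are
# deliberately not modelled (the container user here is not root).
accessible_by() {
  p="$1"; uid="$2"; gid="$3"
  if [ -d "$p" ]; then need=5; else need=4; fi   # r-x = 5, r-- = 4
  set -- $(stat -c '%a %u %g' "$p")              # mode(octal) owner group
  m=$(( 0$1 & 0777 ))                            # leading 0: parse as octal
  if   [ "$2" -eq "$uid" ]; then bits=$(( (m >> 6) & 7 ))
  elif [ "$3" -eq "$gid" ]; then bits=$(( (m >> 3) & 7 ))
  else bits=$(( m & 7 )); fi
  [ $(( bits & need )) -eq "$need" ]
}

# unreadable_paths DIR UID GID
# Prints every path under DIR (DIR itself included) that UID:GID cannot
# access. Empty output means the bind mount is usable by that container user.
unreadable_paths() {
  dir="$1"; uid="$2"; gid="$3"
  find "$dir" | while IFS= read -r p; do
    accessible_by "$p" "$uid" "$gid" || printf '%s\n' "$p"
  done
}

# Usage on the host, before `docker compose up` (paths are placeholders):
#   compose_override 1002 1002 /srv/temporal/config /srv/temporal/home \
#       > docker-compose.override.yml
#   unreadable_paths /srv/temporal/config 1002 1002
```

Run the preflight with the UID:GID the container will actually use; anything it prints (typically the 0600 certificates from the post, or a 0700 parent directory) is what the container user will fail on, and the fix is to chown them to that user or to chgrp them and relax files to 0640 and directories to 0750, never to 0644. If the image's fixed 1000 user has to be kept instead, the same check run with `1000` plus the group of the files tells you whether adding that group via Compose's `group_add` (with 0640 files) is enough.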