Change user in Docker container

I am trying to run Collabora as user 1000 and group 1000 but Collabora doesn’t seem to want to run as anything other than user 1001. How do I change this?

services:
  collabora:
    image: collabora/code:latest
    restart: always
    <<: *lockdown
    cap_drop:
      - ALL
    cap_add:
      - SYS_CHROOT
      - SYS_ADMIN
    user: 1000:1000
    ports:
      - 9980:9980
    volumes:
      - collabora-child-roots:/opt/cool/child-roots
    environment:
      - TZ=${TZ}
      - domain=${COLLABORA_DOMAIN}
      - extra_params=--o:ssl.enable=false

Hi @Factoid7499, welcome to the community forum.

It’s not possible to simply run Collabora as UID/GID 1000, since coolwsd is designed to run as its internal cool user (1001:1001).

coolwsd expects to manage child roots, cache, and config files under directories owned by this user, and it enforces internal security checks that reject operations by any UID other than cool. As a result:

  • Files and directories in the container remain owned by cool, not an arbitrary UID.
  • coolwsd’s internal security model requires the cool user to spawn and manage processes.
  • If forced to run as a different UID (like with OpenShift’s restricted SCC, which assigns a random UID at runtime), coolwsd cannot spawn its forkit process and fails.

This issue was addressed in PR #12238 by introducing libnss-wrapper. The wrapper creates a /tmp/passwd file with the random UID assigned by OpenShift and makes libc use this file, allowing coolwsd to run correctly under OpenShift’s security model.

For more background, see the OpenShift-specific guidelines.
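
The libnss-wrapper step described in the answer above, as an added shell sketch that is not from the post, the PR, or Collabora's own entrypoint: it builds a passwd file for a runtime UID that has no entry and points libc at it. The function names, the `cool` name and `/opt/cool` home in the generated entry, the `/sbin/nologin` shell, and the use of `/etc/group` as the group file are assumptions.

```shell
#!/bin/sh
# Added illustration of the nss_wrapper pattern; not Collabora's entrypoint.
# Assumed values: user name "cool", home /opt/cool, shell /sbin/nologin.
WRAP_NAME=cool
WRAP_HOME=/opt/cool

is_numeric() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Succeeds if the passwd file $1 already has an entry for UID $2.
uid_is_known() {
    awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1"
}

# Print a passwd line mapping UID $1 / GID $2 to the assumed user name.
make_passwd_entry() {
    if ! is_numeric "$1" || ! is_numeric "$2"; then
        echo "uid and gid must be numeric" >&2
        return 1
    fi
    printf '%s:x:%s:%s:%s:%s:/sbin/nologin\n' \
        "$WRAP_NAME" "$1" "$2" "$WRAP_NAME" "$WRAP_HOME"
}

# Copy passwd file $1 to $2, dropping entries that clash on name or UID,
# then append the entry for UID $3 / GID $4.
write_wrapper_passwd() {
    entry=$(make_passwd_entry "$3" "$4") || return 1
    awk -F: -v u="$3" -v n="$WRAP_NAME" '$1 != n && $3 != u' "$1" > "$2" || return 1
    printf '%s\n' "$entry" >> "$2"
}

# Entrypoint step: only wrap when the runtime UID has no passwd entry.
setup_nss_wrapper() {
    uid=$(id -u); gid=$(id -g)
    uid_is_known /etc/passwd "$uid" && return 0
    write_wrapper_passwd /etc/passwd /tmp/passwd "$uid" "$gid" || return 1
    # nss_wrapper needs both files set before it redirects libc lookups.
    export NSS_WRAPPER_PASSWD=/tmp/passwd NSS_WRAPPER_GROUP=/etc/group
    export LD_PRELOAD=libnss_wrapper.so
}
# An entrypoint would call: setup_nss_wrapper && exec "$@"
```

The wrapper only changes what name lookups return for the process; it does not change ownership of files on disk, so directories the service writes to still need to be writable by the runtime UID.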