move app user creation to startup scripts

run fpm as app user

app/Dockerfile

@@ -14,9 +14,6 @@ ADD index.php /
 
 RUN sed -i.bak 's/^listen = 127.0.0.1:9000/listen = 9000/' /etc/php7/php-fpm.d/www.conf
 
-ARG OWNER_UID
+RUN mkdir -p /var/www
-ARG OWNER_GID
-
-RUN mkdir -p /var/www && addgroup -g ${OWNER_GID} app && adduser -D -h /var/www/html -G app -u ${OWNER_UID} app
 
 CMD /startup.sh

app/startup.sh

@@ -5,6 +5,9 @@ while ! pg_isready -h $DB_HOST -U $DB_USER; do
 	sleep 3
 done
 
+addgroup -g $OWNER_GID app
+adduser -D -h /var/www/html -G app -u $OWNER_UID app
+
 DST_DIR=/var/www/html/tt-rss
 SRC_REPO=https://git.tt-rss.org/fox/tt-rss.git
 
@@ -33,7 +36,8 @@ else
 	  	git pull origin master
 fi
 
-chown -R $OWNER_UID:$OWNER_GID $DST_DIR
+chown -R $OWNER_UID:$OWNER_GID $DST_DIR \
+	/var/log/php7
 
 for d in cache lock feed-icons; do
 	chmod -R 777 $DST_DIR/$d
@@ -72,5 +76,5 @@ fi
 
 touch $DST_DIR/.app_is_ready
 
-exec /usr/sbin/php-fpm7 -F
+sudo -u app /usr/sbin/php-fpm7 -F
 

app/updater.sh

@@ -3,6 +3,9 @@
 # wait for the app container to delete .app_is_ready and perform rsync, etc.
 sleep 30
 
+addgroup -g $OWNER_GID app
+adduser -D -h /var/www/html -G app -u $OWNER_UID app
+
 while ! pg_isready -h $DB_HOST -U $DB_USER; do
 	echo waiting until $DB_HOST is ready...
 	sleep 3
@@ -15,4 +18,4 @@ while [ ! -s $DST_DIR/config.php -a -e $DST_DIR/.app_is_ready ]; do
 	sleep 3
 done
 
-exec /usr/bin/php /var/www/html/tt-rss/update_daemon2.php
+sudo -u app /usr/bin/php /var/www/html/tt-rss/update_daemon2.php

docker-compose.yml

@@ -17,9 +17,6 @@ services:
     build: 
       context:
         ./app
-      args:
-        - OWNER_UID=${OWNER_UID}
-        - OWNER_GID=${OWNER_GID}
     restart: unless-stopped
     environment:
       - DB_TYPE=pgsql
@@ -39,9 +36,6 @@ services:
     build:
       context:
         ./app
-      args:
-        - OWNER_UID=${OWNER_UID}
-        - OWNER_GID=${OWNER_GID}
     restart: unless-stopped
     environment:
       - DB_TYPE=pgsql
@@ -56,7 +50,6 @@ services:
       - app:/var/www/html
     depends_on:
       - app
-    user: app
     command: /updater.sh
 
   web: