flex-edge: bind-mounted /sites resets to 500 permissions on restart despite EASY_DEV_MODE=1

[drmm]

Describe the bug

When running openemr/openemr:flex-edge with both sites and the full code directory bind-mounted from the host (per the flex example) and EASY_DEV_MODE=1, the container still locks /var/www/localhost/htdocs/openemr/sites down to mode 500 (owner UNKNOWN:root) as soon as it starts. Apache can’t read the site directory, so the install requires a manual chmod after every restart.

To Reproduce

1. In docker-compose.yml, define the service as:

   services:
     openemr:
       image: openemr/openemr:flex-edge
       environment:
         EASY_DEV_MODE: "1"
         MYSQL_HOST: db
         MYSQL_USER: openemr
         # secrets for MYSQL_PASS, MYSQL_ROOT_PASS, OE_PASS, OIDC*, etc.
       volumes:
         - ../runtime/sites:/var/www/localhost/htdocs/openemr/sites
         - ../runtime/code:/var/www/localhost/htdocs/openemr
         - ../runtime/logs:/var/log/openemr

2. On the host, prep the volumes (apache UID 48):

   sudo rm -rf runtime/code && sudo mkdir -p runtime/code
   docker cp deployment-openemr-1:/var/www/localhost/htdocs/openemr/. runtime/code/
   sudo chown -R 48:0 runtime/sites runtime/code
   sudo find runtime/sites -type d -exec chmod 755 {} +
   sudo find runtime/sites -type f -exec chmod 644 {} +
   sudo chmod 550 runtime/sites/default && sudo chmod 440 runtime/sites/default/sqlconf.php
   

3. docker compose down openemr && docker compose up -d openemr to pull and start flex-edge.

4. Run cd deployment && ./scripts/openemr/verify_site_permissions.sh (or docker exec deployment-openemr-1 stat -c '%a %U:%G %n' /var/www/localhost/htdocs/openemr/sites) immediately after the container reports healthy.

5. Observe the output:

   [FAIL] sites root: expected mode 755, got 500
   owner UNKNOWN:root /var/www/localhost/htdocs/openemr/sites
   

Expected behavior

/var/www/localhost/htdocs/openemr/sites (and default/sqlconf.php) should remain at 755/550/440 with owner apache:root throughout the container lifecycle so Apache can serve the site without manual intervention.

Client configuration

• OpenEMR version: openemr/openemr:flex-edge (latest published, pulled Nov 18, 2025)
• Operating system: Debian-based GCE VM running Docker Engine 29 + Docker Compose (Traefik reverse proxy, MariaDB 11.4)

Let me know if additional logs or compose files would help; I’m happy to provide them.

[drmm]

@eugeneiiim @adunsulag @bradymiller any advice on flex-edge bind-mount permissions?