Comments (15)
Please be aware that www-data is a "system user" having higher privileges than normal users. See UID-s in the top comment.
from docker-php.
> how would downstream docker images add their project dependencies?

USER 0
MANAGE DEPS
USER 12345
Done!
from docker-php.
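The three-step pattern in the reply above (switch to root, manage dependencies, switch back), written out as a downstream Dockerfile. This is an added example, not code from the project or from either commenter: the image tag and UID 12345 are the ones named in the thread, the php-redis package is the one mentioned later in the thread, and the application path /var/www/html and the `COPY --chown` step are assumptions.

```dockerfile
# Downstream image built on a base whose final instruction is USER 12345.
# Assumed base image and UID are the ones discussed in the thread; /var/www/html
# is an assumed application path.
FROM serversideup/php:8.0-fpm-nginx

# Step 1: become root only for the layers that genuinely need it.
# apt writes to /var/lib/apt, /var/cache/apt and /usr/lib, which UID 12345 cannot.
USER 0

# Step 2: manage dependencies as root, then clean up so the layer stays small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends php-redis \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

# Application files: owned by the runtime UID so it can read them, but this is
# the only place ownership is granted; everything installed above stays root-owned
# and read-only for the service, which is what you want from a least-privilege image.
COPY --chown=12345:12345 . /var/www/html

# Step 3: drop back to the unprivileged UID as the LAST instruction, so every
# container started from this image (and any further downstream image that does
# not repeat the USER 0 dance) runs unprivileged.
USER 12345
```

A quick check after building is `docker run --rm <image> id -u`, which should print 12345; if it prints 0, an instruction after the final `USER` (or a later `FROM` in a multi-stage build) reset it.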
BTW Debian uses https://github.com/krallin/tini
from docker-php.
> Does that sound like a good approach?

At first glance yes. Staring a lot at htop may tell you much more.
from docker-php.
It is open-source. You can spend weeks with it!
from docker-php.
I totally agree and this is on my radar. I am hoping this will be fixed in #15.
The only problem I had was if I set it to www-data in this image, then later on I want to add a PHP package (like php-redis or something), I was running into errors that www-data did not have permissions to install.
I will definitely be revisiting this because it's one of the bigger worries I had about this setup.
from docker-php.
> then later on I want to add a PHP package

Setting user in a Docker image should be the last step.
I hope you do not intend to install packages in a running container!
from docker-php.
> I hope you do not intend to install packages in a running container!

No, this would be like this...
Problem
- If I set a USER 12345 to run the serversideup/php:8.0-fpm-nginx as, how would downstream docker images add their project dependencies?
For example
(I think I tried this earlier)
On a downstream docker project, I might want a new Dockerfile that depends off of the base image from ServerSideUp:
```dockerfile
FROM serversideup/php:8.0-fpm-nginx
RUN apt update && apt install php-redis
```
⚠️ If I have USER 12345 (telling the container to run as UID 12345 from the parent image), this will fail because USER 12345 cannot install php-redis.
Thoughts?
from docker-php.
I will definitely give this a whirl, thanks!!
from docker-php.
Here is an update on this:
Problem
- When I use S6 Overlay, I cannot get logging to work on the php-fpm image
How to recreate the problem
1. Copy my Dockerfile
```dockerfile
####################################################
# Server Side Up - PHP 7.4 / FPM image
####################################################
FROM serversideup/php:beta-7.4-cli
LABEL maintainer="Jay Rogers (@jaydrogers)"

# Set default PHP environment variables
ENV PHP_DATE_TIMEZONE="UTC" \
    PHP_DISPLAY_ERRORS=On \
    PHP_ERROR_REPORTING="E_ALL & ~E_DEPRECATED & ~E_STRICT" \
    PHP_MEMORY_LIMIT="256M" \
    PHP_MAX_EXECUTION_TIME="99" \
    PHP_POST_MAX_SIZE="100M" \
    PHP_UPLOAD_MAX_FILE_SIZE="100M" \
    PHP_POOL_NAME="www" \
    PHP_PM_CONTROL=dynamic \
    PHP_PM_MAX_CHILDREN="20" \
    PHP_PM_START_SERVERS="2" \
    PHP_PM_MIN_SPARE_SERVERS="1" \
    PHP_PM_MAX_SPARE_SERVERS="3"

# Install FPM
RUN apt-get update \
    && apt-get -y --no-install-recommends install \
        php7.4-fpm \
    && echo "Allow pool name to be set via env, default it to 'www'..." \
    && sed -i -e 's/\[www\]/\[$\{PHP_POOL_NAME\}]/g' /etc/php/7.4/fpm/pool.d/www.conf \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*

# Apply PHP configuration file
# COPY etc/php/fpm/pool.d/y-override-php-defaults.conf /etc/php/7.4/fpm/pool.d/y-override-php-defaults.conf

CMD ["/usr/sbin/php-fpm7.4", "-O" ]

# Open up fcgi port
EXPOSE 9000
```
2. Build my Dockerfile locally
Run this from the folder where you placed the Dockerfile:
```shell
docker build --pull . -t localhost/php:7.4-fpm
```
3. Run the local image
Run the image:
```shell
docker run -it --rm --name fpm localhost/php:7.4-fpm
```
Important note:
- The Dockerfile above depends on the beta image (serversideup/php:beta-7.4-cli), which is built from this file https://github.com/serversideup/docker-php/blob/dev/php/7.4/cli/Dockerfile
- The CLI image is based off of serversideup/docker-baseimage-s6-overlay-ubuntu:20.04, which is located in this new repo https://github.com/serversideup/docker-baseimage-s6-overlay-ubuntu/blob/main/Dockerfile
Things that concern me
I don't even know if this is possible to run as a "non-root" user due to how PHP-FPM is structured. I'm pretty sure PHP-FPM needs root in order to start its processes.
Other repos that are running PHP as "root"
These very talented groups are also not running things as an unprivileged user:
- bitnami/php-fpm
- linuxserver/docker-nextcloud (great example of a PHP app running on S6 Overlay... they aren't PHP-FPM though...)
What I think I might have to do
My gut feeling is telling me that I will:
- Need to continue to run the container as root
- Use the configurations of NGINX & PHP-FPM to select the proper user (my 9999 user)
Calling in help
@szepeviktor: Are you aware of any examples of projects running PHP as an unprivileged user?
from docker-php.
Hello! It is highly popular to give a sh*t about what is going on inside a container.
People do not have time to follow CVE-s. So there's such a thing as breaking out of a container.
Actually it is a novice mistake to run something as root - no matter whether inside a container or not.
S6 Overlay needs to run as root but it does not mean that PHP-FPM needs to.
PHP-FPM opens a socket file and a TCP socket, starts threads, creates a PID file - what is the problem here?
from docker-php.
> Are you aware of any examples of projects running PHP as an unprivileged user?

I think PHP-FPM operates this way: the master process runs as root, workers run as a normal user.
from docker-php.
Thanks for chiming in!
You confirmed my assumptions. I will need to remove the extra arguments on this line:
docker-php/php/7.4/cli/Dockerfile, line 51 in 718f310
If I leave those lines in there above, PHP-FPM will not be able to start correctly because it's trying to start the master process as webuser (userid 9999).
Instead, I will have root start the master process, which will then use the PHP-FPM config to start the children as webuser (userid 9999).
Does that sound like a good approach?
from docker-php.
php-fpm.conf could have daemonize = no, and I think PHP-FPM could run as a non-privileged user if you don't set user and group in pool config.
from docker-php.
> php-fpm.conf could have daemonize = no

Thanks! I have this set already.

> and I think PHP-FPM could run as a non-privileged user if you don't set user and group in pool config.

Interesting! I will play around with this. Thanks!!
from docker-php.
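The approach the thread converges on (root starts the PHP-FPM master, the pool configuration drops every worker to webuser/9999, `daemonize = no` so the s6 supervisor keeps a foreground process to watch), written out as a Dockerfile that extends the localhost/php:7.4-fpm image built earlier in the thread. This is an added example, not the project's own Dockerfile and not code posted by either commenter: the override file name zz-drop-privileges.conf, the useradd step, the TCP listen address and the stderr logging settings are assumptions, and the `COPY <<EOF` heredoc requires BuildKit (hence the syntax directive on the first line).

```dockerfile
# syntax=docker/dockerfile:1
# Added example: root master, unprivileged PHP-FPM workers.
# Extends the image the thread builds with "docker build ... -t localhost/php:7.4-fpm".
FROM localhost/php:7.4-fpm

# Assumption: the pool account is "webuser" with UID 9999, as named in the thread.
# Create it only if the base image has not already done so. No home, no shell.
RUN getent passwd webuser >/dev/null \
 || useradd --uid 9999 --user-group --no-create-home --shell /usr/sbin/nologin webuser

# php-fpm.conf includes every file in pool.d/. A file that sorts after www.conf
# and re-opens the same [www] section overrides the values it sets, so the base
# image's www.conf is left untouched. [global] directives are honoured from
# pool.d files as well.
COPY <<'EOF' /etc/php/7.4/fpm/pool.d/zz-drop-privileges.conf
[global]
; Stay in the foreground: s6 (or tini) supervises the master and must see it exit.
daemonize = no
; Master log to the container's stderr instead of a root-owned file on disk.
error_log = /proc/self/fd/2
log_level = notice

[www]
; Workers are forked by the root master and setuid/setgid to this account.
; If the master itself is started as a non-root user, PHP-FPM ignores these two
; lines with a notice, which is why the master must keep root here.
user = webuser
group = webuser
; TCP on an unprivileged port: no socket file ownership to get right and no
; CAP_NET_BIND_SERVICE needed. 9000 matches the EXPOSE in the base image.
listen = 0.0.0.0:9000
; Forward the workers' stdout/stderr (PHP warnings, fatal errors) to the master log.
catch_workers_output = yes
EOF

# Deliberately no USER instruction: the container starts as root so the master
# can drop privileges per worker. The security boundary is the setuid in
# PHP-FPM, not the container's UID.
CMD ["/usr/sbin/php-fpm7.4", "-F", "-O"]
```

After `docker run -d --name fpm <image>`, `docker exec fpm ps -o pid,user,args` should list the `php-fpm: master process` line as root and every `php-fpm: pool www` line as webuser; if the pool lines also show root, the override did not apply (check that the file sorts after www.conf and that the section name matches the pool name the base image's sed rewrote from PHP_POOL_NAME). Going fully non-root, as the last comment suggests, means removing `user`/`group` from the pool, keeping the listen port above 1024, making the `pid` file and log paths in php-fpm.conf writable by UID 9999, and only then finishing the image with `USER 9999`.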