-
-
Notifications
You must be signed in to change notification settings - Fork 863
Add non-root user by default #850
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
ToshY
wants to merge
1
commit into
dunglas:main
Choose a base branch
from
ToshY:issue/679
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,153 @@ | ||
| # Non-root user | ||
|
|
||
| Following [Docker best practices](https://docs.docker.com/build/building/best-practices/#user), it is recommended to run your services as non-root user whenever possible. | ||
|
|
||
| ## Apply changes | ||
|
|
||
| You can apply the following patches to your `Dockerfile`, `compose.override.yaml` and `compose.prod.yaml` to run the FrankenPHP container as non-root for development and production usage. | ||
|
|
||
| `Dockerfile` | ||
|
|
||
| ```diff | ||
| +ARG PUID=${PUID:-1000} | ||
| +ARG PGID=${PGID:-1000} | ||
| +ARG USER=${USER:-frankenphp} | ||
| +ARG GROUP=${GROUP:-frankenphp} | ||
|
|
||
| # Versions | ||
| FROM dunglas/frankenphp:1-php8.4 AS frankenphp_upstream | ||
|
|
||
| # Base FrankenPHP image | ||
| FROM frankenphp_upstream AS frankenphp_base | ||
|
|
||
| +ARG PUID | ||
| +ARG PGID | ||
| +ARG USER | ||
| +ARG GROUP | ||
| + | ||
| WORKDIR /app | ||
|
|
||
| -VOLUME /app/var/ | ||
|
|
||
| # ... | ||
|
|
||
| +RUN set -eux; \ | ||
| + groupadd -g $PGID $GROUP; \ | ||
| + useradd -u $PUID -g $PGID --no-create-home $USER; \ | ||
| + mkdir -p var/cache var/log; \ | ||
| + chown -R $PUID:$PGID /data/ /config/ var/ | ||
| + | ||
| ENTRYPOINT ["docker-entrypoint"] | ||
|
|
||
| # ... | ||
|
|
||
| # Dev FrankenPHP image | ||
| FROM frankenphp_base AS frankenphp_dev | ||
|
|
||
| +ARG USER | ||
| + | ||
| ENV APP_ENV=dev | ||
| ENV XDEBUG_MODE=off | ||
| ENV FRANKENPHP_WORKER_CONFIG=watch | ||
|
|
||
| COPY --link frankenphp/conf.d/20-app.dev.ini $PHP_INI_DIR/app.conf.d/ | ||
|
|
||
| +USER $USER | ||
| + | ||
| CMD [ "frankenphp", "run", "--config", "/etc/frankenphp/Caddyfile", "--watch" ] | ||
|
|
||
| # Prod FrankenPHP image | ||
| FROM frankenphp_base AS frankenphp_prod | ||
|
|
||
| +ARG PUID | ||
| +ARG PGID | ||
| +ARG USER | ||
| + | ||
| ENV APP_ENV=prod | ||
|
|
||
| # ... | ||
|
|
||
| RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" | ||
| composer dump-autoload --classmap-authoritative --no-dev; \ | ||
| composer dump-env prod; \ | ||
| composer run-script --no-dev post-install-cmd; \ | ||
| - chmod +x bin/console; sync; | ||
| + chmod +x bin/console; \ | ||
| + chown -R $PUID:$PGID var/; sync | ||
| + | ||
| +USER $USER | ||
| ``` | ||
|
|
||
| `compose.override.yaml` | ||
|
|
||
| ```yaml | ||
| services: | ||
| php: | ||
| build: | ||
| context: . | ||
| target: frankenphp_dev | ||
| + args: | ||
| + PUID: ${PUID:-1000} | ||
| + PGID: ${PGID:-1000} | ||
| + user: "${PUID:-1000}:${PGID:-1000}" | ||
| ``` | ||
| `compose.prod.yaml` | ||
|
|
||
| ```yaml | ||
| services: | ||
| php: | ||
| build: | ||
| context: . | ||
| target: frankenphp_prod | ||
| + args: | ||
| + PUID: ${PUID:-1000} | ||
| + PGID: ${PGID:-1000} | ||
| + user: "${PUID:-1000}:${PGID:-1000}" | ||
| ``` | ||
|
|
||
| ## Usage | ||
|
|
||
| After applying the previous changes, you have to pass the `PUID` and `PGID` as environment variables to the Dockerfile. | ||
|
|
||
| You can do this in a myriad of different ways: | ||
|
|
||
| - Export your `PUID` and `PGID` to your current shell before running `docker compose`. | ||
|
|
||
| ```console | ||
| export PUID=$(id -u); export PGID=$(id -g); docker compose ... | ||
| ``` | ||
|
|
||
| - Pass `PUID` and `PGID` directly to `docker compose`. | ||
|
|
||
| ```console | ||
| PUID=$(id -u) PGID=$(id -g) docker compose ... | ||
| ``` | ||
|
|
||
| - Add `PUID` and `PGID` to your dotenv (`.env`) file. | ||
|
|
||
| ```dotenv | ||
| PUID=1000 | ||
| PGID=1000 | ||
| ``` | ||
|
|
||
| > [!CAUTION] | ||
| > This method is not recommended as it can cause issues in CI environment where the runner has a different UID/GID. | ||
|
|
||
| - Use third-party tools, like [`Task`](https://taskfile.dev/), to do the heavy lifting for you. | ||
|
|
||
| ```yaml | ||
| version: "3" | ||
| env: | ||
| PUID: | ||
| sh: id -u | ||
| PGID: | ||
| sh: id -g | ||
| tasks: | ||
| up: | ||
| desc: Up stack | ||
| cmds: | ||
| - docker compose ... | ||
| ``` | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why shouldn't the
/app/vardirectory be a volume?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While there are multiple considerations on why not to use
VOLUMEin the Dockerfile 1, regarding the scope of the this feature, if docker would not be run as "rootless" (not to be confused with "running docker as non-root user"), if a volume mounted./:/app(on development) but the./vardirectory does not exist on host, this will create the./vardirectory asrooton host (which prevents the application from starting as the container user can not write to./var).Think this would either require the
./varto already be present on host (untested), or remove theVOLUMEdirective as done now (or the user should use docker "rootless" but this comes with possible side-effects). Maybe using theVOLUMEwould only be really useful forprodstage (for docker/compose in production; not kubernetes).Footnotes
https://stackoverflow.com/a/55516433/9128538 ↩
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting note. I can't find any simple ways to make this work while keeping this volume.