Container must be run as root #1061

Open

LargoUsagi opened this issue Feb 9, 2024 · 2 comments

Comments

@LargoUsagi

After updating to the latest version of the container, I had to force my cluster to execute the container as the root user and add

            - name: COMPOSER_ALLOW_SUPERUSER
              value: "1"

Executing containers as the root user should be avoided, as it opens up unnecessary security risks; these are usually environments running multiple applications on the same server.

Consider updating the entrypoint to leverage a process such as gosu (https://github.com/tianon/gosu).

@benjaminjonard (Owner)

The "COMPOSER_ALLOW_SUPERUSER" part is caused by the latest version of Composer. But what error did you have that forced you to run the container as root?

@LargoUsagi (Author)

If I didn't execute the container as root I wouldn't need to have the COMPOSER_ALLOW_SUPERUSER flag set.

During the entrypoint script you start editing the PHP configs in /etc:

echo "session.cookie_secure=${HTTPS_ENABLED}" >> /etc/php/8.3/fpm/conf.d/php.ini

https://github.com/benjaminjonard/koillection/blob/1.5/docker/entrypoint.sh#L37

This section requires the container's execution to occur as root. I did not have the errors for COMPOSER_ALLOW_SUPERUSER when I executed the container as user 1000, but I could not start the application. When I ran the container as root (user 0), the Composer error was raised; after adding the flag it continued on and was able to edit the configuration.

Example k8s manifest:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: koillection
  name: koillection
  namespace: collection
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koillection
  serviceName: koillection
  template:
    metadata:
      labels:
        app: koillection
    spec:
      securityContext:
        runAsUser: 0
        fsGroup: 1000
      initContainers:
        - name: fix-perms
          image: busybox
          command: [ "sh", "-c", "chown -R 1000:1000 /uploads" ]
          volumeMounts:
            - mountPath: /uploads
              name: koillection-data
      containers:
        - name: koillection
          image: koillection/koillection:1.5.3
          imagePullPolicy: IfNotPresent
          env:
            - name: APP_DEBUG
              value: "0"
            - name: APP_ENV
              value: "prod"
            - name: UPLOAD_MAX_FILESIZE
              value: "20M"
            - name: PHP_MEMORY_LIMIT
              value: "512M"
            - name: PHP_TZ
              value: "America/Detroit"
            - name: DB_PORT
              value: "5432"
            - name: DB_DRIVER
              value: "pdo_pgsql"
            - name: DB_VERSION
              value: "15"
            - name: DB_HOST
              value: "postgres"
            - name: DB_NAME
              value: "koillection"
            - name: DB_USER
              value: "koillection"
            - name: DB_PASSWORD
              value: "koillection"
            - name: COMPOSER_ALLOW_SUPERUSER
              value: "1"
          volumeMounts:
            - mountPath: /uploads
              name: koillection-data
      restartPolicy: Always
      volumes:
        - name: koillection-data
          persistentVolumeClaim:
            claimName: koillection-data
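The two points raised in this thread, the gosu suggestion in the first comment and the `>> /etc/php/8.3/fpm/conf.d/php.ini` write that forces `runAsUser: 0` in the manifest above, can be addressed together in the entrypoint. The script below is an added example and is not Koillection's own entrypoint.sh. It assumes (none of this is stated in the issue) that the image creates an unprivileged user with uid `APP_UID` at build time, that `gosu` is installed in the image, and that the runtime override is written to a dedicated `99-runtime.ini` file rather than appended to `php.ini`:

```shell
#!/bin/sh
# Added example (not Koillection's entrypoint.sh): a root-optional entrypoint.
# Started as root, it fixes ownership of the paths the app must write and
# re-executes itself as APP_UID via gosu; started as an unprivileged user
# (e.g. runAsUser: 1000) it skips the chown and just renders the config.
set -eu

PHP_CONF_DIR="${PHP_CONF_DIR:-/etc/php/8.3/fpm/conf.d}"   # path from the issue
UPLOAD_DIR="${UPLOAD_DIR:-/uploads}"                        # path from the manifest
APP_UID="${APP_UID:-1000}"                                  # assumed app user (not from the issue)
OVERRIDE_FILE="99-runtime.ini"                              # assumed file name (not from the issue)

# Accept only the two values php.ini expects for a boolean directive. An empty
# or arbitrary HTTPS_ENABLED would otherwise end up verbatim in the ini file.
validate_flag() {
  case "$1" in
    0|1) return 0 ;;
    *)   return 1 ;;
  esac
}

# Render the runtime override into one dedicated file, truncating it, instead
# of appending to php.ini on every start (which accumulates duplicate lines).
# Returns 2 on an invalid value, 1 if the directory is not writable by this uid.
render_php_overrides() {
  dir="$1"
  https_enabled="$2"
  if ! validate_flag "$https_enabled"; then
    echo "HTTPS_ENABLED must be 0 or 1, got '$https_enabled'" >&2
    return 2
  fi
  if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
    echo "cannot write to $dir as uid $(id -u); fix image ownership or start as root once" >&2
    return 1
  fi
  tmp="$(mktemp "$dir/.$OVERRIDE_FILE.XXXXXX")"
  printf 'session.cookie_secure=%s\n' "$https_enabled" > "$tmp"
  mv -f "$tmp" "$dir/$OVERRIDE_FILE"   # atomic replace: php-fpm never reads a half-written file
}

# True only when the container was started as uid 0.
running_as_root() {
  [ "$(id -u)" -eq 0 ]
}

# Give the unprivileged user ownership of what it must write. The uploads
# volume is only chowned when its owner is wrong, to avoid a full recursive
# chown on a large PVC at every restart.
fix_ownership() {
  chown -R "$APP_UID:$APP_UID" "$PHP_CONF_DIR"
  if [ "$(stat -c %u "$UPLOAD_DIR")" != "$APP_UID" ]; then
    chown -R "$APP_UID:$APP_UID" "$UPLOAD_DIR"
  fi
}

main() {
  if running_as_root; then
    fix_ownership
    # Re-enter this script as the app user; everything after this point,
    # including the config write and php-fpm itself, runs unprivileged.
    exec gosu "$APP_UID:$APP_UID" "$0" "$@"
  fi
  render_php_overrides "$PHP_CONF_DIR" "${HTTPS_ENABLED:-0}"
  exec "$@"   # e.g. php-fpm -F
}

# Guarded so the functions can be sourced and tested without starting anything.
if [ "${ENTRYPOINT_RUN:-0}" = "1" ]; then
  main "$@"
fi
```

With the config write moved out of the root-only path, the manifest above no longer needs `runAsUser: 0`: the pod `securityContext` can set `runAsUser: 1000` together with `runAsNonRoot: true`, the `fix-perms` init container becomes unnecessary when the image already owns the paths, and the `COMPOSER_ALLOW_SUPERUSER` variable disappears along with the root process that triggered it.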
