
httpd could be launched without root user in alpine container #118

Closed
bgauduch opened this issue Nov 15, 2018 · 2 comments
Labels
Request Request for image modification or feature

Comments

@bgauduch

bgauduch commented Nov 15, 2018

Hello 👋

Wouldn't it be better to launch httpd in the container without root, using unix capabilities?

It could be done this way just before the EXPOSE and COMMAND instructions at the end of the alpine Dockerfile:

# add capacity management library
RUN apk add --no-cache libcap=2.25-r1 && \
  # chown apache working directory
  chown -hR www-data:www-data /usr/local/apache2/ && \
  # Set capability to bind privileged ports as non-root user for httpd
  setcap 'cap_net_bind_service=+ep' /usr/local/apache2/bin/httpd

# use non-root user
USER www-data

Any advice / comment on this?
Could it break anything downstream?

Related: issue 102, closed

Good day :-)

@wglambert wglambert added the Request Request for image modification or feature label Nov 15, 2018
@yosifkit
Member

setcap will not work with some Docker storage drivers, which is why tianon said the following in #102:

Your setcap probably doesn't round-trip through the graph drivers properly.

See also related moby/moby#8460 and especially moby/moby#8460 (comment).

@bgauduch
Author

Hello @yosifkit

Thanks for the feedback, so I guess this is the reason why apache starts as root before deferring to the apache user.

In our case I think we will go on with the capability setup if we do not encounter issues with the storage driver (deploying on k8s btw).
I believe this question / request can be closed then.

Thanks again, good day :-)
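The thread leaves the practitioner with a proposal (the setcap line in the Dockerfile above) and a warning (file capabilities may not round-trip through the graph drivers), but no way to tell which case a given build landed in. The script below is an added example for that check; it is not code from the httpd image, from Docker or from any participant in this issue. It decodes the raw `security.capability` xattr that `setcap 'cap_net_bind_service=+ep'` writes, using the `struct vfs_cap_data` layout from `linux/capability.h`, and looks that xattr up in the layer tars of a `docker save` tarball, where Go's archive/tar records xattrs as PAX `SCHILY.xattr.*` headers. Both the layout and the PAX key are assumptions stated in the code; the sample layer it builds is constructed for illustration, and the functions `caps_in_image_tar`, `caps_in_layer_tar` and `build_sample_layer_tar` are names of this example, not of any tool.

```python
"""Verify that the security.capability xattr written by setcap survived
an image build.  Added example for this thread, not code from the httpd
image, Docker or any participant.  Assumes the struct vfs_cap_data layout
from linux/capability.h and that 'docker save' layer tars carry xattrs as
PAX 'SCHILY.xattr.*' records (Go archive/tar's encoding).  The sample
layer built below is constructed for illustration."""
import io
import struct
import tarfile

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000    # two 32-bit words per capability set
VFS_CAP_REVISION_3 = 0x03000000    # revision 2 plus a trailing rootid field
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_NET_BIND_SERVICE = 10          # capability bit index from the kernel
XATTR_NAME = "security.capability"
PAX_XATTR_KEY = "SCHILY.xattr." + XATTR_NAME   # assumed PAX key for xattrs


def encode_vfs_caps_v2(permitted, inheritable=0, effective=True):
    """Build the 20-byte revision-2 value that setcap stores (little-endian)."""
    magic_etc = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic_etc, permitted & 0xFFFFFFFF,
                       inheritable & 0xFFFFFFFF, permitted >> 32, inheritable >> 32)


def decode_vfs_caps(raw):
    """Parse a revision-2 or revision-3 security.capability value."""
    if len(raw) < 20:
        raise ValueError("security.capability value too short")
    magic_etc, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIIII", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    rootid = None
    if revision == VFS_CAP_REVISION_3:          # namespaced root uid follows
        if len(raw) < 24:
            raise ValueError("revision-3 value truncated")
        rootid = struct.unpack_from("<I", raw, 20)[0]
    elif revision != VFS_CAP_REVISION_2:
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % revision)
    return {"revision": revision >> 24,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": p_lo | (p_hi << 32),
            "inheritable": i_lo | (i_hi << 32),
            "rootid": rootid}


def can_bind_privileged_ports(caps):
    """What 'cap_net_bind_service=+ep' must yield: bit 10 permitted and effective."""
    return caps["effective"] and bool((caps["permitted"] >> CAP_NET_BIND_SERVICE) & 1)


def _normalize(name):
    return name[2:] if name.startswith("./") else name.lstrip("/")


def caps_in_layer_tar(fileobj, target):
    """Look `target` up in one layer tar; returns (present, caps_or_None)."""
    target, present, caps = _normalize(target), False, None
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if _normalize(member.name) != target:
                continue
            present, value = True, member.pax_headers.get(PAX_XATTR_KEY)
            # tarfile hands non-UTF-8 xattr bytes back as surrogate escapes
            caps = (decode_vfs_caps(value.encode("utf-8", "surrogateescape"))
                    if value is not None else None)
    return present, caps


def caps_in_image_tar(image_tar_path, target):
    """Scan every layer of a 'docker save' tarball; returns [(layer, caps)] for
    each layer holding `target`, so a layer that dropped the xattr shows None."""
    hits = []
    with tarfile.open(image_tar_path, mode="r:*") as outer:
        for member in outer:
            if not member.isfile() or not (member.name.endswith("layer.tar")
                                           or "blobs/sha256/" in member.name):
                continue
            try:
                present, caps = caps_in_layer_tar(outer.extractfile(member), target)
            except tarfile.ReadError:           # manifest/config blobs are JSON
                continue
            if present:
                hits.append((member.name, caps))
    return hits


def build_sample_layer_tar():
    """Constructed fixture: httpd carries +ep, ab carries no capability."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        httpd = tarfile.TarInfo("usr/local/apache2/bin/httpd")
        httpd.size = 4
        raw = encode_vfs_caps_v2(1 << CAP_NET_BIND_SERVICE)
        httpd.pax_headers = {PAX_XATTR_KEY: raw.decode("latin-1")}
        tar.addfile(httpd, io.BytesIO(b"\x7fELF"))
        tar.addfile(tarfile.TarInfo("usr/local/apache2/bin/ab"))
    buf.seek(0)
    return buf
```

To check a real build, run `docker save <image> -o image.tar` and call `caps_in_image_tar("image.tar", "/usr/local/apache2/bin/httpd")`: the layer produced by the `RUN ... setcap` step should report a decoded value with `can_bind_privileged_ports` true, and a `None` there is the symptom the thread warns about, the xattr having been lost on the way through the storage driver. Inside a running container the equivalent quick check is `getcap /usr/local/apache2/bin/httpd` (or `os.getxattr(path, "security.capability")` fed to `decode_vfs_caps`); if that prints nothing while the image tar still carries the xattr, the loss happened at container start rather than at build time. Either way, httpd launched as `www-data` will fail to bind port 80 with a permission error, which is what the check is meant to catch before deployment.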

4 participants