Conversation
I'm not quite sure if that's within the concept of docker, because I don't know of any other image having that functionality. Usually you have a fixed user running everything inside the container, e.g. nginx, elasticsearch, postgres, etc.

The master process of FPM needs AFAIK root rights for e.g. slowlog, so it should be started as root. So I'm detecting that the docker container is not running as root, privilege escalation via

With this fix we can run FPM under any user, and new files are also created under this UID and are not fixed to UID 1000 anymore.

E.g. the FPM configuration and all other configuration which is modified after ENTRYPOINT startup (e.g. by env vars) must be world-writable if we don't do privilege escalation. I'm really not happy with world-writable configuration files.
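The situation the comments above describe (the FPM master wanting root, the container possibly started with `docker run --user`, and configuration rendered at ENTRYPOINT time that should not have to be world-writable) as an added shell example. This is not code from the webdevops/php image or from any commenter; `CONF_DIR`, `APP_USER`, `GOSU_BIN` and the `render_config` step are assumed names standing in for the image's own templating.

```shell
#!/bin/sh
# Added example, not code from the webdevops/php project.
# Entrypoint logic for a container whose config is rendered from env vars at
# start-up. Started as root: fix ownership of the config dir, then drop
# privileges with gosu. Started unprivileged (docker run --user N): run in
# place and verify write access instead of requiring chmod 777 on the config.
set -eu

CONF_DIR="${CONF_DIR:-/opt/docker/etc/php}"    # assumed path
APP_USER="${APP_USER:-application}"            # assumed user name
GOSU_BIN="${GOSU_BIN:-/usr/local/bin/gosu}"    # location used in the PR diff

# Stand-in for the real template step; the content is constructed for the example.
render_config() {
    printf 'pm.max_children = %s\n' "${FPM_MAX_CHILDREN:-10}" > "$1/pool.conf"
}

# Print the command prefix used to exec the service:
#   "<gosu> <user>" when running as root and gosu is installed,
#   an empty string when already unprivileged (no escalation possible).
# Arguments: current uid, target user, path to gosu.
launch_prefix() {
    uid="$1" target="$2" gosu_bin="$3"
    if [ "$uid" -eq 0 ]; then
        [ -x "$gosu_bin" ] || { echo "gosu missing at $gosu_bin" >&2; return 1; }
        printf '%s %s\n' "$gosu_bin" "$target"
    else
        printf '\n'
    fi
}

# Return 0 when directory $1 is writable by the current identity and is NOT
# world-writable (the other-write bit is what the comments want to avoid).
config_dir_ok() {
    dir="$1"
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    # find prints the path only if o+w is set; empty output means the bit is clear
    [ -z "$(find "$dir" -prune -perm -o+w)" ]
}

# Prepare the config dir for the identity we run as. Root hands it to the
# target user before dropping privileges; an unprivileged uid must already be
# able to write it, and we fail with a clear error rather than loosen modes.
# Arguments: directory, current uid, target user.
prepare_config_dir() {
    dir="$1" uid="$2" target="$3"
    mkdir -p "$dir"
    if [ "$uid" -eq 0 ]; then
        chown -R "$target" "$dir"
    fi
    config_dir_ok "$dir" || { echo "$dir not writable for uid $uid (refusing chmod 777)" >&2; return 1; }
}

main() {
    uid="$(id -u)"
    prepare_config_dir "$CONF_DIR" "$uid" "$APP_USER"
    render_config "$CONF_DIR"
    prefix="$(launch_prefix "$uid" "$APP_USER" "$GOSU_BIN")"
    # $prefix is intentionally unquoted: it is either empty or "gosu <user>"
    exec $prefix "$@"
}

# Only act as an entrypoint when explicitly asked, so the functions above can
# be sourced and exercised on their own.
[ "${ENTRYPOINT_RUN:-0}" = 1 ] && main "$@"
```

Run as `ENTRYPOINT_RUN=1 ./entrypoint.sh php-fpm -F` inside the image; with `docker run --user 999` the prefix is empty and the service runs directly as uid 999, which only works if the config dir is already owned or group-writable by that uid, never because it is world-writable.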
| && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \ | ||
| && chmod +x /usr/local/bin/gosu \ | ||
| && gosu nobody true \ | ||
| && apt-get purge -y -f --force-yes wget \ |
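Review bot: the last line of this hunk, `&& apt-get purge -y -f --force-yes wget \`, keeps `--force-yes`, which apt has deprecated in favour of the explicit `--allow-*` options and which a purge of a single package does not need; and `gnupg`, installed next to `wget` by the `apt-install wget gnupg` line of the same change, is not purged here and stays in the final image. Suggest `&& apt-get purge -y --auto-remove wget gnupg \` (if nothing else in the image needs gnupg), so the image keeps only what gosu needs at runtime.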
How about adding wget in next section (below)
| && /usr/local/bin/apt-install wget gnupg \ | ||
| && dpkgArch="amd64" \ | ||
| && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \ | ||
| && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \ |
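Review bot: `&& dpkgArch="amd64" \` pins the architecture, so on any non-amd64 host the build fetches a binary that cannot execute; the `gosu nobody true` smoke test in the other hunk would then fail at build time, which is loud but still a broken build. Deriving it with `dpkg --print-architecture | awk -F- '{ print $NF }'`, as suggested in this thread, removes the pin. The `.asc` download is only worth anything if a `gpg --batch --verify` of `gosu` against it runs before the `rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc` cleanup; that step is not visible in the quoted hunks, so confirm it is present.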
wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture | awk -F- '{ print $NF }').asc"
I've only used the part from the "official" installation and wanted to keep the steps :)
https://github.com/tianon/gosu
@mblaschke ok, I'll get it. Brilliant solution!
4f9e8d9 to 52b95ea
docker run --user 999 webdevops/php-apache:ubuntu-16.04