Skip to content

Comments

WIP: introduce unprivileged images#772

Closed
smueller18 wants to merge 2 commits intonextcloud:masterfrom
smueller18:non-root-images
Closed

WIP: introduce unprivileged images#772
smueller18 wants to merge 2 commits intonextcloud:masterfrom
smueller18:non-root-images

Conversation

@smueller18
Copy link

@smueller18 smueller18 commented Jun 7, 2019

Following Docker best practices, all images should run as non-root user. This PR introduces

  1. an unprivileged variant for each of the existing nextcloud images so that the existing images will not have breaking changes
  2. replacement of nginx image with nginxinc/nginx-unprivileged
  3. replacement of nextcloud images in the example docker-compose files with unprivileged variants

Todos:

  • Use non-root images for postgres, mariadb and redis in example docker-compose files
  • Test each example docker-compose
  • Maybe update readme with unprivileged images
  • Implement new image tags (e.g. nextcloud:unprivileged)

Closes #760

@smueller18 smueller18 mentioned this pull request Jun 11, 2019
Closed
@EWouters
Copy link

EWouters commented Sep 15, 2019

Nice work!

@pierreozoux
Copy link
Member

pierreozoux commented Aug 25, 2020

This is indeed nice.

Could you separate your PR on 2 commits, one with the changes and one with the update.sh?

This makes it easier to review.

Thanks :)

@smueller18
Copy link
Author

smueller18 commented Sep 4, 2020

@pierreozoux I did a rebase on the latest master commit and seperated the changes into two seperat commits.

In the meantime, I changed my mind and think it is not worth the effort to support both, privileged and unprivileged container images. The default one should always be unprivileged. With that in mind, I stopped working on this PR because it is not target-oriented for me.

@pierreozoux
Copy link
Member

pierreozoux commented Sep 4, 2020

You are right, everything should be unpriviledged and readonly, imho too :)

@tilosp
Copy link
Member

tilosp commented Sep 4, 2020

wouldn't it be enough to add a environment var, that changes the port? Running as an unprivileged user is already possible with --user.

@smueller18
Copy link
Author

smueller18 commented Sep 5, 2020

Using the --user option is possible for the fpm image but not for the apache image because port 80 is binded by default. Replacing port 80 with 8080 during runtime in the entrypoint based on an environment variable is not possible because the responsible file /etc/apache2/ports.conf is owned by root. So either it has to be changed during build time (as introduced in this PR) or ports.conf must be mounted during runtime which is not user friendly.

@jan-di
Copy link

jan-di commented Oct 17, 2020

wouldn't it be enough to add a environment var, that changes the port? Running as an unprivileged user is already possible with --user.

Additionally to what @smueller18 said, there are a few more cases where nextcloud don't work right when you set the --user parameter. For example (at least, with the apache image):

  • Redis cannot be used:
    /entrypoint.sh: 56: /entrypoint.sh: cannot create /usr/local/etc/php/conf.d/redis-session.ini: Permission denied
  • Apache IP-Rewrite cannot be disabled (as recommended when running behind a reverse proxy):
    Could not remove /etc/apache2/conf-enabled/remoteip.conf: Permission denied

I think the only clean solution to this would be to make the entrypoint script aware for UID/GID env variables. The entrypoint could make the changes above as root and then start the services under the unprivileged UID/GID. I think this is described in #359

@jan-di jan-di mentioned this pull request Oct 17, 2020
Closed
J0WI added a commit to J0WI/docker-nextcloud that referenced this pull request Sep 1, 2022
@J0WI
Allow to run with custom uid
31bfade 
fix: nextcloud#359, nextcloud#772, nextcloud#1081, nextcloud#1087, nextcloud#1278

Signed-off-by: J0WI <[email protected]>
@J0WI J0WI mentioned this pull request Sep 1, 2022
Merged
J0WI added a commit to J0WI/docker-nextcloud that referenced this pull request Sep 1, 2022
@J0WI
Allow to run with custom uid
883c3b1 
fix: nextcloud#359, nextcloud#772, nextcloud#1081, nextcloud#1087, nextcloud#1278

Signed-off-by: J0WI <[email protected]>
J0WI added a commit that referenced this pull request Sep 6, 2022
@J0WI
Allow to run with custom uid (#1812)
19256cd 
fix: #359, #772, #1081, #1087, #1278

Signed-off-by: J0WI <[email protected]>

Signed-off-by: J0WI <[email protected]>
@J0WI
Copy link
Contributor

J0WI commented Sep 6, 2022

closing due #1812

@J0WI J0WI closed this Sep 6, 2022
ananace pushed a commit to ananace/docker-nextcloud that referenced this pull request May 10, 2024
@J0WI @ananace
Allow to run with custom uid (nextcloud#1812)
96124b4 
fix: nextcloud#359, nextcloud#772, nextcloud#1081, nextcloud#1087, nextcloud#1278

Signed-off-by: J0WI <[email protected]>

Signed-off-by: J0WI <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Running as non-root user (Apache Privileged Ports)

6 participants

@smueller18 @EWouters @pierreozoux @tilosp @jan-di @J0WI