Run apps in containers as unprivileged user

7 years ago · ff2ac99739
parent 63d9d662a1
commit ff2ac99739
5 changed files with 17 additions and 5 deletions
--- a/2
+++ b/2
@ -16,6 +16,8 @@ COPY nginx/nginx.conf /etc/nginx/nginx.conf

 COPY --from=builder /ng-app/dist /quotes/quotes/assets

+RUN addgroup -g 9999 lilia
+
 EXPOSE 80

 ENTRYPOINT ["nginx", "-g", "daemon off;"]
--- a/api/Dockerfile
+++ b/api/Dockerfile
@ -5,6 +5,10 @@ COPY . .

 RUN pip install --no-cache-dir --requirement requirements.txt

+RUN addgroup -g 9999 lilia
+
 EXPOSE 5000

+USER nobody:lilia
+
 ENTRYPOINT ["python", "app.py"]
--- a/cms/Dockerfile
+++ b/cms/Dockerfile
@ -13,12 +13,18 @@ RUN sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php7/php.ini && \

 COPY php-fpm.conf /etc/php7/php-fpm.d/zz-docker.conf

-COPY grav /app/
+RUN addgroup -g 9999 lilia
+
+COPY --chown=nobody:lilia grav /app/
+
+USER nobody:lilia

 WORKDIR /app
 RUN php7 bin/gpm install admin form login email
 RUN php7 bin/grav install

+USER root:root
+
 EXPOSE 9000

-CMD ["php-fpm7", "--allow-to-run-as-root"]
+CMD ["php-fpm7"]
--- a/cms/php-fpm.conf
+++ b/cms/php-fpm.conf
@ -3,8 +3,8 @@ daemonize = no
 error_log = /proc/self/fd/2

 [www]
-user = root
-group = root
+user = nobody
+group = lilia
 listen = 9000
 clear_env = no
 catch_workers_output = yes
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -1,4 +1,4 @@
-user  nginx;
+user  nginx lilia;
 worker_processes  1;

 error_log  /var/log/nginx/error.log warn;