
I'm trying to create a Dockerfile which runs as a non-root user. When I build this, everything works fine, but nginx cannot write the log file because it doesn't have enough permissions. Can I, when building a Docker image, give root permissions only to nginx?

I'm trying chmod and chown on the blocked directories. It doesn't work.

FROM php:7.1-fpm-alpine

# shadow provides usermod/groupmod on Alpine
RUN apk add --no-cache shadow

RUN apk add --no-cache --virtual .ext-deps \
        openssl \
        unzip \
        libjpeg-turbo-dev \
        libwebp-dev \
        libpng-dev \
        freetype-dev \
        libmcrypt-dev \
        imagemagick-dev \
        nodejs-npm \
        nginx \
        git \
        inkscape

# imagick
RUN apk add --update --no-cache autoconf g++ imagemagick-dev libtool make pcre-dev \
    && pecl install imagick \
    && docker-php-ext-enable imagick \
    && apk del autoconf g++ libtool make pcre-dev

# Install Blackfire
RUN version=$(php -r "echo PHP_MAJOR_VERSION.PHP_MINOR_VERSION;") \
    && curl -A "Docker" -o /tmp/blackfire-probe.tar.gz -D - -L -s https://blackfire.io/api/v1/releases/probe/php/linux/amd64/$version \
    && tar zxpf /tmp/blackfire-probe.tar.gz -C /tmp \
    && mv /tmp/blackfire-*.so $(php -r "echo ini_get('extension_dir');")/blackfire.so \
    && printf "extension=blackfire.so\nblackfire.agent_socket=tcp://blackfire:8707\n" > $PHP_INI_DIR/conf.d/blackfire.ini

# apk has no -y flag (that is apt-get); --no-cache is the Alpine equivalent of a clean install
RUN apk add --no-cache icu-dev \
    && docker-php-ext-configure intl \
    && docker-php-ext-install intl

RUN docker-php-ext-configure pdo_mysql && \
    docker-php-ext-configure opcache && \
    docker-php-ext-configure exif && \
    docker-php-ext-configure pdo && \
    docker-php-ext-configure zip && \
    docker-php-ext-configure gd \
    --with-jpeg-dir=/usr/include --with-png-dir=/usr/include --with-webp-dir=/usr/include --with-freetype-dir=/usr/include && \
    docker-php-ext-configure sockets && \
    docker-php-ext-configure mcrypt

RUN docker-php-ext-install pdo zip pdo_mysql opcache exif gd sockets mcrypt && \
    docker-php-source delete

RUN ln -s /usr/bin/php7 /usr/bin/php && \
    curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer && \
    mkdir -p /run/nginx

COPY ./init.sh /
COPY ./default.conf /etc/nginx/conf.d/default.conf
COPY ./.env /
RUN chmod +x /init.sh


EXPOSE 80

RUN addgroup -g 1001 node \
    && adduser -u 1001 -G node -s /bin/sh -D node

ARG UID=1001
ARG GID=1001
ENV UID=${UID}
ENV GID=${GID}

# Re-map the node user/group to the build-time UID/GID
RUN usermod -u $UID node \
    && groupmod -g $GID node


RUN chown 1001:1001 /var/lib/nginx -R
RUN mkdir -p /var/tmp/nginx
RUN chown 1001:1001 /var/tmp/nginx -R

USER node

ENTRYPOINT [ "/init.sh" ]
Starshov

3 Answers


There are quite a few unknowns in your question, for example, the contents of your default.conf file. By default the nginx logs are stored in /var/log/nginx, but I'll assume you're overriding that in the configuration.

The next thing is that the master process of nginx needs to be run as root if you want it to be able to bind to system ports (0 - 1023), so in case you are using nginx as a web server and intend to use ports 80 and 443 you should stick with running the nginx process as root.

In case you plan to use other ports and are set on the idea of running the master process as non-root, then you can check this answer for suggestions on how to do that: https://stackoverflow.com/a/42329561/5359953

I am using the term master process a lot here, because nginx spawns worker processes to handle the actual requests, and those can be run as a different user (defined in the nginx configuration file).

Kārlis Ābele
  • How can I run nginx as root and all of the other stuff as my 1001 user? – Starshov Jun 13 '19 at 10:09
  • Here's an example nginx configuration https://www.nginx.com/resources/wiki/start/topics/examples/full/ Note the user definition at the top. You can do the same in your default.conf file by just setting the user to node (`user node node;`), and the worker processes should use that user. – Kārlis Ābele Jun 13 '19 at 10:15


I found the solution. I just changed RUN chown 1001:1001 /var/lib/nginx -R to RUN chown -R 1001:1001 /var/. That works fine.

Starshov
  • This seems quite a "hammer down" kind of an approach, since essentially you have given your node user ownership over all /var/ subdirectories... If the main concern for not running nginx as root user was security, then I don't think this is the best way to do it. For local development this is fine I guess, but I would not suggest using this image in a production environment, as it could possibly cause unpredictable behaviour... Not an expert in this though. – Kārlis Ābele Jun 13 '19 at 13:20


RUN chown -R 1001:1001 /var/ will sometimes actually be a bad decision.

You can try adding permissions like this:

RUN chown -R 1001:1001 /var/tmp/nginx
RUN chown -R 1001:1001 /var/lib/nginx
RUN chown -R 1001:1001 /var/log/nginx
RUN chown -R 1001:1001 /run/nginx

I guess RUN chown 1001:1001 /var/lib/nginx -R worked wrong because I set the -R flag too late.

Starshov
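Pulling the two threads together (the first answer's point that a non-root master process cannot bind ports below 1024, and the last answer's list of the only directories nginx actually writes to), here is an added least-privilege Dockerfile fragment; it is not code from the question or any answer. It assumes a default.conf whose server block listens on the unprivileged port 8080, and that the image's nginx.conf still includes /etc/nginx/conf.d/*.conf as in the question.

```dockerfile
# Added example: run the nginx master process itself as the non-root "node" user.
# Assumption: ./default.conf contains "listen 8080;" (a non-root master cannot bind port 80).
FROM php:7.1-fpm-alpine

RUN apk add --no-cache nginx \
    && addgroup -g 1001 node \
    && adduser -u 1001 -G node -s /bin/sh -D node

COPY ./default.conf /etc/nginx/conf.d/default.conf

# Give the node user only the directories nginx writes to; the rest of /var stays root-owned.
#   /var/log/nginx  access/error logs (the directory missing from the question's chown list)
#   /var/lib/nginx  nginx's default temp paths (client body, fastcgi, ...)
#   /var/tmp/nginx  temp directory created in the question's Dockerfile
#   /run/nginx      pid file
# Note the -R before the paths; group/other get no write access (750).
RUN mkdir -p /var/log/nginx /var/lib/nginx /var/tmp/nginx /run/nginx \
    && chown -R 1001:1001 /var/log/nginx /var/lib/nginx /var/tmp/nginx /run/nginx \
    && chmod 750 /var/log/nginx /var/lib/nginx /var/tmp/nginx /run/nginx

EXPOSE 8080
USER node

# Validate the configuration as the same unprivileged user, then run nginx in the foreground.
CMD ["sh", "-c", "nginx -t && exec nginx -g 'daemon off;'"]
```

If port 80 must stay, the alternative from the first answer applies instead: keep the master as root (no USER instruction) and put `user node node;` in nginx.conf so only the worker processes drop to the node user.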