Docker: Support running without root

Created on 12 Sep 2018  路  8Comments  路  Source: nextcloud/docker

I am setting up nextcloud instances on an Openshift cluster (Redhat's kubernetes distribution) where the default security context prevents running software as uid=0. I would see that as a good practice in general.

What it would need (at least):

  • Not binding to privileged ports (e.g. change 80 -> 8080, can be mapped to any host port anyway)
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
  • Making sure apache directories are readable/writable by the non-root user as necessary
[Wed Sep 12 11:06:29.449612 2018] [core:error] [pid 1] (13)Permission denied: AH00099: could not create /var/run/apache2/apache2.pid
[Wed Sep 12 11:06:29.449713 2018] [core:error] [pid 1] AH00100: apache2: could not log pid to file /var/run/apache2/apache2.pid

Related: https://github.com/openshift/origin/issues/6629

upstream
Source
picture varesa

Most helpful comment

Is the nextcloud docker image actually capable of running as non root?

Absolutely. I'm running mine that way right now:

app:
  image: nextcloud:16-apache
  restart: unless-stopped
  user: $UID:$GID
  sysctls:
  - net.ipv4.ip_unprivileged_port_start=0
  environment:
  - MYSQL_HOST=db
  - APACHE_RUN_USER=#$UID
  - APACHE_RUN_GROUP=#$GID

(Omitted some irrelevant attributes, such as volume mounts)

picture rcdailey on 17 Aug 2019
👍2

All 8 comments

I think that this should be fixed in the parent image.
Could you open an issue here docker-library/php?

tilosp picture tilosp on 12 Sep 2018

I can verify this issue still exists...

  nextcloud:
    image: nextcloud
    restart: always
    user: $UID:$GID
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    environment:
      - APACHE_RUN_USER=#$UID
      - APACHE_RUN_GROUP=#$GID
rcdailey picture rcdailey on 11 Nov 2018

For reference, I opened an issue here:

https://github.com/docker-library/php/issues/743

rcdailey picture rcdailey on 27 Nov 2018
👍1

should be fixed by https://github.com/docker-library/php/pull/745 and https://github.com/docker-library/php/pull/755

tilosp picture tilosp on 29 Nov 2018
👍1

Great! Thanks @rcdailey and @tilosp

Sorry I got busy with life and didn't have time to evaluate and open an issue upstream as you suggested

varesa picture varesa on 29 Nov 2018

Is the nextcloud docker image actually capable of running as non root?

vogelfreiheit picture vogelfreiheit on 17 Aug 2019

Is the nextcloud docker image actually capable of running as non root?

Absolutely. I'm running mine that way right now:

app:
  image: nextcloud:16-apache
  restart: unless-stopped
  user: $UID:$GID
  sysctls:
  - net.ipv4.ip_unprivileged_port_start=0
  environment:
  - MYSQL_HOST=db
  - APACHE_RUN_USER=#$UID
  - APACHE_RUN_GROUP=#$GID

(Omitted some irrelevant attributes, such as volume mounts)

rcdailey picture rcdailey on 17 Aug 2019
👍2

Nice! Do you have by any chance pointers to a configuration example for using an nginx reverse proxy outside of the container? And having the nextcloud web server running at a non privileged port (so we avoid the pitfall of allowing <1024 ports being opened by non root).

Is nginx supported inside the container or only Apache with mod_php? I would definitely prefer fpm just for the isolation options.

Thank you!

vogelfreiheit picture vogelfreiheit on 18 Aug 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

DrMurx picture DrMurx  路  4Comments
gjedeer picture gjedeer  路  3Comments
alexbarnhill picture alexbarnhill  路  3Comments
all-the-good-ones-are-gone picture all-the-good-ones-are-gone  路  3Comments
Xanarkan picture Xanarkan  路  3Comments