
Commit 32305b4

committed
feat(non-root): run container as non-root with read-only fs
This commit allows any container based on the linkstack image to run as non-root (the apache user) and restricts the filesystem to read-only, ensuring a much more secure runtime.
1 parent b56846d commit 32305b4


4 files changed

+17
-1
lines changed


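--- a/Dockerfile
+++ b/Dockerfile
@@ -42,12 +42,17 @@ COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf
 COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf
 COPY configs/php/php.ini /etc/php8.2/php.ini
 
+RUN chown apache:apache /etc/ssl/apache2/server.pem
+RUN chown apache:apache /etc/ssl/apache2/server.key
+
 RUN chown -R apache:apache /htdocs
 RUN find /htdocs -type d -print0 | xargs -0 chmod 0755
 RUN find /htdocs -type f -print0 | xargs -0 chmod 0644
 
 COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/
 
+USER apache:apache
+
 HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1
 
 # Set console entry path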
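Review bot: The two new chown lines hand the TLS private key to the unprivileged runtime user without tightening its mode, so after `USER apache:apache` the web process can both read and overwrite /etc/ssl/apache2/server.key, and whatever mode the key was given earlier in the Dockerfile (outside the hunk) is left untouched. If the key is baked in at build time rather than regenerated by the entrypoint, keep root ownership and grant read access through the group instead: `RUN chown root:apache /etc/ssl/apache2/server.pem /etc/ssl/apache2/server.key && chmod 0440 /etc/ssl/apache2/server.key`. Whether httpd can still bind ports 80/443 once it no longer starts as root depends on the runtime (Docker 20.10+ lowers ip_unprivileged_port_start inside the container; other runtimes may need cap_net_bind_service or a Listen above 1024), which is worth a comment next to the USER line. The Dockerfile continues past the hunk on both sides.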

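--- a/configs/apache2/httpd.conf
+++ b/configs/apache2/httpd.conf
@@ -487,3 +487,9 @@ LogLevel ${LOG_LEVEL}
 #
 IncludeOptional /etc/apache2/conf.d/*.conf
 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json
+
+#
+# The PidFile directive sets the file to which the server records the
+# process id of the daemon. If the filename is not absolute, then it
+# is assumed to be relative to the ServerRoot.
+PidFile /htdocs/httpd.pid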
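Review bot: `PidFile /htdocs/httpd.pid` places Apache's runtime state inside the tree the Dockerfile hunk treats as web content (`chown -R apache:apache /htdocs`, `chmod 0644` on its files); if /htdocs is, or contains, the DocumentRoot, the pid file becomes a web-reachable file that discloses the daemon's pid, and /htdocs must remain writable by the web user at startup, which works against the read-only goal of this commit. A runtime directory that can be backed by a tmpfs (for example /run/apache2) keeps the pid out of the document tree, lets `read_only: true` be enabled in compose, and removes the need for the `rm -f` workaround added to docker-entrypoint.sh. The copied comment block explains what PidFile is but not why this image deviates from the usual location; add a line such as `# Kept on a tmpfs-backed path so the image can run with a read-only root filesystem` once the path is moved.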

docker-compose.yml

Lines changed: 3 additions & 1 deletion
@@ -17,11 +17,13 @@ services:
1717
ports:
1818
- '8080:80'
1919
- '8081:443'
20+
restart: unless-stopped
21+
user: apache:apache
22+
# read_only: true
2023
depends_on:
2124
- mysql
2225
links:
2326
- mysql
24-
restart: unless-stopped
2527
mysql:
2628
image: mysql:8
2729
environment:
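Review bot: `# read_only: true` stays commented out, so this compose file does not deliver the read-only filesystem the commit message promises, and nothing says what blocks it; with `PidFile /htdocs/httpd.pid` from the httpd.conf hunk, Apache must write into /htdocs at startup, which is presumably why the flag cannot be switched on yet. Either enable it together with tmpfs mounts for the paths Apache writes (after moving the pid file out of /htdocs), or replace the bare line with one that records the prerequisite, e.g. `# read_only: true  # needs PidFile moved off /htdocs plus tmpfs mounts for the paths Apache writes`. `user: apache:apache` duplicates the `USER apache:apache` now set in the image, which is harmless but deserves a comment so the two are not changed independently.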

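--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -35,6 +35,9 @@ echo '+ ------------------------------------------------------------------ +'
 # | -- MISC -- | #
 # + ---------- + #
 
+# Apache gets grumpy about PID files pre-existing
+rm -f /htdocs/httpd.pid
+
 echo '| ------------------------------------------------------------------ |'
 echo '| Running Apache |'
 echo '+ ------------------------------------------------------------------ +'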
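Review bot: `rm -f /htdocs/httpd.pid` is an unconditional delete whose comment names the symptom but not the cause: the pid file survives restarts only because `PidFile` now points into the persistent /htdocs tree rather than a tmpfs-backed runtime directory, so the comment should say so, e.g. `# PidFile lives in /htdocs (persistent), so a stale pid from a previous run must be cleared before httpd starts`. If the stale-pid protection is worth keeping, remove the file only when the recorded pid is not alive: `[ -f /htdocs/httpd.pid ] && ! kill -0 "$(cat /htdocs/httpd.pid)" 2>/dev/null && rm -f /htdocs/httpd.pid`. This line now runs as the apache user (`USER apache:apache` in the Dockerfile hunk), so it depends on /htdocs staying writable to that user and will fail once the root filesystem is made read-only without a writable mount there. The script continues outside the hunk.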
