Run the services in the container as non-privileged user

Dockerfile

@@ -11,18 +11,35 @@ RUN apk --no-cache add php7 php7-fpm php7-mysqli php7-json php7-openssl php7-cur
 COPY config/nginx.conf /etc/nginx/nginx.conf
 
 # Configure PHP-FPM
-COPY config/fpm-pool.conf /etc/php7/php-fpm.d/zzz_custom.conf
+COPY config/fpm-pool.conf /etc/php7/php-fpm.d/www.conf
 COPY config/php.ini /etc/php7/conf.d/zzz_custom.ini
 
 # Configure supervisord
 COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
-# Add application
-RUN mkdir -p /var/www/html
-WORKDIR /var/www/html
-COPY src/ /var/www/html/
+# Make sure files/folders needed by the processes are accessable when they run under the nobody user
+RUN touch /run/nginx.pid && \
+  touch /run/supervisord.pid && \
+  chown -R nobody.nobody /run/nginx.pid && \
+  chown -R nobody.nobody /run/supervisord.pid && \
+  chown -R nobody.nobody /var/tmp/nginx && \
+  chown -R nobody.nobody /var/lib/nginx/logs
 
-EXPOSE 80
+# Setup document root
+RUN mkdir -p /var/www/html
+
+# Switch to use a non-root user from here on
+USER nobody
+
+# Add application
+WORKDIR /var/www/html
+COPY --chown=nobody src/ /var/www/html/
+
+# Expose the port nginx is reachable on
+EXPOSE 8080
+
+# Let supervisord start nginx & php-fpm
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
 
+# Configure a healthcheck to validate that everything is up&running
 HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1/fpm-ping

README.md

@@ -1,15 +1,31 @@
-Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
-==============================================
+# Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
 Example PHP-FPM 7.2 & Nginx 1.14 setup for Docker, build on [Alpine Linux](http://www.alpinelinux.org/).
 The image is only +/- 35MB large.
 
 
+* Built on the lightweight and secure Alpine Linux distribution
+* Very small Docker image size (+/-35MB)
+* Uses PHP 7.2 for better performance, lower cpu usage & memory footprint
+* Optimized for 100 concurrent users
+* Optimized to only use resources when there's traffic (by using PHP-FPM's ondemand PM)
+* The servers Nginx, PHP-FPM and supervisord run under a non-privileged user (nobody) to make it more secure
+* The logs of all the services are redirected to the output of the Docker container (visible with `docker logs -f <container name>`)
+
+
 [![Docker Pulls](https://img.shields.io/docker/pulls/trafex/alpine-nginx-php7.svg)](https://hub.docker.com/r/trafex/alpine-nginx-php7/)
 
-Usage
------
-Start the Docker containers:
+### Breaking changes (26/01/2019)
 
-    docker run -p 80:80 trafex/alpine-nginx-php7
+Please note that the new builds since 26/01/2019 are exposing a different port to access Nginx.
+To be able to run Nginx as a non-privileged user, the port it's running on needed
+to change to a non-privileged port (above 1024).
+
+The last build of the old version that exposed port 80 was `trafex/alpine-nginx-php7:ba1dd422`
+
+## Usage
+
+Start the Docker container:
+
+    docker run -p 80:8080 trafex/alpine-nginx-php7
 
 See the PHP info on http://localhost, or the static html page on http://localhost/test.html

config/fpm-pool.conf

@@ -3,6 +3,18 @@
 error_log = /dev/stderr
 
 [www]
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = 127.0.0.1:9000
+
 ; Enable status page
 pm.status_path = /fpm-status
 
@@ -18,7 +30,7 @@ pm = ondemand
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
-pm.max_children = 50
+pm.max_children = 100
 
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
@@ -29,7 +41,7 @@ pm.process_idle_timeout = 10s;
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
-pm.max_requests = 500
+pm.max_requests = 1000
 
 ; Make sure the FPM workers can reach the environment variables for configuration
 clear_env = no

config/nginx.conf

@@ -1,4 +1,5 @@
 worker_processes  1;
+error_log stderr warn;
 pid /run/nginx.pid;
 
 events {
@@ -20,8 +21,8 @@ http {
     keepalive_timeout  65;
 
     server {
-        listen [::]:80 default_server;
-        listen 80 default_server;
+        listen [::]:8080 default_server;
+        listen 8080 default_server;
         server_name _;
 
         sendfile off;

config/supervisord.conf

@@ -1,5 +1,8 @@
 [supervisord]
 nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+pidfile=/run/supervisord.pid
 
 [program:php-fpm]
 command=php-fpm7 -F