Run the services in the container as non-privileged user

This commit is contained in:
Tim de Pater 2019-01-26 13:54:53 +01:00
parent ba1dd42210
commit 659806c6d0
5 changed files with 65 additions and 16 deletions

@ -11,18 +11,35 @@ RUN apk --no-cache add php7 php7-fpm php7-mysqli php7-json php7-openssl php7-cur
COPY config/nginx.conf /etc/nginx/nginx.conf COPY config/nginx.conf /etc/nginx/nginx.conf
# Configure PHP-FPM # Configure PHP-FPM
COPY config/fpm-pool.conf /etc/php7/php-fpm.d/zzz_custom.conf COPY config/fpm-pool.conf /etc/php7/php-fpm.d/www.conf
COPY config/php.ini /etc/php7/conf.d/zzz_custom.ini COPY config/php.ini /etc/php7/conf.d/zzz_custom.ini
# Configure supervisord # Configure supervisord
COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
# Add application # Make sure files/folders needed by the processes are accessable when they run under the nobody user
RUN mkdir -p /var/www/html RUN touch /run/nginx.pid && \
WORKDIR /var/www/html touch /run/supervisord.pid && \
COPY src/ /var/www/html/ chown -R nobody.nobody /run/nginx.pid && \
chown -R nobody.nobody /run/supervisord.pid && \
chown -R nobody.nobody /var/tmp/nginx && \
chown -R nobody.nobody /var/lib/nginx/logs
EXPOSE 80 # Setup document root
RUN mkdir -p /var/www/html
# Switch to use a non-root user from here on
USER nobody
# Add application
WORKDIR /var/www/html
COPY --chown=nobody src/ /var/www/html/
# Expose the port nginx is reachable on
EXPOSE 8080
# Let supervisord start nginx & php-fpm
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
# Configure a healthcheck to validate that everything is up&running
HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1/fpm-ping HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1/fpm-ping
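Review bot: the HEALTHCHECK at the end of this hunk still probes http://127.0.0.1/fpm-ping, i.e. port 80, while the same hunk changes EXPOSE to 8080 and the nginx.conf hunk in this commit moves both listen directives to 8080, so nothing answers on 80 and the container will flip to unhealthy; change it to `curl --silent --fail http://127.0.0.1:8080/fpm-ping`. Minor: `chown -R nobody.nobody` uses the legacy dot separator, `nobody:nobody` is the POSIX form, and `-R` is unnecessary on the two pid files. Typo in the new comment: "accessable" should be "accessible".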

@ -1,15 +1,31 @@
Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux # Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
==============================================
Example PHP-FPM 7.2 & Nginx 1.14 setup for Docker, build on [Alpine Linux](http://www.alpinelinux.org/). Example PHP-FPM 7.2 & Nginx 1.14 setup for Docker, build on [Alpine Linux](http://www.alpinelinux.org/).
The image is only +/- 35MB large. The image is only +/- 35MB large.
* Built on the lightweight and secure Alpine Linux distribution
* Very small Docker image size (+/-35MB)
* Uses PHP 7.2 for better performance, lower cpu usage & memory footprint
* Optimized for 100 concurrent users
* Optimized to only use resources when there's traffic (by using PHP-FPM's ondemand PM)
* The servers Nginx, PHP-FPM and supervisord run under a non-privileged user (nobody) to make it more secure
* The logs of all the services are redirected to the output of the Docker container (visible with `docker logs -f <container name>`)
[![Docker Pulls](https://img.shields.io/docker/pulls/trafex/alpine-nginx-php7.svg)](https://hub.docker.com/r/trafex/alpine-nginx-php7/) [![Docker Pulls](https://img.shields.io/docker/pulls/trafex/alpine-nginx-php7.svg)](https://hub.docker.com/r/trafex/alpine-nginx-php7/)
Usage ### Breaking changes (26/01/2019)
-----
Start the Docker containers:
docker run -p 80:80 trafex/alpine-nginx-php7 Please note that the new builds since 26/01/2019 are exposing a different port to access Nginx.
To be able to run Nginx as a non-privileged user, the port it's running on needed
to change to a non-privileged port (above 1024).
The last build of the old version that exposed port 80 was `trafex/alpine-nginx-php7:ba1dd422`
## Usage
Start the Docker container:
docker run -p 80:8080 trafex/alpine-nginx-php7
See the PHP info on http://localhost, or the static html page on http://localhost/test.html See the PHP info on http://localhost, or the static html page on http://localhost/test.html
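Review bot: the breaking-changes paragraph only says the port is "different" and "above 1024"; state the actual port (8080, as the new `docker run -p 80:8080` line shows) so readers who stop at that section get the mapping right. The feature bullet "to make it more secure" would be more useful if it said what it buys: a compromise of nginx or a PHP script now lands in an unprivileged process instead of root inside the container. Also, in the unchanged description line "build on" should read "built on".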

@ -3,6 +3,18 @@
error_log = /dev/stderr error_log = /dev/stderr
[www] [www]
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
; Enable status page ; Enable status page
pm.status_path = /fpm-status pm.status_path = /fpm-status
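Review bot: binding the pool to 127.0.0.1:9000 is the right choice now that php-fpm runs as nobody: a unix socket under /run would have needed the same touch/chown treatment as the pid files, and the loopback address is unreachable from outside the container because nginx and php-fpm share its network namespace. The eleven-line comment block pasted from the stock php-fpm www.conf can be trimmed to one line saying exactly that. Worth noting in the same comment that this file now replaces www.conf (per the Dockerfile hunk), which is why the mandatory `listen` had to be added here.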
@ -18,7 +30,7 @@ pm = ondemand
; forget to tweak pm.* to fit your needs. ; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory. ; Note: This value is mandatory.
pm.max_children = 50 pm.max_children = 100
; The number of seconds after which an idle process will be killed. ; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand' ; Note: Used only when pm is set to 'ondemand'
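Review bot: doubling pm.max_children (50 to 100) is unrelated to the stated purpose of the commit and raises the memory ceiling of the container: with pm = ondemand workers are spawned as traffic arrives, so under load up to 100 php-fpm processes can coexist, each bounded only by PHP's memory_limit. Either split this into its own commit or call it out in the commit message; the README bullet "Optimized for 100 concurrent users" appears to be the motivation and should be kept in step with this value.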
@ -29,7 +41,7 @@ pm.process_idle_timeout = 10s;
; This can be useful to work around memory leaks in 3rd party libraries. For ; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0 ; Default Value: 0
pm.max_requests = 500 pm.max_requests = 1000
; Make sure the FPM workers can reach the environment variables for configuration ; Make sure the FPM workers can reach the environment variables for configuration
clear_env = no clear_env = no
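Review bot: pm.max_requests 500 to 1000 is tuning unrelated to this commit's subject, same as the max_children change; mention it in the message or split it out. On the unchanged `clear_env = no` context line: with this setting every environment variable of the container, including anything passed via `docker run -e`, is readable by PHP code through getenv(), so the README should tell users who pass secrets into the container to prefer explicit `env[NAME] = $NAME` entries for the variables the application actually needs.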

@ -1,4 +1,5 @@
worker_processes 1; worker_processes 1;
error_log stderr warn;
pid /run/nginx.pid; pid /run/nginx.pid;
events { events {
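Review bot: `error_log stderr warn;` covers only the error log, while the README in this commit claims the logs of all services go to the container output; the access_log directive is not in this hunk, so confirm it also points at /dev/stdout or is disabled deliberately. A short comment would also help here: nginx opens its compiled-in default error log path before this directive is parsed, which is most likely why the Dockerfile has to chown /var/lib/nginx/logs to nobody.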
@ -20,8 +21,8 @@ http {
keepalive_timeout 65; keepalive_timeout 65;
server { server {
listen [::]:80 default_server; listen [::]:8080 default_server;
listen 80 default_server; listen 8080 default_server;
server_name _; server_name _;
sendfile off; sendfile off;
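Review bot: with both listen directives moved to 8080 nothing in the container listens on 80 any more, so the HEALTHCHECK in the Dockerfile, which still curls http://127.0.0.1/fpm-ping without a port, needs `:8080` or it will fail once the container starts. Consider a comment on the listen lines noting that 8080 was chosen because binding below 1024 requires root or CAP_NET_BIND_SERVICE, which the `nobody` user does not have.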

@ -1,5 +1,8 @@
[supervisord] [supervisord]
nodaemon=true nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/run/supervisord.pid
[program:php-fpm] [program:php-fpm]
command=php-fpm7 -F command=php-fpm7 -F
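Review bot: `logfile=/dev/null` discards supervisord's own messages (process start, exit status, restart attempts), which are the first thing to look at when nginx or php-fpm dies inside the container; since the README states that all service logs go to the container output, `logfile=/dev/stdout` with the same `logfile_maxbytes=0` (rotation must stay off for a device file) would be consistent with that claim. The pidfile matches the /run/supervisord.pid that the Dockerfile pre-creates and chowns to nobody, so that part lines up.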