Run the services in the container as non-privileged user

2024-11-22 23:08:15 +08:00 · 2019-01-26 13:54:53 +01:00 · 2019-01-26 13:54:53 +01:00 · 659806c6d0
commit 659806c6d0
parent ba1dd42210
5 changed files with 65 additions and 16 deletions
--- a/29
+++ b/29
@ -11,18 +11,35 @@ RUN apk --no-cache add php7 php7-fpm php7-mysqli php7-json php7-openssl php7-cur
 COPY config/nginx.conf /etc/nginx/nginx.conf
 # Configure PHP-FPM
-COPY config/fpm-pool.conf /etc/php7/php-fpm.d/zzz_custom.conf
+COPY config/fpm-pool.conf /etc/php7/php-fpm.d/www.conf
 COPY config/php.ini /etc/php7/conf.d/zzz_custom.ini
 # Configure supervisord
 COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-# Add application
+# Make sure files/folders needed by the processes are accessable when they run under the nobody user
-RUN mkdir -p /var/www/html
+RUN touch /run/nginx.pid && \
-WORKDIR /var/www/html
+  touch /run/supervisord.pid && \
-COPY src/ /var/www/html/
+  chown -R nobody.nobody /run/nginx.pid && \
  chown -R nobody.nobody /run/supervisord.pid && \
  chown -R nobody.nobody /var/tmp/nginx && \
  chown -R nobody.nobody /var/lib/nginx/logs
-EXPOSE 80
+# Setup document root
 RUN mkdir -p /var/www/html
 # Switch to use a non-root user from here on
 USER nobody
 # Add application
 WORKDIR /var/www/html
 COPY --chown=nobody src/ /var/www/html/
 # Expose the port nginx is reachable on
 EXPOSE 8080
 # Let supervisord start nginx & php-fpm
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
 # Configure a healthcheck to validate that everything is up&running
 HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1/fpm-ping
--- a/README.md
+++ b/README.md
@ -1,15 +1,31 @@
-Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
+# Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
 ==============================================
 Example PHP-FPM 7.2 & Nginx 1.14 setup for Docker, build on [Alpine Linux](http://www.alpinelinux.org/).
 The image is only +/- 35MB large.
 * Built on the lightweight and secure Alpine Linux distribution
 * Very small Docker image size (+/-35MB)
 * Uses PHP 7.2 for better performance, lower cpu usage & memory footprint
 * Optimized for 100 concurrent users
 * Optimized to only use resources when there's traffic (by using PHP-FPM's ondemand PM)
 * The servers Nginx, PHP-FPM and supervisord run under a non-privileged user (nobody) to make it more secure
 * The logs of all the services are redirected to the output of the Docker container (visible with `docker logs -f <container name>`)
 [![Docker Pulls](https://img.shields.io/docker/pulls/trafex/alpine-nginx-php7.svg)](https://hub.docker.com/r/trafex/alpine-nginx-php7/)
-Usage
+### Breaking changes (26/01/2019)
 -----
 Start the Docker containers:
-    docker run -p 80:80 trafex/alpine-nginx-php7
+Please note that the new builds since 26/01/2019 are exposing a different port to access Nginx.
 To be able to run Nginx as a non-privileged user, the port it's running on needed
 to change to a non-privileged port (above 1024).
 The last build of the old version that exposed port 80 was `trafex/alpine-nginx-php7:ba1dd422`
 ## Usage
 Start the Docker container:
    docker run -p 80:8080 trafex/alpine-nginx-php7
 See the PHP info on http://localhost, or the static html page on http://localhost/test.html
--- a/config/fpm-pool.conf
+++ b/config/fpm-pool.conf
@ -3,6 +3,18 @@
 error_log = /dev/stderr
 [www]
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
 ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
 ;                            a specific port;
 ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
 ;                            a specific port;
 ;   'port'                 - to listen on a TCP socket to all addresses
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
 listen = 127.0.0.1:9000
 ; Enable status page
 pm.status_path = /fpm-status
@ -18,7 +30,7 @@ pm = ondemand
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
-pm.max_children = 50
+pm.max_children = 100
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
@ -29,7 +41,7 @@ pm.process_idle_timeout = 10s;
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
-pm.max_requests = 500
+pm.max_requests = 1000
 ; Make sure the FPM workers can reach the environment variables for configuration
 clear_env = no
--- a/config/nginx.conf
+++ b/config/nginx.conf
@ -1,4 +1,5 @@
 worker_processes  1;
 error_log stderr warn;
 pid /run/nginx.pid;
 events {
@ -20,8 +21,8 @@ http {
    keepalive_timeout  65;
    server {
-        listen [::]:80 default_server;
+        listen [::]:8080 default_server;
-        listen 80 default_server;
+        listen 8080 default_server;
        server_name _;
        sendfile off;
--- a/config/supervisord.conf
+++ b/config/supervisord.conf
@ -1,5 +1,8 @@
 [supervisord]
 nodaemon=true
 logfile=/dev/null
 logfile_maxbytes=0
 pidfile=/run/supervisord.pid
 [program:php-fpm]
 command=php-fpm7 -F