
Run the app container as a non-root user (nobody:nogroup) #263

Closed
wants to merge 1 commit into from

Conversation

ucan-lab

@ucan-lab ucan-lab commented May 2, 2024

Problem

When a file system is bind mounted in a container, the uid and gid are used as they are between the host machine and the container, causing a problem where the owner of the file written by the container becomes the root user.

See #258

One possibility is to run Docker itself in rootless mode, but it also seems possible to assign non-root users the same UID and GID as Linux.

Run the container as nobody:nogroup, which is the opposite of the root user.

Operation confirmation

$ task for-linux-env # Linux environment only
$ task create-project

# or...

$ make for-linux-env # Linux environment only
$ make create-project

# or...

$ echo "UID=$(id -u)" >> .env # Linux environment only
$ echo "GID=$(id -g)" >> .env # Linux environment only

$ mkdir -p src
$ docker compose build
$ docker compose up -d
$ docker compose exec app composer create-project --prefer-dist laravel/laravel .
$ docker compose exec app php artisan key:generate
$ docker compose exec app php artisan storage:link
$ docker compose exec app chmod -R 777 storage bootstrap/cache
$ docker compose exec app php artisan migrate

http://localhost

@ucan-lab ucan-lab added the enhancement New feature or request label May 2, 2024
@ucan-lab ucan-lab self-assigned this May 2, 2024
@ucan-lab ucan-lab force-pushed the feat-258-nobody-nogroup branch 2 times, most recently from e8c891c to 3119ff8 Compare May 2, 2024 09:17
@ucan-lab ucan-lab changed the title Run the app container as a non-root user (nobody:nogroup) Run the app container as a non-root user May 2, 2024
@ucan-lab ucan-lab added the help wanted Extra attention is needed label May 2, 2024
@ucan-lab ucan-lab force-pushed the feat-258-nobody-nogroup branch 3 times, most recently from 05a9603 to b691b75 Compare May 2, 2024 09:35
@ucan-lab ucan-lab removed the help wanted Extra attention is needed label May 2, 2024
@ucan-lab ucan-lab force-pushed the feat-258-nobody-nogroup branch 2 times, most recently from 3004d41 to 24a8544 Compare May 3, 2024 03:21
@ucan-lab ucan-lab changed the title Run the app container as a non-root user Run the app container as a non-root user(nobody:nogroup) May 3, 2024
@ucan-lab

ucan-lab commented May 3, 2024

Even if I gave write permission to the nobody user, writing would fail, so I switched to creating a new user.
#264
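The approach the description works toward (a non-root user whose UID/GID match the host user) and the follow-up's switch from nobody:nogroup to a dedicated user, as an added example that is not this project's Dockerfile. The base image, the user name `app`, the path `/var/www/html` and the default ids are assumptions; the build args are meant to be fed from the `UID`/`GID` lines the description appends to `.env`.

```dockerfile
# Added example (not the project's own Dockerfile): build-time UID/GID arguments
# so the unprivileged in-container user matches the host user that owns the
# bind-mounted source tree. Image, user name and paths are assumptions.
FROM php:8.3-fpm-bookworm

# Defaults apply when no build args are passed (Docker Desktop on macOS/Windows
# maps ownership itself); on Linux pass the host ids, e.g. from .env via
# compose `build.args`, or directly:
#   docker compose build --build-arg UID=$(id -u) --build-arg GID=$(id -g)
ARG UID=1000
ARG GID=1000

# Create a dedicated group/user with those ids instead of reusing nobody:nogroup,
# whose fixed uid (65534) never matches a normal host user, so a bind mount
# written by the container would still not be writable/owned as expected.
# The group may already exist under another name (macOS staff=20, Debian
# users=100); a numeric --gid works either way. The build fails if the uid is
# already taken in the base image, which is better than silently sharing it.
RUN set -eux; \
    getent group "${GID}" >/dev/null || groupadd --gid "${GID}" app; \
    useradd --uid "${UID}" --gid "${GID}" --create-home --shell /bin/bash app; \
    mkdir -p /var/www/html; \
    chown -R "${UID}:${GID}" /var/www/html

WORKDIR /var/www/html

# Drop privileges: everything from here, including every
# `docker compose exec app ...`, runs as app, so files it writes into the
# bind mount are owned by the host user rather than root.
USER app
```

After `docker compose up -d`, `stat -c '%u:%g' src/<file written by the container>` on the Linux host should print the same ids as `id -u`/`id -g`; a `0:0` result means the build args did not reach the image.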

@ucan-lab ucan-lab closed this May 3, 2024