Running processes without root user in webdevops/php-nginx containers #510

Open
edo-aleix-penella opened this issue Feb 6, 2024 · 0 comments


edo-aleix-penella commented Feb 6, 2024

Hi there!

I hope this message finds you well. First and foremost, I wanted to thank you for the work you've been doing on the webdevops project :)

I am reaching out with a specific query regarding the webdevops/php-nginx image within the project. My idea is to initiate a container from this image without running processes under the root user. I believe this adjustment could enhance the security and robustness of my containerized applications.

I tried to find similar issues or solutions within the project's repository. However, I was unable to find any related issue that could address my query. Therefore, I kindly request your assistance in exploring the feasibility of initiating containers from the webdevops/php-nginx image without running processes under the root user.

Let me give you a little context and explain the main steps I followed before opening this issue.

Background

As I said, I want to use the webdevops/php-nginx image as the base for a PHP application and want to ensure that processes inside the container do not run as the root user.
I've consulted the documentation for the webdevops/php-nginx image, which indicates that the application user is available and supervisord's daemon runs under that user. However, when executing a top command within a running container, I observed some processes executed by the root user.
I also attempted to set the SERVICE_SUPERVISOR_USER environment variable as application, but supervisord fails with the error Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13).

How to reproduce

  1. I created a new Docker image from the webdevops/php-nginx:8.2-alpine image. The PHP code is placed in /var/www/app/public. Below is the command I used to initiate the container with the application:
 $ docker run --user application --rm --name my-app -e WEB_DOCUMENT_ROOT=/var/www/app/public -p 80:80 myregistry/my-app:8.2-alpine
-> Executing /opt/docker/provision/entrypoint.d/05-permissions.sh
-> Executing /opt/docker/provision/entrypoint.d/20-nginx.sh
-> Executing /opt/docker/provision/entrypoint.d/20-php-fpm.sh
-> Executing /opt/docker/provision/entrypoint.d/20-php.sh
-> Executing /opt/docker/bin/service.d/supervisor.d//10-init.sh
2024-02-06 10:20:50,574 INFO Included extra file "/opt/docker/etc/supervisor.d/cron.conf" during parsing
2024-02-06 10:20:50,575 INFO Included extra file "/opt/docker/etc/supervisor.d/dnsmasq.conf" during parsing
2024-02-06 10:20:50,576 INFO Included extra file "/opt/docker/etc/supervisor.d/nginx.conf" during parsing
2024-02-06 10:20:50,576 INFO Included extra file "/opt/docker/etc/supervisor.d/php-fpm.conf" during parsing
2024-02-06 10:20:50,577 INFO Included extra file "/opt/docker/etc/supervisor.d/postfix.conf" during parsing
2024-02-06 10:20:50,578 INFO Included extra file "/opt/docker/etc/supervisor.d/ssh.conf" during parsing
2024-02-06 10:20:50,578 INFO Included extra file "/opt/docker/etc/supervisor.d/syslog.conf" during parsing
2024-02-06 10:20:50,578 INFO Set uid to user 0 succeeded
2024-02-06 10:20:50,581 INFO RPC interface 'supervisor' initialized
2024-02-06 10:20:50,582 INFO supervisord started with pid 1
2024-02-06 10:20:51,585 INFO spawned: 'syslogd' with pid 46
2024-02-06 10:20:51,590 INFO spawned: 'nginxd' with pid 47
2024-02-06 10:20:51,620 INFO spawned: 'php-fpmd' with pid 49
2024-02-06 10:20:51,625 INFO spawned: 'crond' with pid 50
-> Executing /opt/docker/bin/service.d/syslog-ng.d//10-init.sh
-> Executing /opt/docker/bin/service.d/nginx.d//10-init.sh
-> Executing /opt/docker/bin/service.d/php-fpm.d//10-init.sh
Setting php-fpm user to 1000
2024-02-06 10:20:51,648 INFO success: nginxd entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2024-02-06 10:20:51,649 INFO success: php-fpmd entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
2024-02-06 10:20:51,650 INFO success: crond entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
-> Executing /opt/docker/bin/service.d/cron.d//10-init.sh
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /opt/docker/etc/nginx/vhost.ssl.conf:1
[2024-02-06T10:20:51.691047] WARNING: Your configuration file uses an obsoleted keyword, please update your configuration; keyword='stats_freq', change='Use the stats() block. E.g. stats(freq(1));', location='/etc/syslog-ng/syslog-ng.conf:19:5'
crond[50]: crond (busybox 1.36.1) started, log level 8
[SYSLOG] syslog-ng[46]: syslog-ng starting up; version='4.5.0'
[06-Feb-2024 10:20:51] NOTICE: fpm is running, pid 49
[06-Feb-2024 10:20:51] NOTICE: ready to handle connections
2024-02-06 10:20:52,796 INFO success: syslogd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

...
  2. I executed the top command inside the container. There you can see processes running as root.
~ $ docker exec -it my-app top
Mem: 1352044K used, 3760000K free, 6044K shrd, 98876K buff, 905600K cached
CPU:   0% usr   0% sys   0% nic 100% idle   0% io   0% irq   0% sirq
Load average: 0.00 0.00 0.00 1/216 73
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
   67    49 applicat S     442m   9%   0   0% php-fpm: pool www
   68    49 applicat S     442m   9%   0   0% php-fpm: pool www
   49     1 root     S     442m   9%   0   0% php-fpm: master process (/usr/local/etc/php-fpm.conf)
    1     0 root     S    29312   1%   0   0% {supervisord} /usr/bin/python3 /usr/bin/supervisord -c /opt/docker/etc/supervisor.conf --logfile /dev/null --pidfile /dev/nu
   46     1 root     S    10744   0%   0   0% syslog-ng -F --no-caps -p /var/run/syslog-ng.pid
   64    47 nginx    S     8396   0%   0   0% nginx: worker process
   47     1 root     S     7940   0%   0   0% nginx: master process /usr/sbin/nginx -g daemon off;
   69     0 applicat R     1616   0%   0   0% top
   50     1 root     S     1604   0%   0   0% /usr/sbin/crond -f
  3. I started a new container with the SERVICE_SUPERVISOR_USER environment variable set to application. However, supervisord failed with the following error:
 $ docker run --user application --rm --name my-app -e SERVICE_SUPERVISOR_USER=application -e WEB_DOCUMENT_ROOT=/var/www/app/public -p 80:80 myregistry/my-app:8.2-alpine-master
-> Executing /opt/docker/provision/entrypoint.d/05-permissions.sh
-> Executing /opt/docker/provision/entrypoint.d/20-nginx.sh
-> Executing /opt/docker/provision/entrypoint.d/20-php-fpm.sh
-> Executing /opt/docker/provision/entrypoint.d/20-php.sh
-> Executing /opt/docker/bin/service.d/supervisor.d//10-init.sh
2024-02-06 10:43:16,919 INFO Included extra file "/opt/docker/etc/supervisor.d/cron.conf" during parsing
2024-02-06 10:43:16,919 INFO Included extra file "/opt/docker/etc/supervisor.d/dnsmasq.conf" during parsing
2024-02-06 10:43:16,920 INFO Included extra file "/opt/docker/etc/supervisor.d/nginx.conf" during parsing
2024-02-06 10:43:16,920 INFO Included extra file "/opt/docker/etc/supervisor.d/php-fpm.conf" during parsing
2024-02-06 10:43:16,920 INFO Included extra file "/opt/docker/etc/supervisor.d/postfix.conf" during parsing
2024-02-06 10:43:16,921 INFO Included extra file "/opt/docker/etc/supervisor.d/ssh.conf" during parsing
2024-02-06 10:43:16,921 INFO Included extra file "/opt/docker/etc/supervisor.d/syslog.conf" during parsing
2024-02-06 10:43:16,921 INFO Set uid to user 1000 succeeded
Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13)
For help, use /usr/bin/supervisord -h

Thank you for considering my request, and I look forward to the opportunity to collaborate with you in addressing this matter.
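
As an added example that is not part of this issue or of the webdevops project, the following POSIX shell script turns the two observations above into repeatable checks: a process-table audit that fails when any process inside the container runs as root (what the top output in step 2 shows), and a parser for supervisord's [unix_http_server] / [inet_http_server] sections that reports the two usual causes of the EACCES error in step 3, namely a socket directory the unprivileged uid cannot write to, or a TCP port below 1024. The sample process list, the sample config and the path ${TMPDIR:-/tmp}/supervisor-sample.conf are constructed for illustration; the image's real /opt/docker/etc/supervisor.conf is not shown on this page and may differ.

```shell
#!/bin/sh
# Added example (not from the webdevops repository): two checks for the
# "no root processes" goal raised in the issue. Paths, the sample process
# list and the sample supervisord config are constructed for illustration.

# --- 1. Process-table audit --------------------------------------------------
# Read `ps -o pid,user,comm` output on stdin, print "pid command" for every
# process owned by root (header skipped) and exit 1 if any were found, so the
# function can gate a CI job or a readiness check.
root_processes() {
  awk 'NR > 1 && $2 == "root" {
         cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd " " $i
         print $1, cmd; found = 1
       }
       END { exit (found ? 1 : 0) }'
}

# --- 2. supervisord RPC listener check ---------------------------------------
# supervisord opens its RPC socket from [unix_http_server] (file=...) and/or
# [inet_http_server] (port=...). When it drops privileges to a non-root uid,
# bind() fails with EACCES if the socket's directory is not writable by that
# uid, or if the TCP port is below 1024 and the process lacks
# CAP_NET_BIND_SERVICE; that is what "Cannot open an HTTP server:
# socket.error reported errno.EACCES (13)" reports.
# Print "unix <path>" / "inet <port>" for each listener configured in file $1.
supervisor_listeners() {
  awk '
    /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section); next }
    section == "unix_http_server" && /^[ \t]*file[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); print "unix", $1
    }
    section == "inet_http_server" && /^[ \t]*port[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); n = split($1, a, ":"); print "inet", a[n]
    }
  ' "$1"
}

# Classify one listener for the calling uid. Prints "ok" or "eacces: <why>".
# Run it as the target user (e.g. `docker exec --user application ...`), since
# [ -w ] tests the caller's own permissions, not another account's.
check_listener() {
  kind=$1; target=$2
  case $kind in
    inet)
      if [ "$target" -lt 1024 ]; then
        echo "eacces: port $target is privileged; non-root needs CAP_NET_BIND_SERVICE or a port >= 1024"
      else
        echo "ok"
      fi ;;
    unix)
      dir=$(dirname "$target")
      if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo "ok"
      else
        echo "eacces: $dir is not writable by uid $(id -u), so supervisord cannot create $target"
      fi ;;
    *) echo "unknown listener kind: $kind" ;;
  esac
}

# Run check_listener over every listener found in config file $1.
check_supervisor_conf() {
  supervisor_listeners "$1" | while read -r kind target; do
    printf '%s %s -> %s\n' "$kind" "$target" "$(check_listener "$kind" "$target")"
  done
}

# --- Demo on constructed input -----------------------------------------------
# Inside a real container:
#   docker exec --user application my-app ps -o pid,user,comm | root_processes
if ! printf '%s\n' 'PID   USER        COMMAND' \
                   '1     root        supervisord' \
                   '46    root        syslog-ng' \
                   '47    root        nginx' \
                   '64    nginx       nginx' \
                   '49    root        php-fpm' \
                   '67    application php-fpm' | root_processes; then
  echo "audit: root-owned processes present (listed above)"
fi

# Constructed supervisord config; the image's real supervisor.conf may differ.
SAMPLE_CONF=${TMPDIR:-/tmp}/supervisor-sample.conf
cat > "$SAMPLE_CONF" <<'EOF'
[unix_http_server]
file = /var/run/supervisord.sock

[inet_http_server]
port = 127.0.0.1:80

[supervisord]
nodaemon = true
EOF
check_supervisor_conf "$SAMPLE_CONF"
```

Run the process audit and the config check as the same uid supervisord will switch to (for example via docker exec --user application), because the unix-socket branch relies on [ -w ] and only answers for the caller's own permissions; the port branch is independent of who runs it.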
