How to run only one thing as root in docker - symfony

I'm trying to create a Dockerfile which runs as a non-root user.
When I build it, everything works fine, but nginx cannot write the log file because it doesn't have enough permissions. Can I, when building a Docker image, give root permissions only to nginx?
I tried chmod and chown on the blocked directories. It doesn't work.
FROM php:7.1-fpm-alpine
# shadow provides usermod/groupmod, which BusyBox does not ship
RUN apk add --no-cache shadow
RUN apk add --no-cache --virtual .ext-deps \
        openssl \
        unzip \
        libjpeg-turbo-dev \
        libwebp-dev \
        libpng-dev \
        freetype-dev \
        libmcrypt-dev \
        imagemagick-dev \
        nodejs-npm \
        nginx \
        git \
        inkscape
# imagick: the build toolchain is installed only for the pecl build and removed again
RUN apk add --update --no-cache autoconf g++ imagemagick-dev libtool make pcre-dev \
    && pecl install imagick \
    && docker-php-ext-enable imagick \
    && apk del autoconf g++ libtool make pcre-dev
# Install Blackfire (the probe is fetched over HTTPS but the archive is not checksum-verified)
RUN version=$(php -r "echo PHP_MAJOR_VERSION.PHP_MINOR_VERSION;") \
    && curl -A "Docker" -o /tmp/blackfire-probe.tar.gz -D - -L -s https://blackfire.io/api/v1/releases/probe/php/linux/amd64/$version \
    && tar zxpf /tmp/blackfire-probe.tar.gz -C /tmp \
    && mv /tmp/blackfire-*.so $(php -r "echo ini_get('extension_dir');")/blackfire.so \
    && printf "extension=blackfire.so\nblackfire.agent_socket=tcp://blackfire:8707\n" > $PHP_INI_DIR/conf.d/blackfire.ini
# apk is non-interactive and has no -y flag
RUN apk add --no-cache icu-dev \
    && docker-php-ext-configure intl \
    && docker-php-ext-install intl
RUN docker-php-ext-configure pdo_mysql && \
    docker-php-ext-configure opcache && \
    docker-php-ext-configure exif && \
    docker-php-ext-configure pdo && \
    docker-php-ext-configure zip && \
    docker-php-ext-configure gd \
        --with-jpeg-dir=/usr/include --with-png-dir=/usr/include --with-webp-dir=/usr/include --with-freetype-dir=/usr/include && \
    docker-php-ext-configure sockets && \
    docker-php-ext-configure mcrypt
RUN docker-php-ext-install pdo zip pdo_mysql opcache exif gd sockets mcrypt && \
    docker-php-source delete
# The Composer installer is piped straight into php without verifying its signature
RUN ln -s /usr/bin/php7 /usr/bin/php && \
    curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer && \
    mkdir -p /run/nginx
COPY ./init.sh /
COPY ./default.conf /etc/nginx/conf.d/default.conf
# .env is baked into an image layer: anyone who can pull the image can read it
COPY ./.env /
RUN chmod +x /init.sh
EXPOSE 80
# Create the unprivileged user, then remap its uid/gid to the build arguments
RUN addgroup -g 1001 node \
    && adduser -u 1001 -G node -s /bin/sh -D node
ARG UID=1001
ARG GID=1001
ENV UID=${UID}
ENV GID=${GID}
RUN usermod -u $UID node \
    && groupmod -g $GID node
# Only these two trees are handed to the user (with the literal uid, not $UID);
# /var/log/nginx and /run/nginx stay root-owned
RUN chown 1001:1001 /var/lib/nginx -R
RUN mkdir -p /var/tmp/nginx
RUN chown 1001:1001 /var/tmp/nginx -R
# Everything from here on, including the entrypoint, runs unprivileged
USER node
ENTRYPOINT [ "/init.sh" ]

There are quite a few unknowns in your question, for example the contents of your default.conf file. By default the nginx logs are stored in /var/log/nginx, but I'll assume you're overriding that in the configuration.
The next thing is that the master process of nginx needs to run as root if you want it to be able to bind to system ports (0 - 1023), so if you are using nginx as a web server and intend to use ports 80 and 443 you should stick with running the nginx process as root.
In case you plan to use other ports and are set on the idea of running the master process as non-root, then you can check this answer for suggestions on how to do that - https://stackoverflow.com/a/42329561/5359953
I am using the term master process a lot here, because nginx spawns worker processes to handle the actual requests and those can be run as a different user (defined in the nginx configuration file).

I found the solution. I just changed RUN chown 1001:1001 /var/lib/nginx -R to RUN chown -R 1001:1001 /var/. That works fine.

RUN chown -R 1001:1001 /var/
Sometimes that will actually be a bad decision.
You can try adding permissions like this:
RUN chown -R 1001:1001 /var/tmp/nginx
RUN chown -R 1001:1001 /var/lib/nginx
RUN chown -R 1001:1001 /var/log/nginx
RUN chown -R 1001:1001 /run/nginx
I guess RUN chown 1001:1001 /var/lib/nginx -R worked wrong because I set the -R flag too late.
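Added example (shell; not code from the question or from any of the answers above). The answers hand-pick directories to chown; this script derives the list from the nginx config itself, which is the check to run before deciding an image is "fixed". It assumes the write paths come from the usual directives (pid, error_log, access_log, the *_temp_path directives and proxy_cache_path) and that nginx listens on an unprivileged port so nothing needs root at all. If the master must keep port 80, the alternatives to running it as root are `setcap cap_net_bind_service=+ep` on the nginx binary or starting the container with `--sysctl net.ipv4.ip_unprivileged_port_start=0`. The sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Derives the list of
# directories a non-root nginx must be able to write from nginx.conf, so the chown
# lines in the Dockerfile follow from the config instead of being guessed.
# Assumption: write paths come from these directives (pid, error_log, access_log,
# the *_temp_path directives and proxy_cache_path); add others your config uses.

# nginx_writable_dirs CONF -> one directory per line, sorted, de-duplicated
nginx_writable_dirs() {
    sed -e 's/#.*$//' "$1" \
    | tr ';' '\n' \
    | awk '
        $1 ~ /^(pid|error_log|access_log|client_body_temp_path|proxy_temp_path|fastcgi_temp_path|uwsgi_temp_path|scgi_temp_path|proxy_cache_path)$/ {
            p = $2
            # off, stderr, /dev/* and syslog/memory targets need no writable directory
            if (p == "off" || p == "stderr" || p ~ /^\/dev\// || p ~ /^(syslog|memory):/) next
            # file directives: keep the containing directory; *_path directives are directories
            if ($1 !~ /_path$/) sub(/\/[^\/]*$/, "", p)
            if (p == "") p = "/"
            print p
        }' \
    | LC_ALL=C sort -u
}

# nginx_check_writable CONF -> 0 when every directory exists and is writable by the
# current user. Run it inside the image as the Dockerfile's USER, for example
#   docker run --rm -u 1001:1001 IMAGE sh /check.sh /etc/nginx/nginx.conf
# (paths containing whitespace are not handled by the word splitting below)
nginx_check_writable() {
    rc=0
    for d in $(nginx_writable_dirs "$1"); do
        if [ ! -d "$d" ] || [ ! -w "$d" ]; then
            echo "uid $(id -u) cannot write to $d" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config: nginx moved to an unprivileged port so the master
# process needs no root, with explicit temp paths outside /var/lib/nginx.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
pid /run/nginx/nginx.pid;
error_log /var/log/nginx/error.log warn;
events { worker_connections 1024; }
http {
    access_log /var/log/nginx/access.log;
    client_body_temp_path /var/tmp/nginx/client_body;
    fastcgi_temp_path /var/tmp/nginx/fastcgi;
    proxy_temp_path /var/tmp/nginx/proxy;
    server {
        listen 8080;
        access_log off;   # per-server override: no extra directory
        location / { fastcgi_pass 127.0.0.1:9000; }
    }
}
EOF
echo "directories the Dockerfile must chown to the nginx uid:"
nginx_writable_dirs "$SAMPLE_CONF"
nginx_check_writable "$SAMPLE_CONF" || echo "(expected to fail outside the image)"
```

For the sample config the first function prints /run/nginx, /var/log/nginx and the three temp directories, which is exactly the chown list the last answer arrived at by trial and error, minus anything the config never writes to. The real acceptance test is still starting the container as that uid and watching nginx's startup output for "Permission denied".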

Related

Getting an error while starting up nginx container

I'm using a Dockerfile to create an nginx image. It is created successfully, but when I try to start the container I get the error below:
Error - exec /docker-entrypoint.sh: no such file or directory
If I use /bin/bash as the entrypoint, I can see that /docker-entrypoint.sh is present inside the image.
FROM linux:8
ARG USER="oracle"
RUN useradd --create-home --home-dir /app --shell /bin/bash ${USER} && \
    dnf update -y && \
    dnf module install -y nginx:1.20 && \
    dnf clean all && \
    # send the logs to the container's stdout/stderr
    ln -sf /dev/stdout /var/log/nginx/access.log && \
    ln -sf /dev/stderr /var/log/nginx/error.log && \
    mkdir /var/cache/nginx && \
    chown -R ${USER}:${USER} /var/cache/nginx && \
    chmod -R 775 /var/cache/nginx && \
    chown -R ${USER}:${USER} /var/lib/nginx && \
    chown -R ${USER}:${USER} /var/log/nginx && \
    # the service user also owns its own configuration, so a compromised worker can rewrite /etc/nginx
    chown -R ${USER}:${USER} /etc/nginx && \
    chmod -R 775 /etc/nginx
COPY --chown=oracle:oracle conf.d /etc/nginx/conf.d
COPY --chown=oracle:oracle nginx.conf /etc/nginx/
COPY --chown=oracle:oracle docker-entrypoint.d /docker-entrypoint.d
COPY --chown=oracle:oracle docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
USER ${USER}
WORKDIR /app
STOPSIGNAL SIGQUIT
EXPOSE 8000
CMD ["nginx", "-g", "daemon off;"]
Try replacing ENTRYPOINT ["/docker-entrypoint.sh"] with ENTRYPOINT ["bash", "/docker-entrypoint.sh"].
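Added example (shell; not part of the question or the answer above). `exec` reporting "no such file or directory" for a file that is present almost always means the kernel could not find the interpreter named on the shebang line: either the script was saved with Windows line endings (`#!/bin/bash` followed by a carriage return) or `/bin/bash` is simply not installed in the image. Running it as `bash /docker-entrypoint.sh` sidesteps the kernel's interpreter lookup, but every other CRLF line still reaches the commands it runs. The functions below classify the failure and strip the carriage returns; the sample entrypoint is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the question or answer. Diagnoses why `exec FILE` fails with
# "no such file or directory" although FILE exists: the kernel reports ENOENT for the
# interpreter on the shebang line, not for the script.

# entrypoint_diagnose FILE -> prints one of:
#   ok, no-file, not-executable, crlf-shebang, no-shebang, missing-interpreter
entrypoint_diagnose() {
    f=$1
    cr=$(printf '\r')
    [ -f "$f" ] || { echo no-file; return 1; }
    [ -x "$f" ] || { echo not-executable; return 1; }
    first=$(head -n 1 "$f")
    case $first in
        *"$cr"*) echo crlf-shebang; return 1 ;;   # "#!/bin/bash\r": Windows line endings
        '#!'*) ;;
        *) echo no-shebang; return 1 ;;
    esac
    set -- ${first#??}                  # words after "#!": interpreter [argument]
    interp=$1
    # "#!/usr/bin/env bash" resolves the second word on PATH
    if [ "$interp" = /usr/bin/env ]; then interp=$(command -v "$2" 2>/dev/null); fi
    [ -n "$interp" ] && [ -x "$interp" ] || { echo missing-interpreter; return 1; }
    echo ok
}

# entrypoint_fix_crlf FILE -> removes every carriage return in place, keeping the file mode
entrypoint_fix_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Demo on a constructed entrypoint saved with CRLF line endings
DEMO=$(mktemp -d)
printf '#!/bin/bash\r\nexec nginx -g "daemon off;"\r\n' > "$DEMO/docker-entrypoint.sh"
chmod +x "$DEMO/docker-entrypoint.sh"
echo "before: $(entrypoint_diagnose "$DEMO/docker-entrypoint.sh")"
entrypoint_fix_crlf "$DEMO/docker-entrypoint.sh"
echo "after:  $(entrypoint_diagnose "$DEMO/docker-entrypoint.sh")"   # ok when /bin/bash exists
```

Run the diagnose function against the file on the build host before `docker build`, or inside the image with `docker run --rm --entrypoint sh IMAGE -c '...'`; a `.gitattributes` line `*.sh text eol=lf` stops the CRLF variant from coming back on the next Windows checkout.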

Access to the path /usr/share\OPC Foundation\pki\own is denied - this happens when deploying the OPC UA server

I have a Dockerfile for a .NET application with a multi-stage image, where the first stage creates the artifacts and the second stage copies the artifacts from the first and is used for deployment.
I am creating a docker user and group to avoid giving root permissions to the user.
When I deploy the application in the Kubernetes cluster, it doesn't run with the user created.
I am facing an issue accessing the default OPC UA server certificate path. Can anyone tell me how to achieve this without giving root permissions to the user?
I also tried to change the location of the certificate in the configmap so that I can store it in the image.
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-focal AS build
# passing the root and nuget TLS certificates for the package to download
COPY ./CIdependencies/rootca.cer /etc/ssl/certs/rootca.cer
COPY ./CIdependencies/nuget.cer /etc/ssl/certs/nuget.cer
WORKDIR /etc/ssl/certs
RUN openssl x509 -inform DER -in nuget.cer -out nuget.crt \
&& openssl x509 -inform PEM -in rootca.cer -out rootca.crt \
&& update-ca-certificates \
&& echo $PWD
WORKDIR /src
EXPOSE 62501
COPY ["OPCUAServer.csproj", ""]
RUN dotnet restore "./OPCUAServer.csproj"
COPY . .
WORKDIR "/src/."
RUN dotnet build "OPCUAServer.csproj" -c Release -o /app/build \
&& dotnet publish "OPCUAServer.csproj" -c Release -o /app/publish
FROM ubuntu:20.04
ARG GIT_COMMIT
ARG DS_VERSION=0.0.0.0
# passing the root certificates for the package to download
COPY ./CIdependencies/zscaler-rootca.cer /etc/ssl/certs/rootca.cer
LABEL Name=OPCUAServer Version=$DS_VERSION git_commit=$GIT_COMMIT
# runtime-deps and runtime. Nothing is listed after --no-install-recommends, so this step
# installs no packages; curl, used below, is not in ubuntu:20.04 and the list has to be completed.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*
ENV \
    # Configure web servers to bind to port 8079 when present
    ASPNETCORE_URLS=http://+:8079 \
    # Enable detection of running in a container
    DOTNET_RUNNING_IN_CONTAINER=true
# Install the .NET Core and ASP.NET Core 3.1 runtimes (focal)
RUN dotnet_version=3.1.18 \
    # passing the root certificates for the package to download
    && curl -fsSL --cacert /etc/ssl/certs/rootca.cer --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Runtime/$dotnet_version/dotnet-runtime-$dotnet_version-linux-x64.tar.gz \
    # a SHA-512 is 128 hex digits; the value below is shorter, so sha512sum -c rejects it as malformed
    && dotnet_sha512='6f06dbc4625fa8a0e64ffb9269b5f657e369fd28e7f27bfd05d4f422c6aa95847b5089d70760024bdf1100990dbbffce220a' \
    && echo "$dotnet_sha512 dotnet.tar.gz" | sha512sum -c - \
    && mkdir -p /usr/share/dotnet \
    && tar -ozxf dotnet.tar.gz -C /usr/share/dotnet \
    && rm dotnet.tar.gz \
    && ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \
    && aspnetcore_version=3.1.18 \
    # the corporate root CA was copied to /etc/ssl/certs/rootca.cer above, so reference that path
    && curl -fsSL --cacert /etc/ssl/certs/rootca.cer --output aspnetcore.tar.gz https://dotnetcli.azureedge.net/dotnet/aspnetcore/Runtime/$aspnetcore_version/aspnetcore-runtime-$aspnetcore_version-linux-x64.tar.gz \
    && aspnetcore_sha512='be29a7611941d9b20d5d3ece64d3ce3c2342ba24bf0382eed3625713ce89957fa15671403af16ccb588397fc0b27e7f028952213e08db6' \
    && echo "$aspnetcore_sha512 aspnetcore.tar.gz" | sha512sum -c - \
    && tar -ozxf aspnetcore.tar.gz -C /usr/share/dotnet ./shared/Microsoft.AspNetCore.App \
    && rm aspnetcore.tar.gz
# Create a user, group and providing permission to access the built files
WORKDIR /app
RUN groupadd -r opc && useradd --no-log-init -r -g opc opc
USER opc
COPY --from=build --chown=opc:opc /app/publish .
ENTRYPOINT ["dotnet", "OPCUAServer.dll"]
From the error message, it is a permission issue. Please just grant full permission to your folder and test it again.
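Added example (shell; not from the question or the answer). "Full permission" on the folder works, but a world-writable certificate store lets any process in the container replace the server's own key pair. Two build-time helpers for the least-privilege version: the first creates the store the OPC UA stack writes to and hands it to the service uid with mode 0750; the second reads the effective USER of a Dockerfile so you can confirm it is numeric, because Kubernetes' `runAsNonRoot` can only verify a numeric uid, and a `securityContext.runAsUser` that differs from the image's uid makes every chown in the image moot (the likely reason the pod "doesn't run with the user created"). Assumptions: the path in the error comes from .NET mapping `SpecialFolder.CommonApplicationData` to /usr/share on Linux, and the uid 1001 in the sample Dockerfile is arbitrary.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Build-time helpers for a
# non-root .NET service that must write its OPC UA certificate store.

# prepare_app_dir DIR UID GID -> creates DIR (spaces allowed), owner UID:GID, mode 0750.
# Run this in the Dockerfile before the USER instruction, while still root.
prepare_app_dir() {
    dir=$1 uid=$2 gid=$3
    mkdir -p "$dir" || return 1
    chown "$uid:$gid" "$dir" || return 1
    chmod 0750 "$dir" || return 1
}

# dockerfile_last_user FILE -> argument of the last USER instruction, "root" if none
dockerfile_last_user() {
    awk 'toupper($1) == "USER" { u = $2 } END { print (u == "" ? "root" : u) }' "$1"
}

# dockerfile_user_is_numeric FILE -> 0 when the effective user is a uid or uid:gid.
# A name such as "opc" cannot be checked by Kubernetes' runAsNonRoot admission.
dockerfile_user_is_numeric() {
    case $(dockerfile_last_user "$1") in
        *[!0-9:]*|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample: the questioner's runtime stage with the fix placed before USER.
# The uid 1001 is an assumption; it must equal runAsUser in the pod spec.
SAMPLE_DF=$(mktemp)
cat > "$SAMPLE_DF" <<'EOF'
FROM ubuntu:20.04
WORKDIR /app
RUN groupadd -g 1001 opc && useradd --no-log-init -M -u 1001 -g opc opc \
    && mkdir -p "/usr/share/OPC Foundation/pki" \
    && chown -R 1001:1001 "/usr/share/OPC Foundation" \
    && chmod -R 0750 "/usr/share/OPC Foundation"
COPY --from=build --chown=1001:1001 /app/publish .
USER 1001:1001
ENTRYPOINT ["dotnet", "OPCUAServer.dll"]
EOF
echo "effective user of sample Dockerfile: $(dockerfile_last_user "$SAMPLE_DF")"
dockerfile_user_is_numeric "$SAMPLE_DF" && echo "numeric uid: runAsNonRoot can verify it"

# Demo of the directory helper on a temporary location owned by the current user
DEMO=$(mktemp -d)
prepare_app_dir "$DEMO/OPC Foundation/pki" "$(id -u)" "$(id -g)" && ls -ld "$DEMO/OPC Foundation/pki"
```

If the pod spec must run as some other uid, the alternative is to mount an `emptyDir` (or a secret holding the real certificate) at the store path and let `fsGroup` make it writable, rather than widening permissions inside the image.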

Issue in Copying DLL from Common gitrepo to the application repo to make application run

I have a .NET application where my repo structure is as below:
FolderA
    SubfolderA
        - Contains DLL file
FolderB
    SubfolderA
        - Contains application code and Dockerfile
    SubfolderB
        - Contains application code and Dockerfile
    SubfolderC
        - Contains application code and Dockerfile
When I build the Dockerfile in SubfolderA, I want the Dockerfile to call or copy the DLL from FolderA and run the application.
I have tried adding the following to the Dockerfile below:
RUN ls -l /src
RUN cp '../../FolderA/subfolderA/OPCUAServer.dll' 'FolderB/subfolderA/'
I added the above command in the first stage of the image, but it seems not to be working.
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-focal AS build
# passing the root and nuget TLS certificates for the package to download
COPY ./CIdependencies/rootca.cer /etc/ssl/certs/rootca.cer
COPY ./CIdependencies/nuget.cer /etc/ssl/certs/nuget.cer
WORKDIR /etc/ssl/certs
RUN openssl x509 -inform DER -in nuget.cer -out nuget.crt \
&& openssl x509 -inform PEM -in rootca.cer -out rootca.crt \
&& update-ca-certificates \
&& echo $PWD
WORKDIR /src
EXPOSE 62501
COPY ["OPCUAServer.csproj", ""]
RUN dotnet restore "./OPCUAServer.csproj"
COPY . .
WORKDIR "/src/."
RUN dotnet build "OPCUAServer.csproj" -c Release -o /app/build \
&& dotnet publish "OPCUAServer.csproj" -c Release -o /app/publish
FROM ubuntu:20.04
ARG GIT_COMMIT
ARG DS_VERSION=0.0.0.0
# passing the root certificates for the package to download
COPY ./CIdependencies/zscaler-rootca.cer /etc/ssl/certs/rootca.cer
LABEL Name=OPCUAServer Version=$DS_VERSION git_commit=$GIT_COMMIT
# runtime-deps and runtime. Nothing is listed after --no-install-recommends, so this step
# installs no packages; curl, used below, is not in ubuntu:20.04 and the list has to be completed.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*
ENV \
    # Configure web servers to bind to port 8079 when present
    ASPNETCORE_URLS=http://+:8079 \
    # Enable detection of running in a container
    DOTNET_RUNNING_IN_CONTAINER=true
# Install the .NET Core and ASP.NET Core 3.1 runtimes (focal)
RUN dotnet_version=3.1.18 \
    # passing the root certificates for the package to download
    && curl -fsSL --cacert /etc/ssl/certs/rootca.cer --output dotnet.tar.gz https://dotnetcli.azureedge.net/dotnet/Runtime/$dotnet_version/dotnet-runtime-$dotnet_version-linux-x64.tar.gz \
    # a SHA-512 is 128 hex digits; the value below is shorter, so sha512sum -c rejects it as malformed
    && dotnet_sha512='6f06dbc4625fa8a0e64ffb9269b5f657e369fd28e7f27bfd05d4f422c6aa95847b5089d70760024bdf1100990dbbffce220a' \
    && echo "$dotnet_sha512 dotnet.tar.gz" | sha512sum -c - \
    && mkdir -p /usr/share/dotnet \
    && tar -ozxf dotnet.tar.gz -C /usr/share/dotnet \
    && rm dotnet.tar.gz \
    && ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet \
    && aspnetcore_version=3.1.18 \
    # the corporate root CA was copied to /etc/ssl/certs/rootca.cer above, so reference that path
    && curl -fsSL --cacert /etc/ssl/certs/rootca.cer --output aspnetcore.tar.gz https://dotnetcli.azureedge.net/dotnet/aspnetcore/Runtime/$aspnetcore_version/aspnetcore-runtime-$aspnetcore_version-linux-x64.tar.gz \
    && aspnetcore_sha512='be29a7611941d9b20d5d3ece64d3ce3c2342ba24bf0382eed3625713ce89957fa15671403af16ccb588397fc0b27e7f028952213e08db6' \
    && echo "$aspnetcore_sha512 aspnetcore.tar.gz" | sha512sum -c - \
    && tar -ozxf aspnetcore.tar.gz -C /usr/share/dotnet ./shared/Microsoft.AspNetCore.App \
    && rm aspnetcore.tar.gz
# Create a user, group and providing permission to access the built files
WORKDIR /app
RUN groupadd -r opc && useradd --no-log-init -r -g opc opc
USER opc
COPY --from=build --chown=opc:opc /app/publish .
ENTRYPOINT ["dotnet", "OPCUAServer.dll"]
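Added example (shell; not from the question, which has no answer on this page). `RUN cp ../../FolderA/...` cannot work: a RUN step executes inside the image, where the host checkout does not exist, and `COPY` refuses any source that leaves the build context. The fix is to build from the repository root with `docker build -f FolderB/SubfolderA/Dockerfile .`, which makes every `COPY` source relative to the root (so `COPY . .` becomes `COPY FolderB/SubfolderA/ .` and the DLL is copied with an assumed `COPY FolderA/SubfolderA/OPCUAServer.dll /app/publish/`). A root-level `.dockerignore` keeps the other services, the `.git` history and anything else out of the context that is sent to the daemon. The wrapper below checks containment, writes that `.dockerignore` and prints or runs the build; the repository tree it uses is constructed.

```shell
#!/bin/sh
# Added example, not from the question. Builds a service from the repository root so
# that a DLL in a sibling folder is inside the build context, with a .dockerignore that
# limits the context to the paths the Dockerfile needs.

# in_context CONTEXT PATH -> 0 when PATH resolves (symlinks and ".." included) to a
# location inside CONTEXT. This is the check docker applies to every COPY source.
in_context() {
    ctx=$(cd "$1" && pwd -P) || return 1
    target=$(cd "$(dirname "$2")" && pwd -P)/$(basename "$2") || return 1
    case $target in
        "$ctx"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_dockerignore ROOT PATH... -> excludes everything, then re-includes PATH...
write_dockerignore() {
    root=$1; shift
    {
        echo '*'
        for p in "$@"; do echo "!$p"; done
    } > "$root/.dockerignore"
}

# build_service ROOT SERVICE DLL TAG -> context is ROOT, Dockerfile is ROOT/SERVICE/Dockerfile.
# CIdependencies is re-included because the Dockerfile copies certificates from it
# (assumed to live at the repository root). Set RUN_DOCKER=1 to really invoke docker.
build_service() {
    root=$1 service=$2 dll=$3 tag=$4
    in_context "$root" "$root/$dll" || { echo "$dll is outside the context $root" >&2; return 1; }
    write_dockerignore "$root" "$service" "$dll" CIdependencies
    if [ "${RUN_DOCKER:-0}" = 1 ]; then
        (cd "$root" && docker build -f "$service/Dockerfile" -t "$tag" .)
    else
        echo "cd $root && docker build -f $service/Dockerfile -t $tag ."
    fi
}

# Constructed repository layout matching the question
DEMO=$(mktemp -d)
mkdir -p "$DEMO/FolderA/SubfolderA" "$DEMO/FolderB/SubfolderA" "$DEMO/CIdependencies"
: > "$DEMO/FolderA/SubfolderA/OPCUAServer.dll"
# the questioner's situation: context is the Dockerfile's own folder, the DLL is outside it
in_context "$DEMO/FolderB/SubfolderA" "$DEMO/FolderB/SubfolderA/../../FolderA/SubfolderA/OPCUAServer.dll" \
    || echo "FolderB/SubfolderA as context: DLL is outside, COPY would be refused"
build_service "$DEMO" FolderB/SubfolderA FolderA/SubfolderA/OPCUAServer.dll opcuaserver:dev
cat "$DEMO/.dockerignore"
```

Moving the context to the root also means the `COPY ["OPCUAServer.csproj", ""]` and `COPY . .` lines of the build stage must be prefixed with the service path, otherwise the restore step copies the whole monorepo into the image.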

Add shiny server with ADD=Shiny with rocker verse image

Documentation for rocker/rstudio docker container.
I am able to get up and running in rstudio using Docker with the following setup in a directory:
Dockerfile:
FROM rocker/tidyverse:latest
docker-compose:
version: "3.5"
services:
  ide-rstudio:
    build:
      context: .
    ports:
      - 8787:8787
    environment:
      ROOT: "TRUE"
      PASSWORD: test
Now, if I enter this dir in the terminal and type: docker-compose build followed by docker-compose up -d and then navigate to localhost:8787 I see the rstudio login screen. So far so good.
I would like to add shiny to the same container per the documentation (as opposed to using a separate shiny image).
On the documentation I link to at the top it says:
Add shiny server on start up with -e ADD=shiny
docker run -d -p 3838:3838 -p 8787:8787 -e ADD=shiny -e PASSWORD=yourpasswordhere rocker/rstudio
shiny server is now running on localhost:3838 and RStudio on localhost:8787.
Since I'm using docker-compose I updated my docker-compose file to this:
version: "3.5"
services:
  ide-rstudio:
    build:
      context: .
    ports:
      - 8787:8787
      - 3838:3838
    environment:
      ROOT: "TRUE"
      ADD: "shiny"
      PASSWORD: test
Now, when I go to the terminal like before and type: docker-compose build followed by docker-compose up -d I again see the rstudio login page at localhost:8787. However, if I go to localhost:3838, I see Firefox' 'connection was reset' page. It looks like nothing is there.
How can I add shiny to my container per the instructions?
It seems the image is missing shiny installer. If you run the same compose file without -d and using rocker/rstudio:3.2.0 image you will see in logs that shiny is installing. It failed to install for me (there was a problem with missing file /usr/local/lib/R/site-library/littler/examples/install2.r) but I found the script which installs the thing. For some reason the script does not exist in rocker/tidyverse:latest (I have no idea why, you'd better ask the maintainer) and ADD=shiny has no effect.
I managed to get things working by injecting that script into rocker/tidyverse:latest and here is how you can do it. Save the following as a file named add:
#!/usr/bin/with-contenv bash
## A script to add shiny to an rstudio-based rocker image.
## It runs as root from /etc/cont-init.d on every container start, before the services come up.
ADD=${ADD:=none}
if [ "$ADD" = "shiny" ]; then
    echo "Adding shiny server to container..."
    ## VERSION is whatever the bucket currently advertises and the .deb is not checksum-verified;
    ## the run file registers shiny-server as an s6 service supervised next to rstudio
    apt-get update && apt-get -y install \
        gdebi-core \
        libxt-dev && \
    wget --no-verbose https://s3.amazonaws.com/rstudio-shiny-server-os-build/ubuntu-12.04/x86_64/VERSION -O "version.txt" && \
    VERSION=$(cat version.txt) && \
    wget --no-verbose "https://s3.amazonaws.com/rstudio-shiny-server-os-build/ubuntu-12.04/x86_64/shiny-server-$VERSION-amd64.deb" -O ss-latest.deb && \
    gdebi -n ss-latest.deb && \
    rm -f version.txt ss-latest.deb && \
    install2.r -e --skipinstalled shiny rmarkdown && \
    cp -R /usr/local/lib/R/site-library/shiny/examples/* /srv/shiny-server/ && \
    rm -rf /var/lib/apt/lists/* && \
    mkdir -p /var/log/shiny-server && \
    chown shiny:shiny /var/log/shiny-server && \
    mkdir -p /etc/services.d/shiny-server && \
    cd /etc/services.d/shiny-server && \
    echo '#!/bin/bash' > run && echo 'exec shiny-server > /var/log/shiny-server.log' >> run && \
    chmod +x run && \
    adduser rstudio shiny && \
    cd /
fi
if [ "$ADD" = "none" ]; then
    echo "Nothing additional to add"
fi
Then either add the following to your Dockerfile:
COPY add /etc/cont-init.d/add
RUN chmod +x /etc/cont-init.d/add
or apply the execute permission locally and mount it at runtime. To do this, run the following locally:
chmod +x add
and add this to docker-compose.yml:
services:
  ide-rstudio:
    volumes: # this line and below
      - ./add:/etc/cont-init.d/add
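Added example (shell; not from the answer above). The `add` script installs whatever shiny-server build the S3 bucket advertises in VERSION at the moment the container starts, and `gdebi` installs it as root without any integrity check; with the volume-mount variant, anyone who can edit `./add` on the host also gets root in the container on the next start. The helpers below pin the version and verify a SHA-256 before anything is installed. `SHINY_VERSION` and `SHINY_SHA256` are assumed environment variables you fill in from a trusted source; the digest used in the demo is that of a constructed local file, not of any shiny-server package.

```shell
#!/bin/sh
# Added example, not from the answer. Pinned, checksum-verified replacement for the
# "download VERSION, download latest .deb, gdebi" lines of the add script.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 when the digest matches (hex case-insensitive)
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED OUT -> downloads with wget; OUT is deleted on any failure
# so a half-written or tampered file can never be picked up by a later step
fetch_verified() {
    url=$1 expected=$2 out=$3
    wget --no-verbose -O "$out" "$url" || { rm -f "$out"; return 1; }
    if verify_sha256 "$out" "$expected"; then
        return 0
    fi
    echo "checksum mismatch for $url, refusing to install" >&2
    rm -f "$out"
    return 1
}

# install_shiny_pinned -> uses SHINY_VERSION / SHINY_SHA256 (assumed to be set in the
# image) instead of the unpinned VERSION file; gdebi runs only after verification
install_shiny_pinned() {
    : "${SHINY_VERSION:?set SHINY_VERSION}" "${SHINY_SHA256:?set SHINY_SHA256}"
    deb="shiny-server-$SHINY_VERSION-amd64.deb"
    fetch_verified "https://s3.amazonaws.com/rstudio-shiny-server-os-build/ubuntu-12.04/x86_64/$deb" \
        "$SHINY_SHA256" "/tmp/$deb" && gdebi -n "/tmp/$deb" && rm -f "/tmp/$deb"
}

# Demo without network on a constructed file: "hello\n" has a well-known SHA-256
DEMO_FILE=$(mktemp)
printf 'hello\n' > "$DEMO_FILE"
DEMO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_sha256 "$DEMO_FILE" "$DEMO_SHA256" && echo "digest ok"
```

In the `add` script, replace the three `wget`/`VERSION`/`gdebi` lines with a call to `install_shiny_pinned`, and set the two variables with `ENV` in the Dockerfile so a rebuild is required to change what gets installed.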

Symfony 3 and Docker (nginx, php7.1-fpm mysql8) Performances low on Windows

I'm using Docker to work on a Symfony 3 project. Here is the stack:
- Custom PHP 7.1 FPM, here's the Dockerfile:
FROM php:7.1.0-fpm
MAINTAINER xxxxx xxxxxx <xxxx.xxxxxx@gmail.com>
ENV PHP_APCU_VERSION 5.1.8
ENV PHP_XDEBUG_VERSION 2.5.0
# Extension tarballs are fetched over HTTPS but not checksum-verified.
# xdebug adds overhead to every request; keep it out of images used for timing or production.
RUN apt-get update \
    && apt-get install -y \
        libicu-dev \
        zlib1g-dev \
    && docker-php-source extract \
    && curl -L -o /tmp/apcu-$PHP_APCU_VERSION.tgz https://pecl.php.net/get/apcu-$PHP_APCU_VERSION.tgz \
    && curl -L -o /tmp/xdebug-$PHP_XDEBUG_VERSION.tgz https://xdebug.org/files/xdebug-$PHP_XDEBUG_VERSION.tgz \
    && tar xfz /tmp/apcu-$PHP_APCU_VERSION.tgz \
    && tar xfz /tmp/xdebug-$PHP_XDEBUG_VERSION.tgz \
    && rm -r \
        /tmp/apcu-$PHP_APCU_VERSION.tgz \
        /tmp/xdebug-$PHP_XDEBUG_VERSION.tgz \
    && mv apcu-$PHP_APCU_VERSION /usr/src/php/ext/apcu \
    && mv xdebug-$PHP_XDEBUG_VERSION /usr/src/php/ext/xdebug \
    && docker-php-ext-install \
        apcu \
        intl \
        mbstring \
        mysqli \
        xdebug \
        zip \
    && pecl install apcu_bc-1.0.3 \
    && docker-php-source delete \
    && php -r "readfile('https://getcomposer.org/installer');" | php -- --install-dir=/usr/local/bin --filename=composer \
    && chmod +x /usr/local/bin/composer
- latest nginx image
- mysql:8.0.0
I use docker-compose to build those 3 containers, here's the docker-compose.yml :
front:
  image: nginx
  ports:
    - "81:80"
  links:
    - "engine:engine"
  volumes:
    - ".:/home/docker:ro"
    - "./docker/front/default.conf:/etc/nginx/conf.d/default.conf:ro"
engine:
  build: ./docker/engine/
  volumes:
    - ".:/home/docker:rw"
    - "./docker/engine/php.ini:/usr/local/etc/php/conf.d/custom.ini:ro"
  links:
    - "db:db"
  working_dir: "/home/docker"
db:
  image: mysql:8.0.0
  ports:
    - "3306:3306"
  environment:
    - MYSQL_ROOT_PASSWORD=pwd
    - MYSQL_USER=myUSer
    - MYSQL_PASSWORD=pwd
    - MYSQL_DATABASE=bddProject
The first time, without cache, the time is 1700 ms:
And the time with cache is:
Half of the time is initialisation time:
So what kind of problem could slow down the page rendering of my project?
Latest Docker version with 2 GB, on Windows with Hyper-V.
Thank you for your help.
So I made another image without xdebug and the result is the same
(700 ms with cache):
My Dockerfile:
FROM php:7.1.0-fpm
MAINTAINER XXXXX XXXXXX <XXXXXX.XXXXXX@gmail.com>
ENV PHP_APCU_VERSION 5.1.8
RUN apt-get update \
    && apt-get install -y \
        libicu-dev \
        zlib1g-dev \
    && docker-php-source extract \
    && curl -L -o /tmp/apcu-$PHP_APCU_VERSION.tgz https://pecl.php.net/get/apcu-$PHP_APCU_VERSION.tgz \
    && tar xfz /tmp/apcu-$PHP_APCU_VERSION.tgz \
    && rm -r \
        /tmp/apcu-$PHP_APCU_VERSION.tgz \
    && mv apcu-$PHP_APCU_VERSION /usr/src/php/ext/apcu \
    && docker-php-ext-install \
        apcu \
        intl \
        mbstring \
        mysqli \
        zip \
    && pecl install apcu_bc-1.0.3 \
    && docker-php-source delete \
    && php -r "readfile('https://getcomposer.org/installer');" | php -- --install-dir=/usr/local/bin --filename=composer \
    && chmod +x /usr/local/bin/composer
So it's Windows' handling of Docker volumes that causes this. @Geoffrey Brier, do you know if Microsoft has planned to improve this performance problem?
Is there a tool or something else to improve it?
Thank you for your help.
As far as I can see there are two things responsible for this performance:
Xdebug
Windows: this is not a troll, but it's a well-known problem that the way your container volumes are handled by Docker on Windows is not as efficient as on Linux.
You have three solutions: struggle to find a method that slightly improves performance, use Linux (in a VM for instance), or deal with it :)
