Container must be ran as root #1061
Comments
The "COMPOSER_ALLOW_SUPERUSER" part is caused by the latest version of composer. But what error did you have that forced you to run the container as root?
If I didn't execute the container as root I wouldn't need to have the COMPOSER_ALLOW_SUPERUSER flag set.

During the entry point script you start editing the php configs in etcd

```
echo "session.cookie_secure=${HTTPS_ENABLED}" >> /etc/php/8.3/fpm/conf.d/php.ini
```

https://github.com/benjaminjonard/koillection/blob/1.5/docker/entrypoint.sh#L37

Section requires the container's execution to occur as root.

I did not have the errors for COMPOSER_ALLOW_SUPERUSER when I executed the container as user 1000, but I could not start the application. When I ran the container as root, user 0, the composer error was raised. Adding the flag, it continued on and was able to edit the configuration.

Example k8s manifest

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: koillection
  name: koillection
  namespace: collection
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koillection
  serviceName: koillection
  template:
    metadata:
      labels:
        app: koillection
    spec:
      securityContext:
        runAsUser: 0
        fsGroup: 1000
      initContainers:
        - name: fix-perms
          image: busybox
          command: [ "sh", "-c", "chown -R 1000:1000 /uploads" ]
          volumeMounts:
            - mountPath: /uploads
              name: koillection-data
      containers:
        - name: koillection
          image: koillection/koillection:1.5.3
          imagePullPolicy: IfNotPresent
          env:
            - name: APP_DEBUG
              value: "0"
            - name: APP_ENV
              value: "prod"
            - name: UPLOAD_MAX_FILESIZE
              value: "20M"
            - name: PHP_MEMORY_LIMIT
              value: "512M"
            - name: PHP_TZ
              value: "America/Detroit"
            - name: DB_PORT
              value: "5432"
            - name: DB_DRIVER
              value: "pdo_pgsql"
            - name: DB_VERSION
              value: "15"
            - name: DB_HOST
              value: "postgres"
            - name: DB_NAME
              value: "koillection"
            - name: DB_USER
              value: "koillection"
            - name: DB_PASSWORD
              value: "koillection"
            - name: COMPOSER_ALLOW_SUPERUSER
              value: "1"
          volumeMounts:
            - mountPath: /uploads
              name: koillection-data
      restartPolicy: Always
      volumes:
        - name: koillection-data
          persistentVolumeClaim:
            claimName: koillection-data
```
Updating to the latest version of the container I had to force my cluster to execute the container as the root user and add
Executing containers as the root user should be avoided as it opens unnecessary security risks as these are usually environments running multiple applications on the same server.
Consider updating the entrypoint to leverage a process like gosu https://github.com/tianon/gosu
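
The privilege-drop pattern suggested in this issue, sketched as an added example (it is not koillection's entrypoint or code posted in this thread): do the root-only setup first, then exec the workload through gosu so nothing long-running keeps uid 0. `APP_UID`, `APP_GID`, `PHP_CONF` and the command passed as arguments are assumptions; the config path and `HTTPS_ENABLED` are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: entrypoint that performs root-only setup, then drops privileges.
# APP_UID, APP_GID and PHP_CONF are assumed names, not taken from the project.
set -eu

APP_UID="${APP_UID:-1000}"
APP_GID="${APP_GID:-1000}"
PHP_CONF="${PHP_CONF:-/etc/php/8.3/fpm/conf.d/php.ini}"

# Append one "key=value" line to the PHP config.
# Returns 1 with a clear message when the current uid cannot write the file,
# which is the failure a non-root start hits on a root-owned /etc/php.
write_php_setting() {
    if ! { printf '%s=%s\n' "$1" "$2" >> "$PHP_CONF"; } 2>/dev/null; then
        echo "cannot write $PHP_CONF as uid $(id -u)" >&2
        return 1
    fi
}

# Print the command prefix used to start the workload:
# "gosu UID:GID" when the given uid is root, nothing when already unprivileged.
drop_prefix() {
    if [ "$1" -eq 0 ]; then
        printf 'gosu %s:%s' "$APP_UID" "$APP_GID"
    fi
}

main() {
    uid="$(id -u)"
    write_php_setting session.cookie_secure "${HTTPS_ENABLED:-0}"
    if [ "$uid" -eq 0 ]; then
        # Root-only step: hand the data volume to the unprivileged user.
        chown -R "$APP_UID:$APP_GID" /uploads
    fi
    # Unquoted on purpose: the prefix must split into "gosu" and "UID:GID".
    # exec replaces the shell, so no root process stays behind as a parent.
    exec $(drop_prefix "$uid") "$@"
}

# Run only when invoked as the entrypoint, so the functions can be sourced.
case "${0##*/}" in
    entrypoint*) main "$@" ;;
esac
```

Started as a non-root user, this script still needs `PHP_CONF` to be writable by that user (for example, ownership set at image build time); otherwise it stops with the error from `write_php_setting` instead of starting a half-configured application.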