From 593fbb858b3a016d096780f595478ea02da487ec Mon Sep 17 00:00:00 2001 From: Magnus Walbeck Date: Fri, 22 Jan 2021 18:32:39 +0100 Subject: [PATCH] Switch images to using docker internal USER to run as non-root user and enable containers to be run with read-only enabled --- .drone.yml | 38 +++++++++++++++++++------------------- 1.6/Dockerfile | 10 +++++++--- 1.7/Dockerfile | 10 +++++++--- README.md | 28 +++++++++++++++------------- entrypoint.sh | 10 +--------- 5 files changed, 49 insertions(+), 47 deletions(-) diff --git a/.drone.yml b/.drone.yml index afb2922..d6d20a4 100644 --- a/.drone.yml +++ b/.drone.yml @@ -1,3 +1,20 @@ +--- +kind: pipeline +type: docker +name: test_1.6 + +steps: + - name: build test + image: plugins/docker + settings: + dockerfile: 1.6/Dockerfile + repo: mwalbeck/getgrav + dry_run: true + +trigger: + event: + - pull_request + --- kind: pipeline type: docker @@ -48,13 +65,13 @@ trigger: --- kind: pipeline type: docker -name: test_1.6 +name: test_1.7 steps: - name: build test image: plugins/docker settings: - dockerfile: 1.6/Dockerfile + dockerfile: 1.7/Dockerfile repo: mwalbeck/getgrav dry_run: true @@ -108,20 +125,3 @@ trigger: - master event: - push - ---- -kind: pipeline -type: docker -name: test_1.7 - -steps: - - name: build test - image: plugins/docker - settings: - dockerfile: 1.7/Dockerfile - repo: mwalbeck/getgrav - dry_run: true - -trigger: - event: - - pull_request diff --git a/1.6/Dockerfile b/1.6/Dockerfile index 063b69c..2c00efd 100644 --- a/1.6/Dockerfile +++ b/1.6/Dockerfile @@ -11,15 +11,14 @@ ENV PHP_YAML_VERSION 2.2.1 RUN set -ex; \ \ - groupadd --system foo; \ - useradd --no-log-init --system --gid foo --create-home foo; \ + groupadd --force --system --gid 33 www-data; \ + useradd --no-log-init --system --gid www-data --no-create-home --uid 33 www-data || true; \ \ apt-get update; \ apt-get install -y --no-install-recommends \ git \ unzip \ rsync \ - gosu \ ; \ rm -rf /var/lib/apt/lists/*; 
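Review bot: The `|| true` appended to the new `useradd` line in the 1.6/Dockerfile hunk masks every failure, not just the expected "www-data already exists" case, so a uid-33 collision with a differently named account, or a typo in the options, passes the build silently and the later `USER www-data:www-data` resolves to whatever the base image happens to provide. Since the intent is "create only if missing", make that explicit and let real errors fail under `set -ex`: `getent group www-data >/dev/null || groupadd --system --gid 33 www-data; \` followed by `id -u www-data >/dev/null 2>&1 || useradd --no-log-init --system --gid www-data --no-create-home --uid 33 www-data; \`. Note also that `groupadd --force` combined with `--gid` silently picks a different gid when 33 is already taken, so the fixed uid/gid the README promises is only guaranteed with an explicit check. The `RUN set -ex` block continues past the end of the hunk.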
@@ -87,5 +86,10 @@ COPY entrypoint.sh /entrypoint.sh RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" COPY grav.ini $PHP_INI_DIR/conf.d/ +VOLUME [ "/var/www", "/tmp" ] +EXPOSE 9000 + +USER www-data:www-data + ENTRYPOINT ["/entrypoint.sh"] CMD ["php-fpm"] diff --git a/1.7/Dockerfile b/1.7/Dockerfile index 6a66f96..72900bb 100644 --- a/1.7/Dockerfile +++ b/1.7/Dockerfile @@ -11,15 +11,14 @@ ENV PHP_YAML_VERSION 2.2.1 RUN set -ex; \ \ - groupadd --system foo; \ - useradd --no-log-init --system --gid foo --create-home foo; \ + groupadd --force --system --gid 33 www-data; \ + useradd --no-log-init --system --gid www-data --no-create-home --uid 33 www-data || true; \ \ apt-get update; \ apt-get install -y --no-install-recommends \ git \ unzip \ rsync \ - gosu \ ; \ rm -rf /var/lib/apt/lists/*; @@ -87,5 +86,10 @@ COPY entrypoint.sh /entrypoint.sh RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" COPY grav.ini $PHP_INI_DIR/conf.d/ +VOLUME [ "/var/www", "/tmp" ] +EXPOSE 9000 + +USER www-data:www-data + ENTRYPOINT ["/entrypoint.sh"] CMD ["php-fpm"] diff --git a/README.md b/README.md index de2dd81..448511a 100644 --- a/README.md +++ b/README.md 
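Review bot: The new `USER www-data:www-data` drops privileges before anything visible makes `/var/www` writable by uid 33, yet the entrypoint's `mkdir -p /var/www/$GRAV_FOLDER` and `bin/grav install` now run as that user; the lines that create `/var/www` are outside this hunk, so I could not confirm ownership, and a root-owned directory would now fail at first write instead of being repaired by the old `chown -R`. If it is not already present, add `RUN mkdir -p /var/www && chown www-data:www-data /var/www` before the `USER` line. Separately, the README's suggested `user: 1000:1000` runs as a uid that owns nothing in the image and has no passwd entry, so presumably it only works when the mounted site directory is itself owned by 1000; that constraint is worth stating next to the `VOLUME [ "/var/www", "/tmp" ]` declaration, e.g. `# /var/www must be writable by the runtime uid (33 by default); bind mounts are no longer chown'ed at start`.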
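Review bot: In the 1.7/Dockerfile user-creation hunk, `useradd ... || true` hides any failure of the command rather than only the "already exists" outcome, so a wrong or conflicting uid 33 goes unnoticed until `USER www-data:www-data` is resolved at runtime. Replace the blanket `|| true` with an existence test so genuine errors still abort the `set -ex` block: `id -u www-data >/dev/null 2>&1 || useradd --no-log-init --system --gid www-data --no-create-home --uid 33 www-data; \`, and guard `groupadd` the same way with `getent group www-data >/dev/null || groupadd --system --gid 33 www-data; \`. `groupadd --force --gid 33` does not guarantee gid 33 either: when the gid is taken it chooses another one and exits successfully. The enclosing `RUN` continues beyond the hunk.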
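Review bot: For the 1.7/Dockerfile tail, switching to `USER www-data:www-data` means `/var/www` must already be writable by uid 33 when the entrypoint runs `mkdir -p /var/www/$GRAV_FOLDER`, since the `chown -R` that used to fix ownership at start is gone and an unprivileged process cannot replace it; the instruction that creates `/var/www` is not in this hunk, so I could not verify it. Adding `RUN mkdir -p /var/www && chown www-data:www-data /var/www` ahead of `USER` makes the image self-sufficient. A brief comment on the `VOLUME [ "/var/www", "/tmp" ]` line noting that both paths are the only writable locations under `--read-only` and must be writable by the runtime uid would save operators who follow the `user: 1000:1000` example from a permission error inside `bin/grav install`.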
@@ -2,22 +2,23 @@ Docker container for [GRAV CMS](https://getgrav.org/). -This image is based on the PHP:7.3.*-fpm-buster image. +This image is based on the PHP fpm-buster image. -You can find the source [here](https://git.walbeck.it/walbeck-it/docker-getgrav) +You can find the source code [here](https://git.walbeck.it/walbeck-it/docker-getgrav) ## Tags * latest * 1.6 * 1.6.* -* 1.7-rc.* -* 1.7.\*-rc.\* +* 1.7 +* 1.7.* ## Usage -This is purely php-fpm bash image, which means you need another container to act as the webserver, I recommend nginx. For a nginx config to use with GRAV, you can have a look at the [GRAV documentation](https://learn.getgrav.org/16/webservers-hosting/servers/nginx) -GRAV is by default installed into /var/www/html where you will find all the folders from a normal GRAV install. A user has been created in container with a default id of 33 (same as www-data). +This is purely php-fpm based image, which means you need another container to act as the webserver, I recommend nginx. For a nginx config to use with GRAV, you can have a look at the [GRAV documentation](https://learn.getgrav.org/17/webservers-hosting/servers/nginx) + +GRAV is by default installed into /var/www/html where you will find all the folders from a normal GRAV install. By default the container is run as user www-data with id 33. To provide your site data to the container simply do use a volume mount to the desired folder. You can see the docker-compose example at the bottom for an example with volume mount and nginx webserver. 
@@ -33,13 +34,15 @@ All other folders will be overwritten, which also means that it's very easy to u After the GRAV files have been installed a **bin/grav install** will be run to install the correct composer dependencies into vendor and all plugins specified in your dependencies file, if you have one. Lastly the cache will be cleared. -You can customise the user id and group id the container user runs as, and the folder name under /var/www, that GRAV will be installed into, with environment variables: +You can customize which user the container runs as by using the [user option](https://docs.docker.com/engine/reference/run/#user). + +You can also change the folder name under /var/www, that GRAV will be installed into, by setting the following environment variable: - UID=1000 - GID=1000 GRAV_FOLDER=awesome-site -With the above options the container user will run with a user id and group id of 1000. Grav will be installed into /var/www/awesome-site. +With the above option Grav will be installed into /var/www/awesome-site. + +If you wish you can run the container with the read-only option enabled. ### Commandline @@ -57,7 +60,7 @@ To update the container you simple download the new container and replace it wit ### Example docker-compose -This is a sample docker-compose file using this image along with the official nginx container. +This is a sample docker-compose file using this image along with the official nginx container. The UID and GID has been changed to 1000 with the user option and the grav folder is "awesome-grav-site". ``` version: '2' @@ -72,14 +75,13 @@ services: app: image: mwalbeck/getgrav:latest restart: on-failure:5 + user: 1000:1000 networks: - frontend volumes: - grav:/var/www/html - /path/to/user:/var/www/html/user environment: - - UID=1000 - - GID=1000 - GRAV_FOLDER=awesome-grav-site web: diff --git a/entrypoint.sh b/entrypoint.sh index 089cb0c..28543a6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,13 +1,8 @@
 #!/bin/sh
 set -eu
-UID=${UID:-33}
-GID=${GID:-33}
 GRAV_FOLDER=${GRAV_FOLDER:-html}
-usermod -o -u "$UID" foo
-groupmod -o -g "$GID" foo
-
 mkdir -p /var/www/$GRAV_FOLDER
 cd /var/www/$GRAV_FOLDER
@@ -24,7 +19,4 @@ mkdir -p assets backup cache images logs tmp
 bin/grav install
 bin/grav clearcache
-chown foo /proc/self/fd/1 /proc/self/fd/2
-chown -R foo:foo /var/www/$GRAV_FOLDER
-
-exec gosu foo "$@"
+exec "$@"
--
2.45.2
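Review bot: `GRAV_FOLDER` is still expanded unquoted in the retained `mkdir -p /var/www/$GRAV_FOLDER` and `cd /var/www/$GRAV_FOLDER` lines, so a value containing spaces or glob characters is word-split and globbed, and under `set -e` the script aborts with a misleading error; quote both expansions, `mkdir -p "/var/www/$GRAV_FOLDER"` and `cd "/var/www/$GRAV_FOLDER"`. The value comes from the operator's environment rather than from a request, so this is robustness rather than injection, but it is cheap to also refuse values that escape `/var/www`: `case "$GRAV_FOLDER" in .|..|*/*) echo "invalid GRAV_FOLDER: $GRAV_FOLDER" >&2; exit 1;; esac` before the `mkdir`. The remainder of the script between this hunk and the next is not visible here.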
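Review bot: Removing `chown -R foo:foo /var/www/$GRAV_FOLDER` means a root-owned bind mount at `/var/www/html` (the README's own example) is no longer made writable at start, and since the script now runs unprivileged it cannot be; the result is a permission error somewhere inside `bin/grav install` instead of a clear failure up front. Add a fail-fast check after the `cd`, e.g. `[ -w . ] || { echo "$(pwd) is not writable by uid $(id -u); fix the mount's ownership" >&2; exit 1; }`, so the cause is obvious in the container log. The lines between the two hunks are outside this view, so I cannot tell whether an equivalent check already exists there.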