Switch images to using docker internal USER to run as non-root user and enable containers to be run with read-only enabled #60
38
.drone.yml
@ -1,3 +1,20 @@
|
||||
---
|
||||
kind: pipeline
|
||||
type: docker
|
||||
name: test_1.6
|
||||
|
||||
steps:
|
||||
- name: build test
|
||||
image: plugins/docker
|
||||
settings:
|
||||
dockerfile: 1.6/Dockerfile
|
||||
repo: mwalbeck/getgrav
|
||||
dry_run: true
|
||||
|
||||
trigger:
|
||||
event:
|
||||
- pull_request
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
type: docker
|
||||
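Review bot: the new test_1.6 pipeline only dry-run builds `1.6/Dockerfile` (`dry_run: true`), so a pull request never exercises the behaviour this change introduces, namely that the image now starts as `USER www-data:www-data` and is meant to work with a read-only root filesystem; a follow-up step that runs the built image with `--read-only` and a fresh volume would catch a regression in the entrypoint's `mkdir -p /var/www/$GRAV_FOLDER` step before merge instead of at a user's first start.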
@ -48,13 +65,13 @@ trigger:
|
||||
---
|
||||
kind: pipeline
|
||||
type: docker
|
||||
name: test_1.6
|
||||
name: test_1.7
|
||||
|
||||
steps:
|
||||
- name: build test
|
||||
image: plugins/docker
|
||||
settings:
|
||||
dockerfile: 1.6/Dockerfile
|
||||
dockerfile: 1.7/Dockerfile
|
||||
repo: mwalbeck/getgrav
|
||||
dry_run: true
|
||||
|
||||
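Review bot: the renamed block (`name: test_1.6` to `test_1.7`, `1.6/Dockerfile` to `1.7/Dockerfile`) is now the second of two pull_request pipelines that differ only in those two values; keeping them adjacent with a one-line comment that both must change together, or sharing the `steps:` body through a YAML anchor, would reduce the chance of one being updated without the other.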
@ -108,20 +125,3 @@ trigger:
|
||||
- master
|
||||
event:
|
||||
- push
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
type: docker
|
||||
name: test_1.7
|
||||
|
||||
steps:
|
||||
- name: build test
|
||||
image: plugins/docker
|
||||
settings:
|
||||
dockerfile: 1.7/Dockerfile
|
||||
repo: mwalbeck/getgrav
|
||||
dry_run: true
|
||||
|
||||
trigger:
|
||||
event:
|
||||
- pull_request
|
||||
|
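Review bot: read on its own this deletion looks like it drops pull_request testing for 1.7, which is not the case once the earlier hunks in this file are taken into account; a commit message line saying the 1.6 and 1.7 pull_request pipelines were reordered rather than removed would spare the next reader the cross-check. The trailing context (`- master`, `event:`, `- push`) shows the push pipeline's trigger is untouched.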
@ -11,15 +11,14 @@ ENV PHP_YAML_VERSION 2.2.1
|
||||
|
||||
RUN set -ex; \
|
||||
\
|
||||
groupadd --system foo; \
|
||||
useradd --no-log-init --system --gid foo --create-home foo; \
|
||||
groupadd --force --system --gid 33 www-data; \
|
||||
useradd --no-log-init --system --gid www-data --no-create-home --uid 33 www-data || true; \
|
||||
\
|
||||
apt-get update; \
|
||||
apt-get install -y --no-install-recommends \
|
||||
git \
|
||||
unzip \
|
||||
rsync \
|
||||
gosu \
|
||||
; \
|
||||
rm -rf /var/lib/apt/lists/*;
|
||||
|
||||
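Review bot: `|| true` on the `useradd ... --uid 33 www-data` line swallows every failure, not only the expected "user already exists" case, and it defeats the `set -ex` at the top of the RUN block for that command; if the goal is idempotency on a base image that already ships www-data, an explicit guard such as `id www-data >/dev/null 2>&1 || useradd ...` keeps the build failing on a real error (for example uid 33 already taken by a differently named account). Since `--create-home` was dropped at the same time and the entrypoint later runs `bin/grav install` as this user, confirm that composer has a writable HOME or COMPOSER_HOME: the declared `/var/www` volume is writable, the root filesystem may not be.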
@ -87,5 +86,10 @@ COPY entrypoint.sh /entrypoint.sh
|
||||
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
|
||||
COPY grav.ini $PHP_INI_DIR/conf.d/
|
||||
|
||||
VOLUME [ "/var/www", "/tmp" ]
|
||||
EXPOSE 9000
|
||||
|
||||
USER www-data:www-data
|
||||
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
CMD ["php-fpm"]
|
||||
|
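Review bot: with `USER www-data:www-data` placed before `ENTRYPOINT`, /entrypoint.sh now executes as uid 33, and its `mkdir -p /var/www/$GRAV_FOLDER` step needs write access to `/var/www`; nothing in this diff changes the ownership of `/var/www`, so unless that happens elsewhere in the Dockerfile a first start with an empty anonymous volume will fail with a permission error. A `RUN chown www-data:www-data /var/www` immediately before the `VOLUME` line would make the image self-sufficient, since the volume inherits the ownership the image path had at build time.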
@ -11,15 +11,14 @@ ENV PHP_YAML_VERSION 2.2.1
|
||||
|
||||
RUN set -ex; \
|
||||
\
|
||||
groupadd --system foo; \
|
||||
useradd --no-log-init --system --gid foo --create-home foo; \
|
||||
groupadd --force --system --gid 33 www-data; \
|
||||
useradd --no-log-init --system --gid www-data --no-create-home --uid 33 www-data || true; \
|
||||
\
|
||||
apt-get update; \
|
||||
apt-get install -y --no-install-recommends \
|
||||
git \
|
||||
unzip \
|
||||
rsync \
|
||||
gosu \
|
||||
; \
|
||||
rm -rf /var/lib/apt/lists/*;
|
||||
|
||||
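Review bot: `groupadd --force --system --gid 33 www-data` does not guarantee gid 33: with `--force`, groupadd exits successfully when the group name already exists, and when gid 33 is already used by a different group name it silently chooses another gid instead of failing. On the php fpm-buster base the www-data group already exists with gid 33, so this is a no-op today, but the README's statement that the container runs with id 33 rests on that assumption; a `getent group 33 | grep -q '^www-data:'` check after the command would make the build fail loudly if a future base image changes it.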
@ -87,5 +86,10 @@ COPY entrypoint.sh /entrypoint.sh
|
||||
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
|
||||
COPY grav.ini $PHP_INI_DIR/conf.d/
|
||||
|
||||
VOLUME [ "/var/www", "/tmp" ]
|
||||
EXPOSE 9000
|
||||
|
||||
USER www-data:www-data
|
||||
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
CMD ["php-fpm"]
|
||||
|
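Review bot: `VOLUME [ "/var/www", "/tmp" ]` turns `/tmp` into an anonymous volume on every `docker run`; that is what keeps the image usable under `--read-only`, but it also means temporary files survive container restarts and accumulate as dangling volumes unless the container is started with `--rm` or the operator mounts `--tmpfs /tmp` instead, which is worth a sentence in the README next to the read-only note. Placing the `VOLUME` line after the last `COPY` is the correct ordering, since no later build step can populate those paths.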
28
README.md
@ -2,22 +2,23 @@
|
||||
|
||||
Docker container for [GRAV CMS](https://getgrav.org/).
|
||||
|
||||
This image is based on the PHP:7.3.*-fpm-buster image.
|
||||
This image is based on the PHP fpm-buster image.
|
||||
|
||||
You can find the source [here](https://git.walbeck.it/walbeck-it/docker-getgrav)
|
||||
You can find the source code [here](https://git.walbeck.it/walbeck-it/docker-getgrav)
|
||||
|
||||
## Tags
|
||||
|
||||
* latest
|
||||
* 1.6
|
||||
* 1.6.*
|
||||
* 1.7-rc.*
|
||||
* 1.7.\*-rc.\*
|
||||
* 1.7
|
||||
* 1.7.*
|
||||
|
||||
## Usage
|
||||
This is purely php-fpm bash image, which means you need another container to act as the webserver, I recommend nginx. For a nginx config to use with GRAV, you can have a look at the [GRAV documentation](https://learn.getgrav.org/16/webservers-hosting/servers/nginx)
|
||||
|
||||
GRAV is by default installed into /var/www/html where you will find all the folders from a normal GRAV install. A user has been created in container with a default id of 33 (same as www-data).
|
||||
This is purely php-fpm based image, which means you need another container to act as the webserver, I recommend nginx. For a nginx config to use with GRAV, you can have a look at the [GRAV documentation](https://learn.getgrav.org/17/webservers-hosting/servers/nginx)
|
||||
|
||||
GRAV is by default installed into /var/www/html where you will find all the folders from a normal GRAV install. By default the container is run as user www-data with id 33.
|
||||
|
||||
To provide your site data to the container simply do use a volume mount to the desired folder. You can see the docker-compose example at the bottom for an example with volume mount and nginx webserver.
|
||||
|
||||
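Review bot: two wording issues in the added lines: "This is purely php-fpm based image" is missing an article ("a purely php-fpm based image"), and the nginx link was moved from the `/16/` to the `/17/` documentation while the image still publishes 1.6 tags, so readers on 1.6 are sent to the 1.7 server guide. The new sentence "By default the container is run as user www-data with id 33" matches the `USER www-data:www-data` line in the Dockerfile.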
@ -33,13 +34,15 @@ All other folders will be overwritten, which also means that it's very easy to u
|
||||
|
||||
After the GRAV files have been installed a **bin/grav install** will be run to install the correct composer dependencies into vendor and all plugins specified in your dependencies file, if you have one. Lastly the cache will be cleared.
|
||||
|
||||
You can customise the user id and group id the container user runs as, and the folder name under /var/www, that GRAV will be installed into, with environment variables:
|
||||
You can customize which user the container runs as by using the [user option](https://docs.docker.com/engine/reference/run/#user).
|
||||
|
||||
You can also change the folder name under /var/www, that GRAV will be installed into, by setting the following environment variable:
|
||||
|
||||
UID=1000
|
||||
GID=1000
|
||||
GRAV_FOLDER=awesome-site
|
||||
|
||||
With the above options the container user will run with a user id and group id of 1000. Grav will be installed into /var/www/awesome-site.
|
||||
With the above option Grav will be installed into /var/www/awesome-site.
|
||||
|
||||
If you wish you can run the container with the read-only option enabled.
|
||||
|
||||
### Commandline
|
||||
|
||||
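Review bot: the replacement sentence pointing at the docker `--user` option should also say what the removed UID/GID variables used to do implicitly: the entrypoint no longer runs `chown -R` over the GRAV folder, so data bind-mounted into `/var/www/<GRAV_FOLDER>` must already be owned by, or writable for, whatever uid the operator picks, otherwise `bin/grav install` and `bin/grav clearcache` fail with permission errors. The read-only sentence would likewise benefit from naming `/var/www` and `/tmp` as the paths that stay writable.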
@ -57,7 +60,7 @@ To update the container you simple download the new container and replace it wit
|
||||
|
||||
### Example docker-compose
|
||||
|
||||
This is a sample docker-compose file using this image along with the official nginx container.
|
||||
This is a sample docker-compose file using this image along with the official nginx container. The UID and GID has been changed to 1000 with the user option and the grav folder is "awesome-grav-site".
|
||||
|
||||
```
|
||||
version: '2'
|
||||
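Review bot: grammar in the added sentence: "The UID and GID has been changed" should be "have been changed". Since the README now advertises the read-only option, the sample compose file this sentence introduces is the natural place to demonstrate it with `read_only: true` on the app service rather than leaving the feature as a hint.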
@ -72,14 +75,13 @@ services:
|
||||
app:
|
||||
image: mwalbeck/getgrav:latest
|
||||
restart: on-failure:5
|
||||
user: 1000:1000
|
||||
networks:
|
||||
- frontend
|
||||
volumes:
|
||||
- grav:/var/www/html
|
||||
- /path/to/user:/var/www/html/user
|
||||
environment:
|
||||
- UID=1000
|
||||
- GID=1000
|
||||
- GRAV_FOLDER=awesome-grav-site
|
||||
|
||||
web:
|
||||
|
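Review bot: the `app:` service now sets `user: 1000:1000` and bind-mounts `/path/to/user`, so the example only works if that host directory and the initial contents of the `grav` named volume are writable by uid 1000; one sentence above the example saying so would prevent the most likely first-run failure. Adding `read_only: true` together with a `tmpfs:` entry for `/tmp` to this service would also make the example exercise the read-only support the README now mentions.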
@ -1,13 +1,8 @@
|
||||
#!/bin/sh
|
||||
set -eu
|
||||
|
||||
UID=${UID:-33}
|
||||
GID=${GID:-33}
|
||||
GRAV_FOLDER=${GRAV_FOLDER:-html}
|
||||
|
||||
usermod -o -u "$UID" foo
|
||||
groupmod -o -g "$GID" foo
|
||||
|
||||
mkdir -p /var/www/$GRAV_FOLDER
|
||||
cd /var/www/$GRAV_FOLDER
|
||||
|
||||
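Review bot: with `usermod`/`groupmod` gone the script no longer needs root, which is the point of the change; two small things while this file is open: `mkdir -p /var/www/$GRAV_FOLDER` and `cd /var/www/$GRAV_FOLDER` keep the variable unquoted, so a value containing whitespace would be split, and a value containing `/` or `..` is still accepted and lands outside `/var/www`; quoting `"$GRAV_FOLDER"` and rejecting those characters with a `case` statement is cheap. Under `set -eu` a failed `cd` aborts the script, which is the right behaviour.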
@ -24,7 +19,4 @@ mkdir -p assets backup cache images logs tmp
|
||||
bin/grav install
|
||||
bin/grav clearcache
|
||||
|
||||
chown foo /proc/self/fd/1 /proc/self/fd/2
|
||||
chown -R foo:foo /var/www/$GRAV_FOLDER
|
||||
|
||||
exec gosu foo "$@"
|
||||
exec "$@"
|
||||
|
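Review bot: dropping `chown -R foo:foo /var/www/$GRAV_FOLDER` (and the `/proc/self/fd` chown that `gosu` needed) is the right consequence of running as www-data from the start, but it is a behaviour change for existing deployments: volumes created by the previous image were re-owned to the `foo` uid at every start, that fixup is gone, and an upgrade where `bin/grav install` / `bin/grav clearcache` run as uid 33 against data owned by another uid now fails at startup. That deserves a line in the README update or the release notes. Keeping `exec "$@"` is good: php-fpm stays PID 1 and receives signals directly.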