hhvm / hhvm-docker

Dockerfiles for HHVM
MIT License

Running as root #20

Open Kilenaitor opened 3 years ago

Kilenaitor commented 3 years ago

Is it intentional that this image runs HHVM as root instead of www-data?

Running ps aux | grep hhvm inside the container shows:

root@692812879a71:/# ps aux | grep hhvm
root         1  0.3  1.0 846568 126760 ?       SLsl 13:09   0:02 /usr/bin/hhvm -m server -c /etc/hhvm/server.ini -c /etc/hhvm/site.ini
root         7  0.0  0.2 201832 25300 ?        Ss   13:09   0:00 /usr/bin/hhvm -m server -c /etc/hhvm/server.ini -c /etc/hhvm/site.ini
root         8  0.0  0.0   2608   604 ?        S    13:09   0:00 sh -c /opt/hhvm/4.73.1/bin/hh_single_compile --daemon --dump-symbol-refs
root        10  0.2  0.5  87596 61852 ?        S    13:09   0:01 /opt/hhvm/4.73.1/bin/hh_single_compile --daemon --dump-symbol-refs
root       716  0.4  0.3  84228 45736 ?        Ss   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server monitor_daemon_main
root       717  1.4  0.4 22114492 58292 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server ServerMain.daemon_main
root       718  0.4  0.3 22099908 43948 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 1/10 for server 717
root       719  0.4  0.3 22099908 44044 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 2/10 for server 717
root       720  0.4  0.3 22099908 43832 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 3/10 for server 717
root       721  0.4  0.3 22099908 43896 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 4/10 for server 717
root       722  0.4  0.3 22099908 43756 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 5/10 for server 717
root       723  0.4  0.3 22099908 43776 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 6/10 for server 717
root       724  0.4  0.3 22099908 43816 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 7/10 for server 717
root       725  0.4  0.3 22099908 43880 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 8/10 for server 717
root       726  0.4  0.3 22099908 43756 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 9/10 for server 717
root       727  0.5  0.3 22099908 43868 ?      SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server worker process 10/10 for server 717
root       728  1.0  0.3  73780 43088 ?        SN   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server file watching process for server 717
root       801  0.4  0.3  75596 44324 ?        S    13:18   0:00 /opt/hhvm/4.73.1/bin/hh_client Jsonrpc
root       804  0.0  0.0   3304   728 pts/0    S+   13:18   0:00 grep --color=auto hhvm

Seems like the invocation command in the Dockerfile should be modified to include --user=www-data.

Kilenaitor commented 3 years ago

As a bit of additional context, I can manage this myself by modifying the Dockerfile in which I include this base image: configuring the container to run as privileged and adding my own CMD instruction based on the one in here.

e.g.

CMD ["/usr/bin/hhvm", "--user", "www-data", "-m", "server", "-c", "/etc/hhvm/server.ini", "-c", "/etc/hhvm/site.ini"]

It needs to run as privileged; otherwise you get

cap_set_proc failed: Operation not permitted
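A check to go with the two comments above, added here as an example and not code from hhvm-docker or from the commenter: a small POSIX sh/awk filter that takes a ps aux listing (from docker exec CONTAINER ps aux, or the listing quoted in the first comment) and reports which HHVM-related processes still run as root. It treats a numeric uid 0 the same as "root" (ps prints the number when the name does not resolve inside the container) and ignores the grep that produced the listing. The sample listing is constructed from the issue's own output plus one made-up www-data line; the function and variable names are this example's, not anything in the project.

```shell
#!/bin/sh
# Added example for this issue (not code from hhvm-docker): audit a `ps aux`
# listing for processes still running as root, so an image that is supposed to
# hand off to www-data can be checked from CI or through `docker exec`.

# root_procs PATTERN
#   Reads a `ps aux` listing on stdin and prints "<PID>\t<COMMAND>" for every
#   root-owned process whose COMMAND matches the awk regex PATTERN. The column
#   header and the grep/ps that produced the listing are skipped.
root_procs() {
    awk -v pat="$1" '
        $1 == "USER" && $2 == "PID" { next }            # column header
        NF < 11 { next }                                 # not a ps aux line
        {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i  # COMMAND may contain spaces
            if (cmd ~ /^(grep|ps)( |$)/) next            # noise from `ps aux | grep`
            if (cmd !~ pat) next
            # ps prints a numeric uid when the name does not resolve in the container
            if ($1 == "root" || $1 == "0") print $2 "\t" cmd
        }'
}

# assert_no_root PATTERN
#   Same input on stdin; succeeds only when no matching process runs as root,
#   so it can gate a pipeline step (e.g. after `docker exec ctr ps aux`).
assert_no_root() {
    [ -z "$(root_procs "$1")" ]
}

# Constructed sample: the root lines are taken from the listing in the issue,
# the www-data line is made up to show what a correctly dropped process looks like.
SAMPLE_PS='USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.3  1.0 846568 126760 ?       SLsl 13:09   0:02 /usr/bin/hhvm -m server -c /etc/hhvm/server.ini -c /etc/hhvm/site.ini
root        10  0.2  0.5  87596 61852 ?        S    13:09   0:01 /opt/hhvm/4.73.1/bin/hh_single_compile --daemon --dump-symbol-refs
root       716  0.4  0.3  84228 45736 ?        Ss   13:18   0:00 /opt/hhvm/4.73.1/bin/hh_server monitor_daemon_main
root       804  0.0  0.0   3304   728 pts/0    S+   13:18   0:00 grep --color=auto hhvm
www-data   900  0.1  0.9 846568 120000 ?       Ss   13:20   0:00 /usr/bin/hhvm -m server -c /etc/hhvm/server.ini -c /etc/hhvm/site.ini'

# Stand-alone run: list what is still root in the sample (PIDs 1, 10 and 716).
printf '%s\n' "$SAMPLE_PS" | root_procs hhvm
```

Against a live container the same filter is docker exec CONTAINER ps aux | root_procs hhvm, and docker exec CONTAINER ps aux | assert_no_root hhvm fails the step while the image still starts HHVM as root. On the --privileged workaround in the second comment: --privileged hands the container every capability plus all host devices, far more than an uid change needs. The message quoted there is HHVM failing to keep a small capability set across its setuid when started with --user; in HHVM's capability setup that set, as I read it, includes CAP_SYS_RESOURCE, which is not in Docker's default capability set, so --cap-add=SYS_RESOURCE is the narrower thing to try first (confirm with strace -f -e trace=capset on the failing start). Putting USER www-data in the derived Dockerfile instead of --user avoids the capability dance entirely, at the cost of listening on an unprivileged port or granting CAP_NET_BIND_SERVICE.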