plushu / plushu-deploy-app-local-container

Runs the "web" process of a built App Container locally.
MIT License
0 stars 0 forks source link

Starting app as unprivileged user #8

Closed stuartpb closed 10 years ago

stuartpb commented 10 years ago

progrium/buildstep#109 indicates there's some issue in PHP caused by running the apps as root (under "Known Quirks"), and that Heroku doesn't run apps as root.

This plugin could conceivably be altered to not run apps as root (although that would break enter-sandbox, so there'd have to be some thought around how to fix that).

stuartpb commented 10 years ago

yabawock/buildstep@8b47bc0 makes this part of the created image - I'm not wild about that approach. On the other hand, using root within the container to create a non-privileged user does seem like the only viable way. So yeah maybe this is an aspect of building.

So, to recap:

Really, since it seems like the only user that can reliably jump cross-container boundaries, without specific foresight within the container regarding the uids and all, is root, it seems like the user-inside-the-container route is the only viable way to go. As such, it wouldn't be up to this plugin (this plugin can just keep executing with whatever user Docker decides).

stuartpb commented 10 years ago

And hey, maybe a future Plushu builder will use Dockerfiles or whatever to build app containers, and then it can set the default user, or use some mechanism like that (is it a flag on docker commit or something)?

Anyway, non-privileged users are something within containers, and as such the mechanism by which they are configured should be left up to the build step.