serversideup / docker-php

🐳 Production-ready Docker images for PHP. Optimized for Laravel, WordPress, and more!
https://serversideup.net/open-source/docker-php/
GNU General Public License v3.0

Cron #436

Closed IvayLoRD closed 1 month ago

IvayLoRD commented 1 month ago

Steps To Reproduce

Just install `apt-get install cron -y` and try `service start cron` or something

Outcome

After start I got `seteuid: Operation not permitted`

I apologize for the silly question, but I would like to ask if you have any idea how to add cron to start as a process given that the user is www-data.

Affected Docker Images

php:8.1-fpm

Anything else?

No response

jaydrogers commented 1 month ago

I'd highly recommend taking a look at our docs, showing how we handle file permissions. Our containers are shipped unprivileged by default https://serversideup.net/open-source/docker-php/docs/guide/understanding-file-permissions

You need to switch to root to do root things, then switch back for best security.

IvayLoRD commented 1 month ago

I read your documentation, but in the context of Kubernetes and the following flags

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
```

When starting the container locally, there are no issues, but as soon as it is launched in Kubernetes, the service does not want to start. I was hoping you might have some suggestions or ideas on how this can be done. And as you mentioned earlier, it’s good for them to be unprivileged and not have privilege escalation.

jaydrogers commented 1 month ago

Someone has this PR opened, but I have to sit down and review it in detail yet: https://github.com/serversideup/docker-php/pull/393

Not sure if that will help?

I'm not a Kubernetes expert unfortunately, so I don't know the full implications of those flags.

IvayLoRD commented 1 month ago

The problem is that the allowPrivilegeEscalation flag does not allow you to switch users, for security reasons. Your image is very good, and we really like it. You have definitely done a great job, but there are many PHP applications that require cron, and this is the only thing we are looking for a solution to: how to add it and start the process as www-data.

jaydrogers commented 1 month ago

The best resource I can offer at this moment are the notes from a community member, which have yet to be reviewed: https://github.com/serversideup/docker-php/pull/393/files

It looks like they are getting Cron to work as an unprivileged user.

We've never used cron internally because we've always used a Laravel task scheduler: https://serversideup.net/open-source/docker-php/docs/laravel/laravel-task-scheduler#important-concepts

This helped us avoid doing too many things in a container and keeping the configuration within the application itself.

I understand this may not be the answer for all PHP apps, especially if you're not using Laravel. If that is the case, then I'd need to get a feature request with community excitement to build it out: https://github.com/serversideup/docker-php/discussions/66
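The combination the thread circles around (a per-minute scheduler run that starts directly as www-data, with `allowPrivilegeEscalation: false` and all capabilities dropped) can be expressed as a Kubernetes CronJob instead of an in-container cron daemon. The manifest below is an added example, not code from the issue or from the docker-php project; the job name, the image tag placeholder, the working directory and the www-data UID/GID of 33 are assumptions to adjust for your deployment. Because the container is launched as UID 33 from the start, nothing in it ever calls `seteuid`, which is the call that fails under the restricted security context.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: laravel-scheduler            # hypothetical name
spec:
  schedule: "* * * * *"               # Laravel's scheduler expects schedule:run every minute
  concurrencyPolicy: Forbid           # do not overlap runs if one is slow
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 33             # assumption: www-data UID in the image
            runAsGroup: 33            # assumption: www-data GID in the image
          containers:
            - name: scheduler
              image: serversideup/php:IMAGE_TAG_PLACEHOLDER   # replace with the tag you deploy
              workingDir: /var/www/html                        # assumption: application root
              command: ["php", "artisan", "schedule:run"]
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
                readOnlyRootFilesystem: false   # set true if the app writes only to mounted volumes
```

The pod-level `runAsUser` is what replaces the user switch that a cron daemon would try to perform; the container-level `securityContext` keeps the same `allowPrivilegeEscalation: false` and dropped capabilities from the original question, so the restrictions are unchanged and only the process that is started changes. A quick check after applying it is `kubectl get cronjob laravel-scheduler` followed by `kubectl logs job/<job-name>` for one completed run, which should show the scheduler output rather than a `seteuid` error.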

IvayLoRD commented 1 month ago

Thank you.