Closed IvayLoRD closed 1 month ago
I'd highly recommend taking a look at our docs, showing how we handle file permissions. Our containers are shipped unprivileged by default https://serversideup.net/open-source/docker-php/docs/guide/understanding-file-permissions
You need to switch to root to do root things, then switch back for best security.
I read your documentation, but in the context of Kubernetes and the following flags
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
When starting the container locally, there are no issues, but as soon as it is launched in Kubernetes, the service does not want to start. I was hoping you might have some suggestions or ideas on how this can be done. And as you mentioned earlier, it’s good for them to be unprivileged and not have privilege escalation.
Someone has this PR opened, but I have to sit down and review it in detail yet: https://github.com/serversideup/docker-php/pull/393
Not sure if that will help?
I'm not a Kubernetes expert unfortunately, so I don't know the full implications of those flags.
The problem is that the allowPrivilegeEscalation flag does not allow you to switch users, for security reasons. Your image is very good, and we really like it. You have definitely done a great job, but there are many PHP applications that require cron and this is the only thing we are looking for a solution to: how to add it and start the process as www-data.
The best resource I can offer at this moment are the notes from a community member, which have yet to be reviewed: https://github.com/serversideup/docker-php/pull/393/files
It looks like they are getting Cron to work as an unprivileged user.
We've never used cron internally because we've always used a Laravel task scheduler: https://serversideup.net/open-source/docker-php/docs/laravel/laravel-task-scheduler#important-concepts
This helped us avoid doing too many things in a container and keeping the configuration within the application itself.
I understand this may not be the answer for all PHP apps, especially if you're not using Laravel. If that is the case, then I'd need to get a feature request with community excitement to build it out: https://github.com/serversideup/docker-php/discussions/66
Thank you.
Steps To Reproduce
Just install it (apt-get install cron -y) and try service start cron or something.
Outcome
After starting it, I got: seteuid: Operation not permitted
I apologize for the silly question, but I would like to ask if you have any idea how to add cron to start as a process given that the user is www-data.
Affected Docker Images
php:8.1-fpm
Anything else?
No response
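One way to get scheduled work running as www-data without a cron daemon, as an added example that is not code from this issue or from the serversideup/docker-php project: a Kubernetes CronJob that executes the scheduler command directly as the unprivileged user, under the same securityContext flags quoted earlier in the thread, so nothing in the pod ever needs to seteuid() to another account. The image, the artisan path and uid 33 for www-data are assumptions; adjust them to your application.

```yaml
# Added example, not from the project. Runs the scheduler as www-data directly
# instead of starting a root cron daemon that must switch users (the seteuid
# step that fails under the restricted securityContext).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: php-scheduler            # assumed name
spec:
  schedule: "* * * * *"          # every minute, as a Laravel-style scheduler expects
  concurrencyPolicy: Forbid      # never overlap two runs of the scheduler
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 33          # www-data in Debian-based php images (assumption for your image)
            runAsGroup: 33
          containers:
            - name: scheduler
              image: php:8.1-fpm   # image from the issue; replace with your application image
              command: ["php", "/var/www/html/artisan", "schedule:run"]  # assumed app path and command
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
```

Because each run is a fresh pod owned by uid 33, the pod security settings that broke the cron daemon are satisfied without weakening them, and failed runs show up as failed Jobs rather than silently in a container log.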