feat(non-root): run container as non-root with read-only fs
This commit allows any container based on the linkstack image to be run as non-root (as the apache user) and to restrict the filesystem to read-only permissions, ensuring a much more secure runtime.
This commit is contained in:
parent
b56846d0ad
commit
32305b4d3a
|
@ -42,12 +42,17 @@ COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf
|
||||||
COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf
|
COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf
|
||||||
COPY configs/php/php.ini /etc/php8.2/php.ini
|
COPY configs/php/php.ini /etc/php8.2/php.ini
|
||||||
|
|
||||||
|
RUN chown apache:apache /etc/ssl/apache2/server.pem
|
||||||
|
RUN chown apache:apache /etc/ssl/apache2/server.key
|
||||||
|
|
||||||
RUN chown -R apache:apache /htdocs
|
RUN chown -R apache:apache /htdocs
|
||||||
RUN find /htdocs -type d -print0 | xargs -0 chmod 0755
|
RUN find /htdocs -type d -print0 | xargs -0 chmod 0755
|
||||||
RUN find /htdocs -type f -print0 | xargs -0 chmod 0644
|
RUN find /htdocs -type f -print0 | xargs -0 chmod 0644
|
||||||
|
|
||||||
COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/
|
COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/
|
||||||
|
|
||||||
|
USER apache:apache
|
||||||
|
|
||||||
HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1
|
HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1
|
||||||
|
|
||||||
# Set console entry path
|
# Set console entry path
|
||||||
|
|
|
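Review bot: The private key at /etc/ssl/apache2/server.key only changes owner here; its mode is left untouched, and since the whole server (PHP included) now runs as apache, that user can read the key in any case, so the owner change alone does not reduce its exposure. Tighten the mode in the same layer, `RUN chown apache:apache /etc/ssl/apache2/server.key && chmod 0400 /etc/ssl/apache2/server.key`; server.pem only needs to be readable, so its chown is probably unnecessary. Separately, Apache still listens on 80/443 inside the container (the compose file maps 8080:80 and 8081:443), and binding those as a non-root user depends on the runtime lowering the unprivileged-port sysctl (Docker 20.10+ does; older runtimes and some Kubernetes setups do not) — a comment above `USER apache:apache` naming that requirement, or listening on a port above 1024, would make the failure mode explicit.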
@ -487,3 +487,9 @@ LogLevel ${LOG_LEVEL}
|
||||||
#
|
#
|
||||||
IncludeOptional /etc/apache2/conf.d/*.conf
|
IncludeOptional /etc/apache2/conf.d/*.conf
|
||||||
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json
|
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json
|
||||||
|
|
||||||
|
#
|
||||||
|
# The PidFile directive sets the file to which the server records the
|
||||||
|
# process id of the daemon. If the filename is not absolute, then it
|
||||||
|
# is assumed to be relative to the ServerRoot.
|
||||||
|
PidFile /htdocs/httpd.pid
|
||||||
|
|
|
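Review bot: `PidFile /htdocs/httpd.pid` places the pid file inside the web tree, which forces /htdocs to remain writable by the runtime user and so works against the read-only filesystem this commit is aiming for; if /htdocs is also the DocumentRoot (not visible in this hunk), the file may additionally be retrievable over HTTP. A tmpfs-backed location such as `PidFile /tmp/httpd.pid` (or /run/apache2 with a tmpfs mount in compose) keeps the web root read-only and the pid file out of the served tree; the matching `rm -f` in docker-entrypoint.sh would need the same path. The surrounding directive block starts before this hunk.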
@ -17,11 +17,13 @@ services:
|
||||||
ports:
|
ports:
|
||||||
- '8080:80'
|
- '8080:80'
|
||||||
- '8081:443'
|
- '8081:443'
|
||||||
|
restart: unless-stopped
|
||||||
|
user: apache:apache
|
||||||
|
# read_only: true
|
||||||
depends_on:
|
depends_on:
|
||||||
- mysql
|
- mysql
|
||||||
links:
|
links:
|
||||||
- mysql
|
- mysql
|
||||||
restart: unless-stopped
|
|
||||||
mysql:
|
mysql:
|
||||||
image: mysql:8
|
image: mysql:8
|
||||||
environment:
|
environment:
|
||||||
|
|
|
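Review bot: `read_only: true` is added only as a comment, so the read-only filesystem described in the commit message is not enforced by this compose file; together with `chown -R apache:apache /htdocs` in the Dockerfile, the runtime user now owns a writable web root, which is weaker than running PHP as a user that cannot modify its own code. Enable it and supply the paths Apache needs to write as tmpfs, e.g. `read_only: true` followed by `tmpfs:` and `- /tmp`, with the PidFile moved out of /htdocs so the root stays read-only. If the line was disabled because startup failed, a comment naming the path that needed writing would save the next reader the experiment.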
@ -35,6 +35,9 @@ echo '+ ------------------------------------------------------------------ +'
|
||||||
# | -- MISC -- | #
|
# | -- MISC -- | #
|
||||||
# + ---------- + #
|
# + ---------- + #
|
||||||
|
|
||||||
|
# Apache gets grumpy about PID files pre-existing
|
||||||
|
rm -f /htdocs/httpd.pid
|
||||||
|
|
||||||
echo '| ------------------------------------------------------------------ |'
|
echo '| ------------------------------------------------------------------ |'
|
||||||
echo '| Running Apache |'
|
echo '| Running Apache |'
|
||||||
echo '+ ------------------------------------------------------------------ +'
|
echo '+ ------------------------------------------------------------------ +'
|
||||||
|
|
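Review bot: The comment on the new `rm -f /htdocs/httpd.pid` line explains the symptom but not the coupling: the path must equal the PidFile directive in configs/apache2/httpd.conf, and the file is only stale because an unclean container stop leaves it behind. Suggest `# Remove a stale PidFile left by an unclean stop; path must match PidFile in configs/apache2/httpd.conf`. Note that once the root filesystem is read-only, a permission error from rm is not suppressed by -f, so the line should target a tmpfs-backed path or tolerate that failure explicitly; whether this script runs under set -e is outside the hunk.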