feat(non-root): run container as non-root with read-only fs

This commit allows any container based on the linkstack image
to be run as non-root (the apache user) and restricts the
filesystem to read-only, ensuring a much more secure runtime.
thylong 2023-12-27 17:31:07 +01:00
parent b56846d0ad
commit 32305b4d3a
4 changed files with 17 additions and 1 deletions


@ -42,12 +42,17 @@ COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf
COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf
COPY configs/php/php.ini /etc/php8.2/php.ini COPY configs/php/php.ini /etc/php8.2/php.ini
RUN chown apache:apache /etc/ssl/apache2/server.pem
RUN chown apache:apache /etc/ssl/apache2/server.key
RUN chown -R apache:apache /htdocs RUN chown -R apache:apache /htdocs
RUN find /htdocs -type d -print0 | xargs -0 chmod 0755 RUN find /htdocs -type d -print0 | xargs -0 chmod 0755
RUN find /htdocs -type f -print0 | xargs -0 chmod 0644 RUN find /htdocs -type f -print0 | xargs -0 chmod 0644
COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/ COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/
USER apache:apache
HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1 HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1
# Set console entry path # Set console entry path
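Review bot: The two new `RUN chown` lines hand `server.key` to the `apache` account without tightening its mode, and because httpd now starts under `USER apache:apache` there is no root/worker privilege separation left, so the same uid that executes PHP can read the TLS private key. Restrict the key to owner-read in the same layer that changes its owner, `RUN chown apache:apache /etc/ssl/apache2/server.pem /etc/ssl/apache2/server.key && chmod 0400 /etc/ssl/apache2/server.key`, which also avoids a second layer that re-copies the key. Separately, the compose hunk still maps container ports 80 and 443 and the `HEALTHCHECK` probes `http://localhost`, so unless the `Listen` directives (outside this hunk) were moved above 1024, the non-root httpd can only bind them on runtimes that grant CAP_NET_BIND_SERVICE or set `ip_unprivileged_port_start=0` (Docker Engine 20.10+ does by default; Kubernetes does not), which is worth a comment next to `USER apache:apache`.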


@ -487,3 +487,9 @@ LogLevel ${LOG_LEVEL}
# #
IncludeOptional /etc/apache2/conf.d/*.conf IncludeOptional /etc/apache2/conf.d/*.conf
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json
#
# The PidFile directive sets the file to which the server records the
# process id of the daemon. If the filename is not absolute, then it
# is assumed to be relative to the ServerRoot.
PidFile /htdocs/httpd.pid
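Review bot: `PidFile /htdocs/httpd.pid` puts the server's runtime state inside `/htdocs`, the tree the Dockerfile hunk prepares as the web content root (`chown -R apache:apache /htdocs`, files `chmod 0644`), so that directory must remain writable by the `apache` uid at runtime, which is exactly the directory a read-only filesystem is meant to freeze, and if `/htdocs` is also the DocumentRoot the PID file is served as a web resource. Point the directive at a runtime directory outside the web root that the container can mount as tmpfs (e.g. somewhere under `/run`), and move the matching `rm -f /htdocs/httpd.pid` in the docker-entrypoint.sh hunk with it. This is presumably why `read_only: true` stays commented out in the docker-compose hunk; with the PID file relocated it can be enabled.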


@ -17,11 +17,13 @@ services:
ports: ports:
- '8080:80' - '8080:80'
- '8081:443' - '8081:443'
restart: unless-stopped
user: apache:apache
# read_only: true
depends_on: depends_on:
- mysql - mysql
links: links:
- mysql - mysql
restart: unless-stopped
mysql: mysql:
image: mysql:8 image: mysql:8
environment: environment:
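Review bot: `# read_only: true` leaves the read-only root filesystem announced in the commit title disabled, so the runtime hardening this hunk actually delivers is only the `user: apache:apache` line. Enabling it means uncommenting `read_only: true` and declaring the paths httpd and PHP write at runtime (PID file, logs, session and upload temp directories, as configured in the shipped httpd.conf and php.ini) as `tmpfs:` entries on the service, after the PID file is moved out of `/htdocs`, since the entrypoint hunk currently deletes `/htdocs/httpd.pid` on every start. The `user:` entry also duplicates the `USER apache:apache` the Dockerfile now sets; keep one source of truth or document that the compose value is the intended override.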


@ -35,6 +35,9 @@ echo '+ ------------------------------------------------------------------ +'
# | -- MISC -- | # # | -- MISC -- | #
# + ---------- + # # + ---------- + #
# Apache gets grumpy about PID files pre-existing
rm -f /htdocs/httpd.pid
echo '| ------------------------------------------------------------------ |' echo '| ------------------------------------------------------------------ |'
echo '| Running Apache |' echo '| Running Apache |'
echo '+ ------------------------------------------------------------------ +' echo '+ ------------------------------------------------------------------ +'