feat(non-root): run container as non-root with read-only fs
This commit allows any container based on the linkstack image to be run as non-root (the apache user) and limits the filesystem permissions to read-only, ensuring a much more secure runtime.
parent
b56846d0ad
commit
32305b4d3a
|
@ -42,12 +42,17 @@ COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf
|
|||
COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf
|
||||
COPY configs/php/php.ini /etc/php8.2/php.ini
|
||||
|
||||
RUN chown apache:apache /etc/ssl/apache2/server.pem
|
||||
RUN chown apache:apache /etc/ssl/apache2/server.key
|
||||
|
||||
RUN chown -R apache:apache /htdocs
|
||||
RUN find /htdocs -type d -print0 | xargs -0 chmod 0755
|
||||
RUN find /htdocs -type f -print0 | xargs -0 chmod 0644
|
||||
|
||||
COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/
|
||||
|
||||
USER apache:apache
|
||||
|
||||
HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1
|
||||
|
||||
# Set console entry path
|
||||
|
|
|
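Review bot: The two `RUN chown apache:apache /etc/ssl/apache2/server.*` lines change ownership only, so whatever mode the key was copied with is kept; now that the runtime user is apache the private key should be locked down explicitly, e.g. `RUN chmod 0600 /etc/ssl/apache2/server.key` right after the chown (I cannot see the copied file's mode from this hunk, so treat this as a check to confirm). The `RUN chown -R apache:apache /htdocs` plus `chmod 0644` on every file also makes the whole document root writable by the user the web server runs as, which works against the read-only intent of the commit: a bug in the PHP application could then rewrite its own code. If only a few paths need to be writable (storage, cache, the pid file), a tighter arrangement is to keep /htdocs owned by root with group apache and read-only modes, and chown just those writable paths to apache.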
@ -487,3 +487,9 @@ LogLevel ${LOG_LEVEL}
|
|||
#
|
||||
IncludeOptional /etc/apache2/conf.d/*.conf
|
||||
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json
|
||||
|
||||
#
|
||||
# The PidFile directive sets the file to which the server records the
|
||||
# process id of the daemon. If the filename is not absolute, then it
|
||||
# is assumed to be relative to the ServerRoot.
|
||||
PidFile /htdocs/httpd.pid
|
||||
|
|
|
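Review bot: `PidFile /htdocs/httpd.pid` puts the pid file inside the application tree, which is presumably also the DocumentRoot (hedged, the DocumentRoot directive is outside this hunk); that makes the file a candidate for being served and forces /htdocs to stay writable, which is exactly what a read-only root filesystem is meant to avoid. A tmpfs-backed location such as `PidFile /tmp/httpd.pid` (with `/tmp` mounted as tmpfs in the compose file) keeps the document root read-only and also removes the need for the entrypoint to delete a stale pid file. The copied comment block above the directive is fine, but a one-line note such as `# Kept out of ServerRoot because the container runs as apache with a read-only filesystem` would explain the non-default choice.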
@ -17,11 +17,13 @@ services:
|
|||
ports:
|
||||
- '8080:80'
|
||||
- '8081:443'
|
||||
restart: unless-stopped
|
||||
user: apache:apache
|
||||
# read_only: true
|
||||
depends_on:
|
||||
- mysql
|
||||
links:
|
||||
- mysql
|
||||
restart: unless-stopped
|
||||
mysql:
|
||||
image: mysql:8
|
||||
environment:
|
||||
|
|
|
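Review bot: `# read_only: true` is commented out, so the compose service still runs with a writable root filesystem even though the commit message says the filesystem is limited to read-only; either enable it or reword the message. Enabling it needs a writable scratch location for the pid file and for Apache's runtime files, e.g. `read_only: true` followed by `tmpfs:` with `- /tmp` and `- /run`, and the PidFile path in httpd.conf would have to point into one of them. I infer from the two `restart: unless-stopped` lines that one is being moved; having both in the same service block is at best redundant and worth confirming against the full file. `links:` is also obsolete now that `depends_on` and the default network provide name resolution, so it could be dropped in the same cleanup.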
@ -35,6 +35,9 @@ echo '+ ------------------------------------------------------------------ +'
|
|||
# | -- MISC -- | #
|
||||
# + ---------- + #
|
||||
|
||||
# Apache gets grumpy about PID files pre-existing
|
||||
rm -f /htdocs/httpd.pid
|
||||
|
||||
echo '| ------------------------------------------------------------------ |'
|
||||
echo '| Running Apache |'
|
||||
echo '+ ------------------------------------------------------------------ +'
|
||||
|
|
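Review bot: `rm -f /htdocs/httpd.pid` hard-codes the path that httpd.conf sets with `PidFile`, so the two must be kept in sync by hand; a comment such as `# must match PidFile in configs/apache2/httpd.conf` on the line above would make that coupling visible. Note that `-f` only suppresses the missing-file case: if /htdocs ends up on a read-only filesystem the command still fails with EROFS and, depending on whether the script sets `-e` (the top of the file is outside this hunk), would abort the entrypoint. Placing the pid file on a tmpfs path instead makes the removal unnecessary, since the directory is empty on every container start.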