
Container must be run as root

Open LargoUsagi opened this issue 1 year ago • 2 comments

Updating to the latest version of the container I had to force my cluster to execute the container as the root user and add

            - name: COMPOSER_ALLOW_SUPERUSER
              value: "1"

Executing containers as the root user should be avoided, as it opens unnecessary security risks: these are usually environments running multiple applications on the same server.

Consider updating the entrypoint to leverage a process like gosu https://github.com/tianon/gosu

LargoUsagi, Feb 09 '24 22:02

The "COMPOSER_ALLOW_SUPERUSER" part is caused by the latest version of Composer. But what error did you have that forced you to run the container as root?

benjaminjonard, Feb 10 '24 09:02

If I didn't execute the container as root I wouldn't need to have the COMPOSER_ALLOW_SUPERUSER flag set.

During the entrypoint script you start editing the PHP configs in /etc:

echo "session.cookie_secure=${HTTPS_ENABLED}" >> /etc/php/8.3/fpm/conf.d/php.ini

https://github.com/benjaminjonard/koillection/blob/1.5/docker/entrypoint.sh#L37

That section requires the container to execute as root. I did not have the errors for COMPOSER_ALLOW_SUPERUSER when I executed the container as user 1000, but I could not start the application. When I ran the container as root (user 0), the Composer error was raised; adding the flag, it continued on and was able to edit the configuration.

Example k8s manifest

apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: koillection
  name: koillection
  namespace: collection
spec:
  replicas: 1
  selector:
    matchLabels:
      app: koillection
  serviceName: koillection
  template:
    metadata:
      labels:
        app: koillection
    spec:
      securityContext:
        runAsUser: 0
        fsGroup: 1000
      initContainers:
        - name: fix-perms
          image: busybox
          command: [ "sh", "-c", "chown -R 1000:1000 /uploads" ]
          volumeMounts:
            - mountPath: /uploads
              name: koillection-data
      containers:
        - name: koillection
          image: koillection/koillection:1.5.3
          imagePullPolicy: IfNotPresent
          env:
            - name: APP_DEBUG
              value: "0"
            - name: APP_ENV
              value: "prod"
            - name: UPLOAD_MAX_FILESIZE
              value: "20M"
            - name: PHP_MEMORY_LIMIT
              value: "512M"
            - name: PHP_TZ
              value: "America/Detroit"
            - name: DB_PORT
              value: "5432"
            - name: DB_DRIVER
              value: "pdo_pgsql"
            - name: DB_VERSION
              value: "15"
            - name: DB_HOST
              value: "postgres"
            - name: DB_NAME
              value: "koillection"
            - name: DB_USER
              value: "koillection"
            - name: DB_PASSWORD
              value: "koillection"
            - name: COMPOSER_ALLOW_SUPERUSER
              value: "1"
          volumeMounts:
            - mountPath: /uploads
              name: koillection-data
      restartPolicy: Always
      volumes:
        - name: koillection-data
          persistentVolumeClaim:
            claimName: koillection-data

LargoUsagi, Feb 10 '24 16:02
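The entrypoint shape suggested in this thread, written out as an added illustration (it is not koillection's own entrypoint.sh): the root-only edits under /etc happen first, then the PHP process is handed to an unprivileged account with gosu, and a container that is already started as a non-root user skips the privileged step entirely. APP_USER, the php.ini helper names and the environment defaults are assumptions; only the php.ini path and the session.cookie_secure line come from the issue.

```shell
#!/bin/sh
# Added example, not koillection's own script. Root-only work first, then
# drop privileges with gosu (https://github.com/tianon/gosu) before exec.
set -eu

PHP_INI="${PHP_INI:-/etc/php/8.3/fpm/conf.d/php.ini}"  # path quoted in the issue
APP_USER="${APP_USER:-www-data}"                       # assumed unprivileged account

# Set key=value in an ini file idempotently: replace an existing line instead
# of appending a duplicate on every restart (the original uses plain >>).
set_php_ini() {
  ini="$1"; key="$2"; value="$3"
  if grep -q "^${key}=" "$ini" 2>/dev/null; then
    # Rewrite via a temp file so this works with GNU, BusyBox and BSD sed.
    sed "s|^${key}=.*|${key}=${value}|" "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
  else
    printf '%s=%s\n' "$key" "$value" >> "$ini"
  fi
}

# Apply the runtime settings derived from the container environment.
configure_php() {
  ini="$1"
  set_php_ini "$ini" session.cookie_secure "${HTTPS_ENABLED:-0}"
  set_php_ini "$ini" upload_max_filesize "${UPLOAD_MAX_FILESIZE:-20M}"
  set_php_ini "$ini" memory_limit "${PHP_MEMORY_LIMIT:-512M}"
}

# Started as root: configure, fix volume ownership, then exec the app as
# APP_USER so PHP never runs with uid 0. Started as non-root (runAsUser set
# in the pod securityContext): the config must already be in the image or a
# mounted file, so just exec the app unchanged.
run_app() {
  if [ "$(id -u)" -eq 0 ]; then
    configure_php "$PHP_INI"
    [ -d /uploads ] && chown -R "$APP_USER" /uploads
    exec gosu "$APP_USER" "$@"
  fi
  exec "$@"
}

# Only launch when a command was passed (the image CMD); with no arguments
# the functions are merely defined, which keeps the file sourceable.
[ "$#" -eq 0 ] || run_app "$@"
```

With this shape the pod can keep `runAsUser: 0` only for the few lines before `gosu`, and the `fix-perms` init container from the manifest above becomes unnecessary; once the php.ini values are baked in at image build time, the non-root branch lets the manifest switch to `runAsNonRoot: true`.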