fpm-nginx
fpm-nginx copied to clipboard
bkuhl
Add `runuser` package for run php scripts as `www-data` user
Users very often user need to run php scripts in shell manually, but now shell works as root user, so PHP scripts work as root too. And if they generates some files, those files got root owner.
As I understand, we can't switch shell to www-data by default, because of using s6-overlay.
So workaround is to add sudo or runuser tools to run php scripts as www-data user.
I prefer runuser because it is more lightweight, so I add it to list of installed packages.
With this we can run scripts like this:
runuser -u www-data -- ./scripts/some-script-that-creates-files.php
Though 🤔 about this more... why would someone need to execute such a script within the container? I'm not sure that's a common enough of a task to justify putting such a package on the container.
Many CMS and frameworks provide cli tools to manage project, eg Laravel provides artisan, Symfony - console, Drupal - drush.
Even PHP has composer tool, that can be sometimes needed to use inside a container.
And now when users try to use, eg, composer require - it'll create files with root owner, instead of www-data, that can cause further problems.
I intended these containers to be used in the kind of environment where you're building your container and deploying that stateless container to production. Not running this container and putting something like Wordpress on it that's stateful. There shouldn't be much need in a stateless container scenario to run a command like composer require within any hosted environment, it would be run as part of a development environment where the files being root aren't an issue. Then the lock file would be used to composer install within the Dockerfile as shown here.
For framework-specific commands, I actually use these quite commonly when using a PHP-CLI container (used for queue workers, cron, etc.), but because the container is stateless, file permissions aren't an issue since they're never changed.