docker-joomla
Run Joomla image without ROOT user
Hello,
I've tried to execute the Joomla image without the root user. Apache wasn't able to open the TCP port.
Is there a way to execute the Joomla image with a user other than root?
If not, is it possible to add the ability to run the Joomla image without the root user?
Thanks
Have you tried running other Docker containers without root privileges? Maybe this manual will help you: https://docs.docker.com/install/linux/linux-postinstall/
Hello,
Thank you for answering, and yes, I use my user to start/stop the container as described in your reference.
The issue is not managing Docker itself, but rather the container security. Take a look at: https://www.redhat.com/en/blog/understanding-root-inside-and-outside-container
And yes, the MySQL container can run with non-root privileges; take a look at "Running as an arbitrary user" in https://hub.docker.com/_/mysql. It's what I did for security reasons.
I want to run Joomla container without root privileges.
Example:

```sh
docker run --restart always --name joomlaname --user 1501:1501 \
  -p x.x.x.x:x:x \
  -e JOOMLA_DB_HOST=xxxx:nnnn -e JOOMLA_DB_NAME=xxxx \
  -e JOOMLA_DB_USER=xxxx -e JOOMLA_DB_PASSWORD=xxxxxx \
  --network mynet -d joomla
```

Thanks again
Any chances this can be reviewed again? As @sylvoie said, the MySQL image runs as non-root if the correct UID and GID are passed — using docker or docker-compose.
The Bitnami image for Joomla! allows that also. I've seen also some images and articles pointing at using gosu, but I'm not entirely sure how to properly use it.
Hello,
I found a workaround, but first you need to know that non-root users can't open ports under 1024 without dealing with the Linux capability "CAP_NET_BIND_SERVICE" (ref: man capabilities). The Joomla Docker image tries to listen on port 80. If you want to start the container with a non-root user, you need to deal with that capability, or you can change the port that Apache uses in the Joomla container to be over 1024. When you change that port, you are able to launch the container as a user other than root.
My solution: I built a Docker image based on the Joomla Docker image with this Dockerfile:

```dockerfile
FROM joomla:3.9.21-php7.2-apache
# Move Apache off the privileged port 80 so a non-root user can bind it
RUN sed -ri -e 's!Listen 80!Listen 8080!g' /etc/apache2/ports.conf
EXPOSE 8080
```

As you can see, the second line changes the port in the Apache configuration to listen on 8080.
Voilà
Hope this helps!
@sylvoie if you can create a pull request I'm happy to merge it.
Hello @HLeithner, it's a great idea, but first I will need more information on how, because there are more than 10 Dockerfiles! And does that mean each Dockerfile needs to be tested? These changes will override the TCP port to 8080 permanently. Is that what we want?
For what it's worth, I'm able to "circumvent" this by using sysctls net.ipv4.ip_unprivileged_port_start=0 and user $uid:$gid, although I think that will only work on Linux.
This is what I do in my docker-compose.yml file:
```yaml
joomla:
  container_name: joomla
  depends_on:
    - database
  environment:
    # Quoted so YAML does not read "#..." as a comment; Apache treats "#<id>" as a numeric ID
    APACHE_RUN_GROUP: "#$GROUP_ID"
    APACHE_RUN_USER: "#$USER_ID"
    JOOMLA_DB_HOST: database
    JOOMLA_DB_NAME: joomla_db
    JOOMLA_DB_PASSWORD_FILE: /run/secrets/mysql_user_password
    JOOMLA_DB_USER: joomla
  image: docker.io/library/joomla:3.9.22-php7.4-apache # https://registry.hub.docker.com/_/joomla/
  networks:
    - global-network
  ports:
    - "8080:80"
  restart: on-failure
  secrets:
    - mysql_user_password
  sysctls:
    - net.ipv4.ip_unprivileged_port_start=0
  user: "$USER_ID:$GROUP_ID"
  volumes:
    - ./assets/www:/var/www/html
```
Moreover, I think there are variables to control the port that Apache uses, but again, non-root users can't open ports under 1024 by default. The Bitnami folks did a great job in this regard. I think it's worth the time to look at what they did and implement it in the default Joomla! image also, since it makes a lot of sense for Docker.
Please review https://github.com/joomla-docker/docker-joomla/issues/58
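
An added example, not code from this thread or from the docker-joomla project: a POSIX shell pre-flight check that reads the `Listen` directives from Apache's `ports.conf`, compares them with `net.ipv4.ip_unprivileged_port_start`, and reports whether a given UID can bind them. The function names and the sample `ports.conf` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: can Apache bind its ports as a non-root UID?

# Lowest port an unprivileged process may bind (Linux sysctl; 1024 if unavailable).
unprivileged_port_start() {
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# Print each port from the Listen directives in ports.conf ($1) that is below
# the threshold ($2). Handles "Listen 80", "Listen 1.2.3.4:80", "Listen [::1]:80"
# and a trailing protocol ("Listen 443 https"). Listens inside <IfModule> are
# counted as active, which errs on the cautious side.
privileged_listens() {
    awk -v start="$2" '
        tolower($1) == "listen" && NF >= 2 {  # commented-out lines never match
            port = $2
            sub(/^.*:/, "", port)             # drop "address:" (IPv4 or [IPv6])
            if (port ~ /^[0-9]+$/ && port + 0 < start + 0) print port
        }' "$1"
}

# Return 0 if UID $1 can bind every Listen port in $2; $3 overrides the threshold.
can_bind_all() {
    uid=$1 conf=$2 start=${3:-$(unprivileged_port_start)}
    # Root keeps CAP_NET_BIND_SERVICE under Docker's default capability set.
    [ "$uid" -eq 0 ] && return 0
    blocked=$(privileged_listens "$conf" "$start")
    [ -z "$blocked" ] && return 0
    echo "uid $uid cannot bind port(s) $(echo $blocked) (unprivileged ports start at $start)" >&2
    return 1
}

# Constructed sample ports.conf, resembling the Debian default layout.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
EOF
can_bind_all 1501 "$sample" 1024 || echo "fix: Listen on a port >= 1024, or lower the sysctl"
can_bind_all 1501 "$sample" 0 && echo "ok with net.ipv4.ip_unprivileged_port_start=0"
rm -f "$sample"
```

Run inside the container, `can_bind_all "$(id -u)" /etc/apache2/ports.conf` uses the live sysctl value instead of an explicit threshold.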