Skip to content

Docker image as non-root user #243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
froozeify wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Docker image as non-root user #243

froozeify wants to merge 2 commits into from

Conversation

@froozeify
Copy link
Member

@froozeify froozeify commented Dec 18, 2025
edited
Loading

This PR will closes #213, #234, #225 (probably, waiting for user feedback on it)

Port 80 Preserved: Using setcap on Apache to allow binding to port 80 without root privileges, avoiding breaking changes for existing deployments as explained in the next section (I'll be inclined to do a dedicated PR with that breaking change).

Process Management:
- Implemented Supervisord to manage services (handling auto restart of them, inspired on Symfony Messenger).
- Replaced system cron with a lightweight PHP worker (cron-worker.sh) managed by Supervisord.

PHP Configuration: Enabled native PHP session garbage collection (session.gc_probability = 1) in glpi.ini since the system cron is no longer available.

Updated startup scripts to check for writable permissions on volume directories instead of attempting to chown them.

Switching from port 80 to port 8080 (AI beautified)

This is open to debate and should probably be done in a separate PR.

Current Implementation: Port 80 with setcap

How:
We use the Linux capability CAP_NET_BIND_SERVICE to allow the non-root user (www-data) to bind to a privileged port (ports < 1024).

RUN setcap cap_net_bind_service=+ep /usr/sbin/apache2

Pros:

  • No Breaking Changes: Existing deployments using docker-compose.yml or docker run -p 80:80 continue to work without modification.
  • User Experience: Users don't need to change their habits or configurations.

Cons:

  • Dependencies: Requires installing libcap2-bin.
  • Security: Technically grants a small capability to the binary, though widely considered safe and standard practice for web servers.

Alternative Considered: Port 8080 (High Ports)

Proposal: Change standard Apache listener to Port 8080.

How:
Configure Apache to Listen on 8080 instead of 80.

Pros:

  • Pure Non-Root: No special Linux capabilities (setcap) required. The process is completely unprivileged standard application.
  • Simplicity: No need to install libcap2-bin.

Cons:

  • Breaking Change: This is a major breaking change for all existing users.
    • Current docker-compose.yml: 
      ports:
  - "80:80"  # BROKEN: Container no longer listens on 80
    • Required change: 
      ports:
  - "80:8080" # FIXED: Map host 80 to container 8080

@froozeify froozeify changed the title Rootless docker Docker image as non-root user Dec 18, 2025
@froozeify froozeify marked this pull request as ready for review December 18, 2025 12:52
@froozeify froozeify mentioned this pull request Dec 18, 2025
Open
@froozeify froozeify linked an issue Dec 18, 2025 that may be closed by this pull request
Got error chown: changing ownership of 'xxxx': Operation not permitted #234
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cedric-anne cedric-anne Awaiting requested review from cedric-anne

@AdrienClairembault AdrienClairembault Awaiting requested review from AdrienClairembault

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Got error chown: changing ownership of 'xxxx': Operation not permitted Docker image currently running as user root

2 participants

@froozeify