Comments (11)
At the startup, you can always do stuff like
FROM php:7.0-apache
ENV PORT 80
ENTRYPOINT []
CMD sed -i "s/80/$PORT/g" /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf && docker-php-entrypoint apache2-foreground
Something like that will work: docker run -d -p 5000:5000 -e PORT=5000 'my_image'
Given both the solutions in this thread, and the solution in moby/moby#8460 (comment), I believe this is now a non-issue, and as such I'm going to close. I have personally used --sysctl net.ipv4.ip_unprivileged_port_start=0 to successfully run this image as-is without any modifications as a non-root user:
$ docker run -it --rm --user 1000:1000 --sysctl net.ipv4.ip_unprivileged_port_start=0 --tmpfs /run:uid=1000 php:7.2-apache
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.19. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.19. Set the 'ServerName' directive globally to suppress this message
[Fri Dec 22 21:00:37.781952 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.0 configured -- resuming normal operations
[Fri Dec 22 21:00:37.781974 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
Restricted ports isn't the only reason to want this. For example, running in Google Cloud Run requires that you listen on a port specified in an environment variable; you don't get to choose your own port.
The sed idea isn't going to pass anyone's code review - it's far too likely to break mysteriously on an update.
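The objection above is that `s/80/$PORT/g` rewrites every `80` in both files. As an added example (not code from this thread or from the image), the script below validates `PORT` and rewrites only the `Listen 80` and `<VirtualHost *:80>` directives, failing when they are not found; the function names and sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. The file contents in demo() are
# constructed samples modelled on Debian's default Apache layout.

# Succeeds only for a decimal integer 1..65535 with no leading zero.
valid_port() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# rewrite FILE ERE REPLACEMENT: return 2 unless ERE matches, so a changed
# upstream layout stops the container instead of being silently ignored.
rewrite() {
    grep -Eq "$2" "$1" || { echo "no match for $2 in $1" >&2; return 2; }
    sed -E "s/$2/$3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_apache_port PORT PORTS_CONF VHOST_CONF
# Touches only the two directives that carry the listening port.
set_apache_port() {
    valid_port "$1" || { echo "invalid PORT: '$1'" >&2; return 1; }
    rewrite "$2" '^([[:space:]]*Listen[[:space:]]+)80[[:space:]]*$' "\\1$1" &&
    rewrite "$3" '^([[:space:]]*<VirtualHost[[:space:]]+\*:)80>' "\\1$1>"
}

# Demo on constructed files: "Timeout 80" and the backend port 8080 must
# survive, which the blanket s/80/$PORT/g substitution would not allow.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Listen 80\n<IfModule ssl_module>\n\tListen 443\n</IfModule>\n' > "$d/ports.conf"
    printf '<VirtualHost *:80>\n\tProxyPass / http://app:8080/\n\tTimeout 80\n</VirtualHost>\n' > "$d/vhost.conf"
    set_apache_port 5000 "$d/ports.conf" "$d/vhost.conf" &&
        cat "$d/ports.conf" "$d/vhost.conf"
    rm -rf "$d"
}
demo
```
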
IMO it's worth pointing out that Docker now supports using user namespaces to remap your container root user to another non-root user on the host, which should make this essentially a non-issue.
For further configuration modification of this variety, I think our best (most maintainable) solution is going to be to have users provide custom configuration for custom requirements.
Making that change will break things for all existing users of this image. The security situation for Apache dropping privileges from root is pretty well understood, so I'm not sure that the benefits outweigh the breakage for existing users, particularly since there is no good way to communicate the change to users.
@md5 You can run a container and docker top it, you'll see a root process running.
Even if you want to keep compatibility, how about the php-fpm image? This image also runs a root process but it never exposes a privileged port.
@xuhdev Indeed. It's also true that if you use lsof or the equivalent on the processes inside that container, you'll see that the root owned process is the one that has port 80 bound.
@xuhdev You might also be interested in this discussion around the logstash image and allowing non-root to bind "privileged" ports: docker-library/logstash#14
In that case, setcap on the java binary is being proposed to allow non-root to bind the syslog port 514.
Also a related issue in Docker moby/moby#8460
Seeing as the latest best practice from Docker (https://www.youtube.com/watch?v=LmUw2H6JgJo) is to not use a restricted port: Here is what I've done locally #190
It does require users to add the -p 80:8080 or -p 443:8443 but seems like the shortest path to get the container updated. Documentation would look like deekthesqueak/docs@be93e6c
ENV PORT 80
ENTRYPOINT []
CMD sed -i "s/80/$PORT/g" /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf && docker-php-entrypoint apache2-foreground
ERROR [stage-0 13/14] COPY cloud-run-entrypoint.sh /usr/local/bin/