Tuesday, January 28, 2020

Dockerfile Example of Linux NonRoot User for Apache Httpd

Requirement:

      In the enterprise world, there is a concern that we should not run docker images via root user unless there is an exception.
      When we install apache2 via yum, by default, it runs via root. The root user binds the privileged port like 80. We need to find a way to start httpd via nonroot to address concerns of security

Solution:

FROM oraclelinux:7-slim
RUN   yum -y --setopt=tsflags=nodocs update && \
           yum -y --setopt=tsflags=nodocs install httpd && \
          yum -y --setopt=tsflags=nodocs install mod_ssl && \
          yum clean all
EXPOSE 80
RUN ln -sf   /proc/self/fd/1 /var/log/httpd/error_log && \
         ln -sf   /proc/self/fd/1 /var/log/httpd/access_log
RUN groupadd www-data && useradd -g www-data www-data
RUN chmod 755 -R /etc/pki && chown -hR www-data:www-data /etc/httpd/ &&  chown -hR www-data:www-data /run/httpd/ && chown -hR www-data:www-data /var/www/ && chown -hR www-data:www-data /var/log/httpd/
#setcap to bind to privileged ports as non-root
RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/httpd &&  getcap /usr/sbin/httpd
ADD run-httpd.sh /run-httpd.sh
RUN chown www-data:www-data /run-httpd.sh
USER 1000
CMD ["/run-httpd.sh"]

run-httpd.sh :
#!/bin/bash
exec /usr/sbin/apachectl -DFOREGROUND
tail -f  /var/log/httpd/access_log

No comments:

Post a Comment