Requirement:
In the enterprise world there is a concern that we should not run Docker containers as the root user unless there is an approved exception.
When we install apache2 (the httpd package) via yum, by default it runs as root, because root is what binds a privileged port such as 80. We need to find a way to start httpd as a non-root user to address this security concern.
Solution:
Dockerfile :

FROM oraclelinux:7-slim
RUN yum -y --setopt=tsflags=nodocs update && \
    yum -y --setopt=tsflags=nodocs install httpd && \
    yum -y --setopt=tsflags=nodocs install mod_ssl && \
    yum clean all
# mod_ssl's default ssl.conf also listens on 443
EXPOSE 80 443
# send httpd's access and error logs to the container's stdout
RUN ln -sf /proc/self/fd/1 /var/log/httpd/error_log && \
    ln -sf /proc/self/fd/1 /var/log/httpd/access_log
# fixed uid so that "USER 1000" below always means www-data
RUN groupadd www-data && useradd -u 1000 -g www-data www-data
# give www-data the directories httpd writes to or reads at start-up.
# Note: chmod 755 -R /etc/pki also makes /etc/pki/tls/private world-readable;
# chown only the certificate and key files httpd actually needs instead.
RUN chmod 755 -R /etc/pki && chown -hR www-data:www-data /etc/httpd/ && chown -hR www-data:www-data /run/httpd/ && chown -hR www-data:www-data /var/www/ && chown -hR www-data:www-data /var/log/httpd/
# setcap to bind to privileged ports as non-root; getcap prints the result at build time
RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/httpd && getcap /usr/sbin/httpd
ADD run-httpd.sh /run-httpd.sh
# make sure the entrypoint script is executable by www-data
RUN chown www-data:www-data /run-httpd.sh && chmod 755 /run-httpd.sh
USER 1000
CMD ["/run-httpd.sh"]

run-httpd.sh :

#!/bin/bash
# exec replaces this shell with httpd, so httpd receives the container's signals
exec /usr/sbin/apachectl -DFOREGROUND
# Unreachable after exec. The log symlinks in the Dockerfile already send
# access_log and error_log to stdout, so no tail is needed:
# tail -f /var/log/httpd/access_log
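To check the two things this post solves for (no root user in the image, and a privileged port only when cap_net_bind_service is granted) across many Dockerfiles, here is an added example that is not part of the original post: a small POSIX shell policy check. The function names (last_user, check_dockerfile) and the constructed sample Dockerfile are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a policy check for the
# "no root in containers" requirement. It reads a Dockerfile and reports
# whether the final USER is non-root and, when a privileged port (<1024)
# is EXPOSEd, whether the image grants cap_net_bind_service via setcap.
# check_dockerfile/last_user and the sample Dockerfile are assumptions.

# Print the user from the last USER directive (empty if there is none).
last_user() {
    awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$1"
}

# Return 0 if the Dockerfile passes the policy, 1 otherwise.
check_dockerfile() {
    f=$1
    rc=0
    u=$(last_user "$f")
    case "$u" in
        ""|root|0|root:*|0:*) echo "FAIL: final USER is root or missing"; rc=1 ;;
        *) echo "OK: final USER is $u" ;;
    esac
    # Ports below 1024 need cap_net_bind_service once httpd is not root.
    priv=$(awk 'toupper($1) == "EXPOSE" { for (i = 2; i <= NF; i++) {
                 split($i, a, "/"); if (a[1] + 0 < 1024) printf "%s ", a[1] } }' "$f")
    if [ -n "$priv" ]; then
        if grep -Eq 'setcap[[:space:]].*cap_net_bind_service' "$f"; then
            echo "OK: privileged port(s) ${priv}granted via cap_net_bind_service"
        else
            echo "FAIL: privileged port(s) ${priv}exposed without cap_net_bind_service"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample (assumption) modelled on the Dockerfile above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM oraclelinux:7-slim
EXPOSE 80 443
RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/httpd && getcap /usr/sbin/httpd
USER 1000
EOF
check_dockerfile "$sample"
rm -f "$sample"
```

Run it against each Dockerfile in a build pipeline; a non-zero exit marks an image that would run as root or bind a privileged port without the capability.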