Docker: run as non-root #28849

Merged: 6 commits, Jan 3, 2025
24 changes: 21 additions & 3 deletions Dockerfile
@@ -1,5 +1,5 @@
# Builder
FROM --platform=$BUILDPLATFORM node:22-bullseye as builder
FROM --platform=$BUILDPLATFORM node:22-bullseye AS builder

# Support custom branch of the js-sdk. This also helps us build images of element-web develop.
ARG USE_CUSTOM_SDKS=false
@@ -24,8 +24,26 @@ FROM nginx:alpine-slim

COPY --from=builder /src/webapp /app

# Override default nginx config
COPY /nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
# Override default nginx config. Templates in `/etc/nginx/templates` are passed
# through `envsubst` by the nginx docker image entry point.
COPY /docker/nginx-templates/* /etc/nginx/templates/

# Override main nginx config, to make it suitable for use with non-root user
RUN sed -i \
-e '/user *nginx;/d' \
-e 's,/var/run/nginx.pid,/tmp/nginx.pid,' \
-e "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" \
/etc/nginx/nginx.conf

# nginx user must own the cache and etc directory to write cache and tweak the nginx config
RUN chown -R nginx:0 /var/cache/nginx /etc/nginx
RUN chmod -R g+w /var/cache/nginx /etc/nginx

RUN rm -rf /usr/share/nginx/html \
&& ln -s /app /usr/share/nginx/html

# Run as nginx user by default
USER nginx

# HTTP listen port
ENV ELEMENT_WEB_PORT=80
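Review bot: `chown -R nginx:0 /etc/nginx` followed by `chmod -R g+w /etc/nginx` (the two `RUN` lines after the `sed`) makes the whole configuration tree, including the freshly rewritten `nginx.conf`, writable by the account the server runs as, so a compromised worker could rewrite its own configuration; the stock entry point writes the rendered templates into `/etc/nginx/conf.d`, so scoping the ownership change to that directory (keeping `/var/cache/nginx`) would be enough, and folding the `chown` and `chmod` into one `RUN` avoids copying the tree into two image layers. The `nginx:0` group plus `g+w` is the right shape for runtimes that start containers with an arbitrary UID and GID 0, which is worth stating in the comment since that is the reason for group rather than owner permissions. Because the base image is alpine-slim, the multi-line `sed -e "/^http {/a ..."` edit runs under busybox sed; a `RUN nginx -t` right after it would turn a malformed `nginx.conf` into a build failure instead of a crash at container start.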
@@ -1,6 +1,6 @@
server {
listen 80;
listen [::]:80;
listen ${ELEMENT_WEB_PORT};
listen [::]:${ELEMENT_WEB_PORT};
server_name localhost;

root /usr/share/nginx/html;
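Review bot: `listen ${ELEMENT_WEB_PORT};` relies on the variable being set when the entry point runs `envsubst`; the `ENV ELEMENT_WEB_PORT=80` in the Dockerfile covers the default, but an explicitly empty value (`-e ELEMENT_WEB_PORT=`) renders `listen ;` and nginx refuses to start, and a value below 1024 still fails with a bind permission error on runtimes that do not let an unprivileged user bind low ports. Both failures surface only at container start, so consider documenting them next to the variable, and bear in mind that any other `${name}` in this template that matches an environment variable defined in the container will be substituted as well.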
16 changes: 16 additions & 0 deletions docs/install.md
@@ -60,6 +60,22 @@ would be:
docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
```

The Docker image is configured to run as an unprivileged (non-root) user by
default. This should be fine on modern Docker runtimes, but binding to port 80
on other runtimes may require root privileges. To resolve this, either run the
image as root (`docker run --user 0`) or, better, change the port that nginx
listens on via the `ELEMENT_WEB_PORT` environment variable.

The behaviour of the docker image can be customised via the following
environment variables:

- `ELEMENT_WEB_PORT`

The port to listen on (within the docker container) for HTTP
traffic. Defaults to `80`.

### Building the docker image

To build the image yourself:

```bash
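Review bot: the new paragraph offers `docker run --user 0` as one of two options without saying that it discards the hardening this PR adds, and "modern Docker runtimes" is vague: Docker Engine 20.10 and later let an unprivileged container user bind port 80 by setting `net.ipv4.ip_unprivileged_port_start=0` inside the container, while other runtimes (rootless Podman, for example) keep the host default of 1024. Suggest putting the `ELEMENT_WEB_PORT` route first with a concrete command, e.g. `docker run --rm -p 127.0.0.1:80:8080 -e ELEMENT_WEB_PORT=8080 -v /etc/element-web/config.json:/app/config.json vectorim/element-web`, and presenting `--user 0` as a last resort. The variable list could also note that the image's writable paths are group-writable by GID 0, so runtimes that assign an arbitrary non-root UID with GID 0 work without `--user 0`.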