Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docker: run as non-root #28849

Merged
merged 6 commits into from
Jan 3, 2025
Merged

Docker: run as non-root #28849

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4825916
Docker: allow configuration of HTTP listen port via env var
richvdh Jan 2, 2025
098477e
Update docs/install.md
richvdh Jan 2, 2025
75a9fe2
prettier
richvdh Jan 2, 2025
076f93d
Docker: run as non-root
richvdh Jan 2, 2025
a56aea6
Simplify sed incantation
richvdh Jan 3, 2025
ec28f57
Merge branch 'develop' into rav/docker/unprivileged
richvdh Jan 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 11 additions & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Builder
FROM --platform=$BUILDPLATFORM node:22-bullseye as builder
FROM --platform=$BUILDPLATFORM node:22-bullseye AS builder

# Support custom branch of the js-sdk. This also helps us build images of element-web develop.
ARG USE_CUSTOM_SDKS=false
Expand All @@ -25,8 +25,18 @@ COPY --from=builder /src/webapp /app
# through `envsubst` by the nginx docker image entry point.
COPY /docker/nginx-templates/* /etc/nginx/templates/

# Tell nginx to put its pidfile elsewhere, so it can run as non-root
RUN sed -i -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf

# nginx user must own the cache and etc directory to write cache and tweak the nginx config
RUN chown -R nginx:0 /var/cache/nginx /etc/nginx
RUN chmod -R g+w /var/cache/nginx /etc/nginx
Comment on lines +29 to +33
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than having to maintain two tmp file systems (/tmp and /var/cache), why not move both to the same place, e.g. /tmp?

(Sadly it seems impossible to prevent the creation of a PID file at all.)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, and by the way rather than modifying the config via a scary regexp you could just launch nginx via a parameter override:

nginx -g "pid /tmp/nginx.pid;"

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Contributions welcome!

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to contribute under terms of AGPL-3.0, but I won't sign CLAs.


RUN rm -rf /usr/share/nginx/html \
&& ln -s /app /usr/share/nginx/html

# Run as nginx user by default
USER nginx

# HTTP listen port
ENV ELEMENT_WEB_PORT=80
6 changes: 6 additions & 0 deletions docs/install.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,12 @@ would be:
docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
```

The Docker image is configured to run as an unprivileged (non-root) user by
default. This should be fine on modern Docker runtimes, but binding to port 80
on other runtimes may require root privileges. To resolve this, either run the
image as root (`docker run --user 0`) or, better, change the port that nginx
listens on via the `ELEMENT_WEB_PORT` environment variable.

The behaviour of the docker image can be customised via the following
environment variables:

Expand Down
Loading