
re: Best Practices When It Comes to Writing Docker Related Files

 

You might like to add some advice with respect to PoLP and the USER command here.

 

THIS. Always add a user and don't run your app as root!

 

Do you have a better explanation about running with a different user? I've been having a bad time trying to run a service with php-fpm + nginx.

A short tutorial on this:

Add a user:

RUN addgroup -g 1000 www \
    && adduser -D -u 1000 -G www www

In the FPM case you have to run the master process of FPM as root, but you can run the actual pool as a specific user (PHP will then have the permissions of that user) by adding these lines:

[www]
...
user = www
group = www
...

On nginx you have the same problem: the main process will run as root, but the actual server can be run as a different user by adding the following lines to the nginx.conf:

user www www;

BTW, one cool feature: the first user on Linux gets the ID and GID 1000 (at least on my Ubuntu machine). That's why I specify the ID and GID 1000 in the addgroup and adduser commands in the Dockerfile. This way you won't have any permission problems when mounting a folder on your machine into the Docker machine. Both Docker and the host have the same permissions on the volume :)

EDIT:

I guess there is a way to run nginx and fpm directly as a user; my guess is that you have to set specific permissions on the binaries so they have permission to allocate a port on the machine.
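An added example, not code from this thread: a small Python check that the three pieces of the tutorial above agree, i.e. the FPM pool and the nginx workers both drop to a non-root user that the Dockerfile actually creates. The sample Dockerfile, pool and nginx.conf strings are constructed, and all function names are hypothetical.

```python
import re

# Constructed samples that mirror the three snippets in the comment above.
DOCKERFILE = "FROM alpine\nRUN addgroup -g 1000 www \\\n    && adduser -D -u 1000 -G www www\n"
FPM_POOL = "[www]\nuser = www\ngroup = www\n"
NGINX_CONF = "user www www;\nevents {}\n"

def dockerfile_users(text):
    """Map user name -> uid for BusyBox-style `adduser -u UID ... NAME` in RUN lines."""
    users = {}
    for line in text.replace("\\\n", " ").splitlines():  # fold line continuations
        if line.upper().startswith("RUN "):
            for cmd in line[4:].split("&&"):
                tok = cmd.split()
                if tok and tok[0] == "adduser":
                    users[tok[-1]] = int(tok[tok.index("-u") + 1]) if "-u" in tok else None
    return users

def fpm_pool_users(text):
    """Map pool name -> configured `user` (None if the pool sets none)."""
    pools, pool = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in FPM config
        if line.startswith("[") and line.endswith("]"):
            pool = line[1:-1]
            pools[pool] = None
        elif pool and re.match(r"user\s*=", line):
            pools[pool] = line.split("=", 1)[1].strip()
    return pools

def nginx_worker_user(text):
    """Return the name in nginx's `user` directive, or None if it is absent."""
    m = re.search(r"^\s*user\s+([^\s;]+)", text, re.M)
    return m.group(1) if m else None

def audit(dockerfile, fpm_pool, nginx_conf):
    """Return findings; an empty list means every worker uses a created non-root user."""
    created = dockerfile_users(dockerfile)
    workers = {f"fpm pool [{p}]": u for p, u in fpm_pool_users(fpm_pool).items()}
    workers["nginx"] = nginx_worker_user(nginx_conf)
    findings = []
    for name, user in workers.items():
        if user is None:
            findings.append(f"{name}: no user set")
        elif user == "root" or created.get(user) == 0:
            findings.append(f"{name}: runs as root ({user})")
        elif user not in created:
            findings.append(f"{name}: user {user!r} is not created in the Dockerfile")
    return findings

if __name__ == "__main__":
    print(audit(DOCKERFILE, FPM_POOL, NGINX_CONF) or "ok: workers drop to a created non-root user")
```

A user that comes from the base image rather than from an `adduser` line is reported as "not created in the Dockerfile"; treat that finding as a prompt to confirm the account exists in the image.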

Thanks for the answer :D, it worked great for me on my deepin machine, but in the case that the user is gonna run it on a Windows machine or macOS machine? Is there a way to make this work cross-OS?
