draft: feat: Run as non-root by default to allow easier deployment on the restricted environments like OpenShift, Kubernetes and any corporate (or just secure) environments where root privileges are not allowed

.github/workflows/build.yml

@@ -99,13 +99,16 @@ jobs:
     - name: Spin up services
       run: docker-compose -f docker-compose.yml up -d
     - name: Wait 
-      run: sleep 60
+      run: sleep 70
     - name: Check status
       run: docker ps -a
     - name: Test
-      run: curl http://localhost:8080/ -L --fail -s | grep 'Sign in</button>' -q
+      run: curl http://localhost:8080/ -L --fail -vvv | grep 'Sign in</button>' -q
     - name: Test Email
       run: docker-compose exec -T humhub php /var/www/localhost/htdocs/protected/yii test/email '[email protected]' | grep 'Message successfully sent!' -q
+    - name: Collect logs
+      if: ${{ always() }}
+      run: docker-compose -f docker-compose.prod.yml logs
   test_prod:
     needs: build_variants
     runs-on: ubuntu-latest
@@ -140,13 +143,16 @@ jobs:
     - name: Spin up services
       run: docker-compose -f docker-compose.prod.yml up -d
     - name: Wait 
-      run: sleep 60
+      run: sleep 70
     - name: Check status
       run: docker ps -a
     - name: Test
-      run: curl http://localhost:8080/ -L --fail -s | grep 'Sign in</button>' -q
+      run: curl http://localhost:8080/ -L --fail -vvv | grep 'Sign in</button>' -q
     - name: Test Email
       run: docker-compose exec -T humhub php /var/www/localhost/htdocs/protected/yii test/email '[email protected]' | grep 'Message successfully sent!' -q
+    - name: Collect logs
+      if: ${{ always() }}
+      run: docker-compose -f docker-compose.prod.yml logs
   push_ghcr:
     needs: ["test_aio", "test_prod"]
     runs-on: ubuntu-latest

Dockerfile

@@ -59,7 +59,7 @@ ARG RUNTIME_DEPS="\
     php7-xmlwriter \
     php7-zip \
     sqlite \
-    supervisor \
+    multirun \
     tzdata \
     "
 
@@ -112,17 +112,15 @@ RUN apk add --no-cache --update $RUNTIME_DEPS && \
     apk add --no-cache --virtual temp_pkgs gettext && \
     cp /usr/bin/envsubst /usr/local/bin/envsubst && \
     apk del temp_pkgs && \
-    rm -rf /var/cache/apk/*
+    rm -rf /var/cache/apk/* && \
+    chmod +x /usr/bin/multirun
 
 ENV PHP_POST_MAX_SIZE=16M
 ENV PHP_UPLOAD_MAX_FILESIZE=10M
 ENV PHP_MAX_EXECUTION_TIME=60
 ENV PHP_MEMORY_LIMIT=1G
 ENV PHP_TIMEZONE=UTC
 
-RUN touch /var/run/supervisor.sock && \
-    chmod 777 /var/run/supervisor.sock
-
 # 100=nginx 101=nginx (group)
 COPY --from=builder --chown=100:101 /usr/src/humhub /var/www/localhost/htdocs/
 COPY --chown=100:101 humhub/ /var/www/localhost/htdocs/
@@ -132,23 +130,40 @@ RUN mkdir -p /usr/src/humhub/protected/config/ && \
     rm -f var/www/localhost/htdocs/protected/config/common.php /usr/src/humhub/protected/config/common.php && \
     echo "v${HUMHUB_VERSION}" >  /usr/src/humhub/.version
 
+# Non-root directories
+RUN mkdir -p /var/www/localhost/htdocs/protected/runtime/logs && \
+    mkdir -p /var/www/localhost/htdocs/uploads /var/www/localhost/htdocs/assets /var/www/localhost/htdocs/protected/modules /var/www/localhost/htdocs/themes /var/www/localhost/htdocs/protected/config && \
+    mkdir -p /run/nginx /run/php-fpm && \
+    touch /var/www/localhost/htdocs/protected/runtime/logs/app.log && \
+    chown 100:101 -R /var/www/localhost/htdocs/protected/runtime/logs /run/nginx /run/php-fpm \
+      /var/www/localhost/htdocs/uploads /var/www/localhost/htdocs/assets  \
+      /var/www/localhost/htdocs/protected/modules /var/www/localhost/htdocs/themes  \
+      /var/www/localhost/htdocs/protected/config
+
+
 COPY base/ /
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
 RUN chmod 600 /etc/crontabs/nginx && \
+    chown 100:101 /etc/crontabs/nginx && \
+    rm /etc/crontabs/root && \
     chmod +x /docker-entrypoint.sh
 
 VOLUME /var/www/localhost/htdocs/uploads
 VOLUME /var/www/localhost/htdocs/protected/config
 VOLUME /var/www/localhost/htdocs/protected/modules
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["supervisord", "-n", "-c", "/etc/supervisord.conf"]
 
+
+#+-----------
+# HumHub PHP
+#+-----------
 FROM base as humhub_phponly
 
 LABEL variant="phponly"
 
+USER root
 RUN apk add --no-cache fcgi
 
 COPY phponly/ /
@@ -159,7 +174,13 @@ RUN chmod +x /usr/local/bin/php-fpm-healthcheck \
  && adduser --uid 100 -g 101 -S nginx
 
 EXPOSE 9000
+USER nginx
+CMD ["multirun", "/usr/sbin/php-fpm7 --fpm-config /etc/php-fpm.d/pool.conf -O -F", "tail -f /var/www/localhost/htdocs/protected/runtime/logs/app.log", "crond -f -L /proc/self/fd/2"]
+
 
+#+-------------
+# HumHub NGINX
+#+-------------
 FROM docker.io/library/nginx:1.23.3-alpine as humhub_nginx
 
 LABEL variant="nginx"
@@ -168,16 +189,29 @@ ENV NGINX_CLIENT_MAX_BODY_SIZE=10m \
     NGINX_KEEPALIVE_TIMEOUT=65 \
     NGINX_UPSTREAM=humhub:9000
 
+USER root
 COPY nginx/ /
 COPY --from=builder --chown=nginx:nginx /usr/src/humhub/ /var/www/localhost/htdocs/
+RUN mkdir -p /var/cache/nginx /run/nginx && \
+    chown nginx:nginx -R /etc/nginx /var/cache/nginx /run/nginx
+
+USER nginx
 
+#+------------------
+# HumHub All-in-one
+#+------------------
 FROM base as humhub_allinone
 
 LABEL variant="allinone"
 
+USER root
 RUN apk add --no-cache nginx && \
-    chown -R nginx:nginx /var/lib/nginx/
+    mkdir -p /etc/nginx && \
+    chown -R nginx:nginx /var/lib/nginx/ /etc/nginx
 
 COPY nginx/ /
+RUN chown nginx:nginx -R /etc/nginx
 
 EXPOSE 80
+USER nginx
+CMD ["/usr/bin/multirun", "/usr/sbin/php-fpm7 --fpm-config /etc/php-fpm.d/pool.conf -O -F", "tail -f /var/www/localhost/htdocs/protected/runtime/logs/app.log", "crond -f -L /proc/self/fd/2", "/usr/sbin/nginx -g 'daemon off;'"]

README.md

@@ -6,6 +6,8 @@
 
 > :warning: **Image Removal**: We have purged all registries from End-Of-Life images (1.4,1.5,1.6,1.7,1.8). These images were not maintained anymore and contained major security flaws. To protect the public we removed them. If you really want to use these images, you have to build them from source.
 
+> :warning: **Default privileges change:** This container is no longer starting as root and then dropping the privileges. Supervisord (running previously as root) was changed to lighter alternative "multirun" that runs as "nginx" user directly. This change opens possibility to easily run on OpenShift and Kubernetes.
+
 [HumHub](https://github.com/humhub/humhub) is a feature rich and highly flexible OpenSource Social Network Kit written in PHP.
 This container provides a quick, flexible and lightweight way to set up a proof-of-concept for detailed evaluation.
 Using this in production is possible, but please note that there is currently no official support available for this kind of setup.

base/etc/php-fpm.d/listen.conf

@@ -1,3 +1,3 @@
-listen = /run/php-fpm.sock
+listen = /run/nginx/php-fpm.sock
 listen.owner = nginx
 listen.group = nginx

docker-entrypoint.sh

@@ -128,12 +128,6 @@ else
 	mkdir -p /var/www/localhost/htdocs/protected/runtime/logs/
 	touch /var/www/localhost/htdocs/protected/runtime/logs/app.log
 
-	echo >&3 "$0: Setting permissions..."
-	chown -R nginx:nginx /var/www/localhost/htdocs/uploads
-	chown -R nginx:nginx /var/www/localhost/htdocs/protected/modules
-	chown -R nginx:nginx /var/www/localhost/htdocs/protected/config
-	chown -R nginx:nginx /var/www/localhost/htdocs/protected/runtime
-
 	wait_for_db
 
 	echo >&3 "$0: Creating database..."
@@ -191,9 +185,6 @@ else
 			php yii 'settings/set' 'base' 'mailer.encryption' "${HUMHUB_MAILER_ENCRYPTION}"
 			php yii 'settings/set' 'base' 'mailer.allowSelfSignedCerts' "${HUMHUB_MAILER_ALLOW_SELF_SIGNED_CERTS}"
 		fi
-
-		chown -R nginx:nginx /var/www/localhost/htdocs/protected/runtime
-		chown nginx:nginx /var/www/localhost/htdocs/protected/config/dynamic.php
 	fi
 fi
 

nginx/docker-entrypoint.d/60-nginx-config.sh

@@ -2,7 +2,7 @@
 
 set -e
 
-export NGINX_UPSTREAM="${NGINX_UPSTREAM:-unix:/run/php-fpm.sock}"
+export NGINX_UPSTREAM="${NGINX_UPSTREAM:-unix:/run/nginx/php-fpm.sock}"
 export NGINX_CLIENT_MAX_BODY_SIZE="${NGINX_CLIENT_MAX_BODY_SIZE:-10m}"
 export NGINX_KEEPALIVE_TIMEOUT="${NGINX_KEEPALIVE_TIMEOUT:-65}"
 

nginx/etc/nginx/nginx.conf

@@ -5,7 +5,7 @@ worker_processes  1;
 error_log  /dev/stderr  notice;
 #error_log  logs/error.log  info;
 
-pid        /run/nginx.pid;
+pid        /run/nginx/nginx.pid;
 
 
 events {