From 659806c6d06edfe08163243fc0ac9bfc7ca0fa81 Mon Sep 17 00:00:00 2001
From: Tim de Pater
Date: Sat, 26 Jan 2019 13:54:53 +0100
Subject: [PATCH] Run the services in the container as non-privileged user
---
 Dockerfile | 29 +++++++++++++++++++++++------
 README.md | 28 ++++++++++++++++++++++------
 config/fpm-pool.conf | 16 ++++++++++++++--
 config/nginx.conf | 5 +++--
 config/supervisord.conf | 3 +++
 5 files changed, 65 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ce53c92..8ba24f5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,18 +11,35 @@ RUN apk --no-cache add php7 php7-fpm php7-mysqli php7-json php7-openssl php7-cur
 COPY config/nginx.conf /etc/nginx/nginx.conf
 # Configure PHP-FPM
-COPY config/fpm-pool.conf /etc/php7/php-fpm.d/zzz_custom.conf
+COPY config/fpm-pool.conf /etc/php7/php-fpm.d/www.conf
 COPY config/php.ini /etc/php7/conf.d/zzz_custom.ini
 # Configure supervisord
 COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-# Add application
-RUN mkdir -p /var/www/html
-WORKDIR /var/www/html
-COPY src/ /var/www/html/
+# Make sure files/folders needed by the processes are accessable when they run under the nobody user
+RUN touch /run/nginx.pid && \
+ touch /run/supervisord.pid && \
+ chown -R nobody.nobody /run/nginx.pid && \
+ chown -R nobody.nobody /run/supervisord.pid && \
+ chown -R nobody.nobody /var/tmp/nginx && \
+ chown -R nobody.nobody /var/lib/nginx/logs
-EXPOSE 80
+# Setup document root
+RUN mkdir -p /var/www/html
+
+# Switch to use a non-root user from here on
+USER nobody
+
+# Add application
+WORKDIR /var/www/html
+COPY --chown=nobody src/ /var/www/html/
+
+# Expose the port nginx is reachable on
+EXPOSE 8080
+
+# Let supervisord start nginx & php-fpm
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+# Configure a healthcheck to validate that everything is up&running
 HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1/fpm-ping
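Review bot: The HEALTHCHECK kept as context on the hunk's last line still probes `http://127.0.0.1/fpm-ping`, i.e. port 80, while the new side moves nginx to 8080 (`EXPOSE 8080` here and the `listen 8080` lines in the config/nginx.conf hunk), so the probe will be refused and Docker will report the container unhealthy; it should become `HEALTHCHECK --timeout=10s CMD curl --silent --fail http://127.0.0.1:8080/fpm-ping`. A second point is that `nobody` is a shared system account rather than one dedicated to this image, so anything else that later runs as `nobody` inside the container inherits the same rights over the pid files and the nginx tmp/log directories chowned in the `RUN` step; a user created for the purpose in that same step would keep the boundary to this workload. The comment introducing that step also misspells "accessible".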
diff --git a/README.md b/README.md
index e1cd9f2..82d8667 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,31 @@
-Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
-==============================================
+# Docker PHP-FPM 7.2 & Nginx 1.14 on Alpine Linux
 Example PHP-FPM 7.2 & Nginx 1.14 setup for Docker, build on [Alpine Linux](http://www.alpinelinux.org/).
 The image is only +/- 35MB large.
+* Built on the lightweight and secure Alpine Linux distribution
+* Very small Docker image size (+/-35MB)
+* Uses PHP 7.2 for better performance, lower cpu usage & memory footprint
+* Optimized for 100 concurrent users
+* Optimized to only use resources when there's traffic (by using PHP-FPM's ondemand PM)
+* The servers Nginx, PHP-FPM and supervisord run under a non-privileged user (nobody) to make it more secure
+* The logs of all the services are redirected to the output of the Docker container (visible with `docker logs -f `)
+
+
 [![Docker Pulls](https://img.shields.io/docker/pulls/trafex/alpine-nginx-php7.svg)](https://hub.docker.com/r/trafex/alpine-nginx-php7/)
-Usage
------
-Start the Docker containers:
+### Breaking changes (26/01/2019)
- docker run -p 80:80 trafex/alpine-nginx-php7
+Please note that the new builds since 26/01/2019 are exposing a different port to access Nginx.
+To be able to run Nginx as a non-privileged user, the port it's running on needed
+to change to a non-privileged port (above 1024).
+
+The last build of the old version that exposed port 80 was `trafex/alpine-nginx-php7:ba1dd422`
+
+## Usage
+
+Start the Docker container:
+
+ docker run -p 80:8080 trafex/alpine-nginx-php7
 See the PHP info on http://localhost, or the static html page on http://localhost/test.html
diff --git a/config/fpm-pool.conf b/config/fpm-pool.conf
index 67cd711..b5504c4 100644
--- a/config/fpm-pool.conf
+++ b/config/fpm-pool.conf
@@ -3,6 +3,18 @@ error_log = /dev/stderr
 [www]
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
+; a specific port;
+; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses
+; (IPv6 and IPv4-mapped) on a specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = 127.0.0.1:9000
+
 ; Enable status page
 pm.status_path = /fpm-status
@@ -18,7 +30,7 @@ pm = ondemand
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
-pm.max_children = 50
+pm.max_children = 100
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
@@ -29,7 +41,7 @@ pm.process_idle_timeout = 10s;
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
-pm.max_requests = 500
+pm.max_requests = 1000
 ; Make sure the FPM workers can reach the environment variables for configuration
 clear_env = no
diff --git a/config/nginx.conf b/config/nginx.conf
index 7c6bad6..107d202 100644
--- a/config/nginx.conf
+++ b/config/nginx.conf
@@ -1,4 +1,5 @@
 worker_processes 1;
+error_log stderr warn;
 pid /run/nginx.pid;
 events {
@@ -20,8 +21,8 @@ http {
 keepalive_timeout 65;
 server {
- listen [::]:80 default_server;
- listen 80 default_server;
+ listen [::]:8080 default_server;
+ listen 8080 default_server;
 server_name _;
 sendfile off;
diff --git a/config/supervisord.conf b/config/supervisord.conf
index 6801c89..edd5207 100644
--- a/config/supervisord.conf
+++ b/config/supervisord.conf
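Review bot: The new `listen = 127.0.0.1:9000` line is only needed because the Dockerfile hunk now installs this file as `www.conf`, replacing the distro pool file instead of layering on top of it as `zzz_custom.conf` did, so every pool setting not present here now falls back to php-fpm's built-in defaults; the hunk says nothing about that and instead copies ten lines of the stock `listen` syntax description. A one-line comment such as `; this file replaces the stock www.conf, so listen (and any other pool setting relied on) must be set explicitly here` would carry the actual reason. Whether the rest of the file sets `user`/`group` is outside the hunk; php-fpm is expected to ignore them when started unprivileged, as it now is, but to refuse to start without them when the master runs as root, so a note on that would spare anyone who later starts the image with `--user root` — worth confirming against the php-fpm version in the image.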
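Review bot: `pm.max_children = 100` doubles the worker ceiling without recording the memory budget behind it; with `pm = ondemand` (hunk header) all 100 children can be alive under load, so the worst case is 100 times the per-process memory limit from php.ini, which is not in view. A comment such as `; 100 matches the "100 concurrent users" target in README.md; size the container for memory_limit x 100` would keep the two files in step. The same lack of rationale applies to `pm.max_requests = 1000` in the following hunk of this file, which halves how often a worker is recycled and deserves a word on why.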
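Review bot: The two `listen ... 8080` lines in the config/nginx.conf hunk give no hint that 80 is no longer possible, so a later edit could move them back and break the image now that nginx starts under `USER nobody` (Dockerfile hunk), since an unprivileged process cannot bind a port below 1024. A comment above the first of them, `# nginx runs as nobody, so only an unprivileged port (>1024) can be bound`, would keep that constraint next to the value. The enclosing `server` block starts and ends outside the hunk.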
@@ -1,5 +1,8 @@
 [supervisord]
 nodaemon=true
+logfile=/dev/null
+logfile_maxbytes=0
+pidfile=/run/supervisord.pid
 [program:php-fpm]
 command=php-fpm7 -F
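Review bot: The added `pidfile=/run/supervisord.pid` works only because the Dockerfile hunk pre-creates that file and chowns it to `nobody`; nothing here records the dependency, so `; /run/supervisord.pid is pre-created and chowned to nobody in the Dockerfile` above the line would explain the otherwise odd choice of a pidfile for a foreground process. `logfile=/dev/null` together with `logfile_maxbytes=0` discards supervisord's own activity log (rotation has to be disabled for a device file), presumably because `nodaemon=true` already sends those messages to the container's stdout — worth confirming and stating in a comment so the pair is not mistaken for lost logging. The `[program:php-fpm]` section continues outside the hunk.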