phpdockernginxdocker-composefpm

Docker: NGINX and PHP: Why change the default user/group?


I started learning about Docker and setting up NGINX and PHP. I looked at some examples and saw the following example: https://github.com/aschmelyun/lc-the-docker-tutorial/blob/main/nginx.dockerfile

There are two dockerfiles, one for NGINX (nginx.dockerfile):

FROM nginx:stable-alpine

ENV NGINXUSER=laravel
ENV NGINXGROUP=laravel

RUN mkdir -p /var/www/html/public

ADD nginx/default.conf /etc/nginx/conf.d/default.conf

RUN sed -i "s/user www-data/user ${NGINXUSER}/g" /etc/nginx/nginx.conf

RUN adduser -g ${NGINXGROUP} -s /bin/sh -D ${NGINXUSER}

and one for PHP (php.dockerfile):

FROM php:8-fpm-alpine

ENV PHPGROUP=laravel
ENV PHPUSER=laravel

RUN adduser -g ${PHPGROUP} -s /bin/sh -D ${PHPUSER}

RUN sed -i "s/user = www-data/user = ${PHPUSER}/g" /usr/local/etc/php-fpm.d/www.conf
RUN sed -i "s/group = www-data/group = ${PHPGROUP}/g" /usr/local/etc/php-fpm.d/www.conf

RUN mkdir -p /var/www/html/public

RUN docker-php-ext-install pdo pdo_mysql

CMD ["php-fpm", "-y", "/usr/local/etc/php-fpm.conf", "-R"]

In both cases new user & group are created (user laravel assigned to the group laravel), and then using sed command config files are modified:


3 interrelated questions:

Question 1: Does this mean that NGINX and PHP (I guess just FPM, and CLI will not be there because it pulls php:8-fpm-alpine base image from Docker Hub which doesn't include CLI, right?) will run as the laravel user inside containers? (If yes, please also look at Question 3).

Question 2: Is there any practical reason to change the default user for NGINX and PHP-FPM, as in the examples above?

Question 3: In php.dockerfile at the end there's this command:

CMD ["php-fpm", "-y", "/usr/local/etc/php-fpm.conf", "-R"]

I searched on Stackoverflow what this -R means, and I found the following answer: https://stackoverflow.com/a/49178410/4437206 If I understand correctly, this means that PHP-FPM will run as root? If so, then it will not run as the laravel user we added and therefore, what's the point of adding the laravel user?


Solution

  • If you are going to run your images from an orchestrator (like kubernetes or openshift) running in unprivileged mode, you are not allowed to run processes as some user uids. The same applies for ports.

    Nginx's root process always needs to starts as a root user, while it spawns child processes as the user you have provided. That's why there are unprivileged nginx images that fixes that. Php-fpm doesn't work like that, it just starts as the user stated in the Dockerfile or stated by the orchestrator.

    And it's always a bad practice to run processes in your image as root, since the kernel of the host is available inside the container. If somebody get access to the shell of your running image, they will have access to the kernel and basically the entire host.

    The same applies for ports, every listener on ports 1 to 1000 need to be bound by root. All the other ports from 1001 to 65535 don't. That's why you often see nginx port configuration on port 8080 and 8443.

    To answer your last question, php-fpm -R is used to allow child processes to run as root, not to start as root.