
Root user inside Composer container

I have a basic question about running Composer in a Docker container.

Is it OK to run Composer as user root inside the container? I am confused that the owner of the created files (for example when using composer require) is root.

Is running as root inside the container OK as a best practice?

serghei asked Mar 08 '16 16:03




1 Answer

Using root inside the container is okay, because the container has a lot of dropped privileges. It can't access hardware or mount paths. It's essentially a non-privileged user.

Installing the application should definitely be done inside the container. The Dockerfile that builds the image has to install the application to begin with, and that occurs inside the container. If you're using a container to run a custom application (e.g. php7) that gets built with node and such, a build container that performs the installation is the correct way to isolate the application's update and install behavior from the host system.

Essentially nothing should run outside of a container when deploying an application with Docker. Any cron scripts should run a docker exec container script.sh or similar to run periodic jobs inside the container, for example.

Generally, if the application requires root privileges to do something like update modules based on a configuration, I use docker-compose to establish a build container which does all of that as root and then exits. I use a cap-drop section for the actual application container to remove as many capabilities as possible.

Many applications require setuid or setgid to drop privileges—e.g. nginx requires these so it can change from root to www-data:www-data. nginx will fail if it comes up as user www-data. The application should drop those capabilities after making the change itself.

John Moser answered Sep 27 '22 21:09
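
The layout described in the answer above (a one-shot build container that runs as root and exits, plus an application container with capabilities dropped), sketched as a docker-compose file. This is an added example, not part of the original answer; the service names, image tags, paths, port mapping and the exact cap_add list are assumptions to adjust for the actual application.

```yaml
# Added example (constructed). Service names, images, paths and ports are assumptions.
services:
  # One-shot build container: runs Composer as root inside the container, then exits.
  # Files it writes to the bind mount are owned by root on the host, which is the
  # ownership the question observes.
  build:
    image: composer:2
    working_dir: /app
    volumes:
      - ./src:/app
    command: ["composer", "install", "--no-dev", "--no-interaction"]
    restart: "no"

  # Long-running application container. It starts only after the build
  # container has finished successfully.
  web:
    image: nginx:stable
    depends_on:
      build:
        condition: service_completed_successfully
    volumes:
      # Read-only: the running application cannot modify the installed code.
      - ./src:/usr/share/nginx/html:ro
    ports:
      - "8080:80"
    # Remove every capability, then add back only what nginx needs to start
    # as root and switch its workers to an unprivileged user.
    cap_drop:
      - ALL
    cap_add:
      - SETUID            # change user id when dropping from root
      - SETGID            # change group id when dropping from root
      - CHOWN             # assumption: the image chowns its cache directories at startup
      - NET_BIND_SERVICE  # assumption: nginx listens on port 80 inside the container
```

To confirm what the running container was actually granted, `docker inspect` shows the effective lists under HostConfig.CapDrop and HostConfig.CapAdd.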