I have a basic question when running Composer in a Docker container. Is it OK to run `composer` as user `root` inside the container?

I am confused that the owner of the created files (for example when using `composer require`) is `root`.

Is it OK/best practice to run as `root` inside the container?
Using root inside the container is okay, because the container has a lot of dropped privileges. It can't access hardware or mount paths. It's essentially a non-privileged user.

Installing the application should definitely be done inside the container. The `Dockerfile` that builds the image has to install the application to begin with, and that occurs inside the container. If you're using a container to run a custom application (e.g. php7) that gets built with node and such, a build container that performs the installation is the correct way to isolate the application's update and install behavior from the host system.

Essentially nothing should run outside of a container when deploying an application with Docker. Any `cron` scripts should run `docker exec container script.sh` or similar to run periodic jobs inside the container, for example.

Generally, if the application requires root privileges to do something like update modules based on a configuration, I use `docker-compose` to establish a `build` container which does all of that as root and then exits. I use a `cap-drop` section for the actual application container to remove as many capabilities as possible.

Many applications require `setuid` or `setgid` to drop privileges—e.g. `nginx` requires these so it can change from `root` to `www-data:www-data`. `nginx` will fail if it comes up as user `www-data`. The application should drop those capabilities after making the change itself.
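The pattern the answer describes, written out as a Compose file. This is an added example, not code from the question, the answer or the Composer/Docker projects: a one-shot service runs `composer install` as root and exits, and the long-running service gets `cap_drop: ALL` with only the capabilities it needs to drop privileges itself added back. The image tags, the `./:/app` volume layout, uid/gid `33` (the `www-data` account in Debian-based images) and the exact capability list for nginx are assumptions for illustration; the `depends_on` `condition` form requires Compose v2.

```yaml
# docker-compose.yml (added example; image names, paths and uid 33 are assumptions)
services:

  # One-shot "build" container. It runs as root only long enough to install
  # dependencies into the shared project directory, fixes ownership so the
  # unprivileged application user can read the result, and then exits.
  # Nothing long-lived runs with these privileges.
  composer:
    image: composer:2
    working_dir: /app
    volumes:
      - ./:/app
    command: >
      sh -c "composer install --no-dev --no-interaction --prefer-dist
             && chown -R 33:33 /app/vendor"

  # Application container. The php-fpm master still starts as root so it can
  # switch its workers to www-data, which is why SETUID/SETGID are added back;
  # everything else is dropped. The project tree is mounted read-only.
  app:
    image: php:8-fpm
    working_dir: /app
    volumes:
      - ./:/app:ro
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
    security_opt:
      - no-new-privileges:true
    depends_on:
      composer:
        condition: service_completed_successfully   # wait for the install to finish

  # Front-end container. nginx starts as root, binds port 80, chowns its temp
  # directories and then switches workers to www-data; the four capabilities
  # below are the assumed minimum for that sequence. If the image's startup
  # logs show a permission error, that is the signal to add a capability
  # back, not to remove cap_drop.
  web:
    image: nginx:1.25
    ports:
      - "8080:80"
    volumes:
      - ./:/app:ro
    cap_drop:
      - ALL
    cap_add:
      - SETUID
      - SETGID
      - CHOWN
      - NET_BIND_SERVICE
    security_opt:
      - no-new-privileges:true
    depends_on:
      - app
```

Running `docker compose up` starts the `composer` service first, and `app` only starts once it has exited with status 0; `docker compose ps -a` will show the `composer` container as exited, which is the intended state. The ownership question from the original post is handled by the `chown` in the build step: files are created by root, but the long-running container never needs root to read them, and the `:ro` mount means it cannot write them at all.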