rootless php

USA-RedDragon · USA-RedDragon · commit 0a75fdd38e29 · 2025-10-03T16:28:48.000-05:00
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,6 @@ ARG ALPINE_VERSION
 FROM composer:$COMPOSER_VERSION AS local-composer
 
 FROM php:$PHP_VERSION-fpm-alpine$ALPINE_VERSION AS base
-WORKDIR /app
 
 COPY --from=mlocati/php-extension-installer:2.8.5 /usr/bin/install-php-extensions /usr/bin/
 
@@ -36,7 +35,7 @@ RUN <<EOT
       -e 's/^;?(expose_php).*/\1 = Off/' \
       php.ini-production
   ln -s php.ini-production php.ini
-  mkdir -p /run/nginx
+  mkdir -p /run/nginx /var/lib/nginx/tmp /var/log/nginx
   sed -ri -e 's/#(tcp_nopush on;)/\1/' /etc/nginx/nginx.conf
   if [ -d /etc/nginx/http.d ]; then
     mv /etc/nginx/http.d /etc/nginx/conf.d
@@ -91,6 +90,22 @@ COPY rootfs/ /
 
 CMD ["s6-svscan", "/etc/services.d"]
 
+FROM base AS base-rootless
+
+RUN <<EOT
+  sed -ri \
+    -e 's/^;(user) = .*/\1 = www-data/' \
+    -e 's/^;(group) = .*/\1 = www-data/' \
+    "$PHP_INI_DIR"/php-fpm.d/www.conf
+  sed -i 's/^user .*;/user www-data;/' /etc/nginx/nginx.conf
+  chown -R www-data:www-data /run/nginx /var/lib/nginx /var/log/nginx
+EOT
+
+USER www-data:www-data
+WORKDIR /app
+
+CMD ["s6-svscan-rootless", "/etc/services.d"]
+
 FROM base AS onbuild
 
 ONBUILD ARG PHP_FPM_PM_MAX_CHILDREN
@@ -141,3 +156,16 @@ ONBUILD RUN <<EOT
     clevyr-build
   fi
 EOT
+
+FROM onbuild AS onbuild-rootless
+
+ONBUILD USER root
+
+ONBUILD RUN <<EOT
+  set -eux
+  if [ "${SKIP_BUILD:-}" != "true" ]; then
+    clevyr-build
+  fi
+EOT
+
+ONBUILD USER www-data:www-data
diff --git a/rootfs/etc/nginx/conf.d/default.conf.tpl b/rootfs/etc/nginx/conf.d/default.conf.tpl
@@ -1,6 +1,6 @@
 server {
-    listen 80;
-    listen [::]:80 default ipv6only=on;
+    listen 8080;
+    listen [::]:8080 default ipv6only=on;
 
     server_name _;
 
diff --git a/rootfs/usr/bin/s6-svscan-rootless b/rootfs/usr/bin/s6-svscan-rootless
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -euo pipefail
+
+# Wrapper to run s6-svscan from a writable directory
+# s6-svscan creates .s6-svscan in the service directory, so we need to copy services to /tmp
+
+SERVICE_DIR="$1"
+
+if [ -z "$SERVICE_DIR" ]; then
+    echo "Usage: $0 <service-directory>" >&2
+    exit 1
+fi
+
+# Create a unique directory in /tmp for our services
+TEMP_SERVICE_DIR="/tmp/s6-services-$$"
+mkdir -p "$TEMP_SERVICE_DIR"
+
+# Copy the service directory contents to /tmp
+cp -r "$SERVICE_DIR"/* "$TEMP_SERVICE_DIR/" 2>/dev/null || cp -r "$SERVICE_DIR"/. "$TEMP_SERVICE_DIR/"
+
+# Run s6-svscan against the copied services
+exec s6-svscan "$TEMP_SERVICE_DIR"
