Docker: run as non-root (#28849)

* Docker: allow configuration of HTTP listen port via env var * Update docs/install.md Co-authored-by: Michael Telatynski <7t3chguy@gmail.com> * prettier * Docker: run as non-root * Simplify sed incantation --------- Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>
2025-01-03 22:54:52 +00:00
parent cf49f9e22c
commit 3fb10baedf
2 changed files with 17 additions and 1 deletions
--- a/12
+++ b/12
@@ -1,5 +1,5 @@
 # Builder
-FROM --platform=$BUILDPLATFORM node:22-bullseye as builder
+FROM --platform=$BUILDPLATFORM node:22-bullseye AS builder

 # Support custom branch of the js-sdk. This also helps us build images of element-web develop.
 ARG USE_CUSTOM_SDKS=false
@@ -25,8 +25,18 @@ COPY --from=builder /src/webapp /app
 # through `envsubst` by the nginx docker image entry point.
 COPY /docker/nginx-templates/* /etc/nginx/templates/

+# Tell nginx to put its pidfile elsewhere, so it can run as non-root
+RUN sed -i -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf
+
+# nginx user must own the cache and etc directory to write cache and tweak the nginx config
+RUN chown -R nginx:0 /var/cache/nginx /etc/nginx
+RUN chmod -R g+w /var/cache/nginx /etc/nginx
+
 RUN rm -rf /usr/share/nginx/html \
  && ln -s /app /usr/share/nginx/html

+# Run as nginx user by default
+USER nginx
+
 # HTTP listen port
 ENV ELEMENT_WEB_PORT=80