
Cron #436

Closed
IvayLoRD opened this issue Sep 25, 2024 · 6 comments
Assignees
Labels
🧐 Bug: Needs Confirmation Something isn't working, but needs to be confirmed by a team member.

Comments

@IvayLoRD

Steps To Reproduce

Just install it with `apt-get install cron -y` and try `service start cron` or something similar.

Outcome

After starting, I got `seteuid: Operation not permitted`.

I apologize for the silly question, but I would like to ask if you have any idea how to add cron to start as a process given that the user is www-data.

Affected Docker Images

php:8.1-fpm

Anything else?

No response

@IvayLoRD IvayLoRD added the 🧐 Bug: Needs Confirmation Something isn't working, but needs to be confirmed by a team member. label Sep 25, 2024
@jaydrogers
Member

I'd highly recommend taking a look at our docs, which show how we handle file permissions. Our containers are shipped unprivileged by default: https://serversideup.net/open-source/docker-php/docs/guide/understanding-file-permissions

You need to switch to root to do root things, then switch back for best security.

@jaydrogers jaydrogers closed this as not planned Won't fix, can't repro, duplicate, stale Sep 25, 2024
@IvayLoRD
Author

IvayLoRD commented Sep 25, 2024

I read your documentation, but in the context of Kubernetes and the following flags:

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
  runAsNonRoot: true
  runAsUser: 33
  runAsGroup: 33
  seccompProfile:
    type: RuntimeDefault
```

When starting the container locally, there are no issues, but as soon as it is launched in Kubernetes, the service does not want to start. I was hoping you might have some suggestions or ideas on how this can be done. And as you mentioned earlier, it’s good for them to be unprivileged and not have privilege escalation.
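For context on the error above: with `runAsUser: 33` and `capabilities.drop: ["ALL"]`, the container process holds no `CAP_SETUID`/`CAP_SETGID`, so a cron daemon that tries to `seteuid()` to the job's user fails, and `allowPrivilegeEscalation: false` (no_new_privs) also rules out regaining those rights through a setuid binary. One way to keep exactly this hardened posture and still run scheduled PHP work as www-data is to move the scheduling out of the container and into a Kubernetes `CronJob`, whose pod starts directly as uid 33 and therefore never needs to switch users. The manifest below is an added example, not code from this thread or from the docker-php project; the image tag `my-registry/my-php-app:1.0` is a placeholder, and the command assumes a Laravel `schedule:run` entry point (swap in whatever script your application uses, e.g. `php /var/www/html/cron.php`):

```yaml
# Added example (not from the thread or the docker-php project).
# Assumptions: image tag is a placeholder; the scheduled entry point is
# Laravel's "artisan schedule:run". Replace both for your own app.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: php-scheduler
spec:
  schedule: "* * * * *"            # every minute, like a crontab entry
  concurrencyPolicy: Forbid        # never overlap two runs of the scheduler
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          restartPolicy: Never
          # Pod-level settings: identical identity and seccomp posture
          # to the web pod, so the job runs as www-data from the start.
          securityContext:
            runAsNonRoot: true
            runAsUser: 33
            runAsGroup: 33
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: scheduler
              image: my-registry/my-php-app:1.0   # placeholder
              command: ["php", "/var/www/html/artisan", "schedule:run"]
              # Container-level settings: these two fields only exist here,
              # not in the pod securityContext.
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
```

Because the kubelet creates the job's process as uid 33 before PHP starts, there is no `seteuid()` call anywhere in the path, so the `Operation not permitted` failure cannot occur, and no cron daemon (or any setuid helper) needs to be installed in the image. The trade-off is that the schedule lives in the manifest rather than in a crontab inside the container; if the application defines its own schedule (as Laravel's scheduler does), one `* * * * *` job is enough and the application decides what actually runs each minute.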

@jaydrogers
Member

Someone has this PR opened, but I have to sit down and review it in detail yet: #393

Not sure if that will help?

I'm not a Kubernetes expert unfortunately, so I don't know the full implications of those flags.

@IvayLoRD
Author

The problem is that the allowPrivilegeEscalation flag does not allow you to switch users, for security reasons. Your image is very good, and we really like it. You have definitely done a great job, but there are many PHP applications that require cron, and this is the only thing we are looking for a solution to: how to add it and start the process as www-data.

@jaydrogers
Member

The best resource I can offer at this moment are the notes from a community member, which have yet to be reviewed: https://github.com/serversideup/docker-php/pull/393/files

It looks like they are getting Cron to work as an unprivileged user.

We've never used cron internally because we've always used a Laravel task scheduler: https://serversideup.net/open-source/docker-php/docs/laravel/laravel-task-scheduler#important-concepts

This helped us avoid doing too many things in a container and keeping the configuration within the application itself.

I understand this may not be the answer for all PHP apps, especially if you're not using Laravel. If that is the case, then I'd need to get a feature request with community excitement to build it out: #66

@IvayLoRD
Author

Thank you.
