docs: run as non-root in Docker containers

dunglas · Jan 29, 2024 · be08c1e · be08c1e
1 parent 62d5325
commit be08c1e
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 15 deletions.
diff --git a/docs/docker.md b/docs/docker.md
@@ -29,13 +29,11 @@ FROM dunglas/frankenphp
 
 # add additional extensions here:
 RUN install-php-extensions \
-    pdo_mysql \
-    gd \
-    intl \
-    zip \
-    opcache
-
-# ...
+	pdo_mysql \
+	gd \
+	intl \
+	zip \
+	opcache
 ```
 
 ## How to Install More Caddy Modules
@@ -53,13 +51,13 @@ COPY --from=caddy:builder /usr/bin/xcaddy /usr/bin/xcaddy
 # CGO must be enabled to build FrankenPHP
 ENV CGO_ENABLED=1 XCADDY_SETCAP=1 XCADDY_GO_BUILD_FLAGS="-ldflags '-w -s'"
 RUN xcaddy build \
-    --output /usr/local/bin/frankenphp \
-    --with github.com/dunglas/frankenphp=./ \
-    --with github.com/dunglas/frankenphp/caddy=./caddy/ \
-    # Mercure and Vulcain are included in the official build, but feel free to remove them
-    --with github.com/dunglas/mercure/caddy \
-    --with github.com/dunglas/vulcain/caddy
-    # Add extra Caddy modules here
+	--output /usr/local/bin/frankenphp \
+	--with github.com/dunglas/frankenphp=./ \
+	--with github.com/dunglas/frankenphp/caddy=./caddy/ \
+	# Mercure and Vulcain are included in the official build, but feel free to remove them
+	--with github.com/dunglas/mercure/caddy \
+	--with github.com/dunglas/vulcain/caddy
+	# Add extra Caddy modules here
 
 FROM dunglas/frankenphp AS runner
 
@@ -127,3 +125,22 @@ volumes:
   caddy_data:
   caddy_config:
 ```
+
+## Running as a Non-Root User
+
+FrankenPHP can run as non root user in Docker.
+
+Here is a sample `Dockerfile` doing this:
+
+```dockerfile
+FROM dunglas/frankenphp
+
+ARG USER=www-data
+USER ${USER}
+
+RUN adduser -D ${USER} \
+	# Caddy requires an additional capability to bind to port 80 and 443
+	setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/frankenphp
+	# Caddy requires write access to /data/caddy and /config/caddy
+	RUN chown -R ${USER}:${USER} /data/caddy && chown -R ${USER}:${USER} /config/caddy
+```
diff --git a/docs/production.md b/docs/production.md
@@ -70,7 +70,7 @@ To deploy your application in production, you need a server.
 In this tutorial, we will use a virtual machine provided by DigitalOcean, but any Linux server can work.
 If you already have a Linux server with Docker installed, you can skip straight to [the next section](#configuring-a-domain-name).
 
-Otherwise, use [this affiliate link](https://m.do.co/c/5d8aabe3ab80) to get $100 of free credit, create an account, then click on "Create a Droplet".
+Otherwise, use [this affiliate link](https://m.do.co/c/5d8aabe3ab80) to get $200 of free credit, create an account, then click on "Create a Droplet".
 Then, click on the "Marketplace" tab under the "Choose an image" section and search for the app named "Docker".
 This will provision an Ubuntu server with the latest versions of Docker and Docker Compose already installed!