Docker Community Forums

Moving/Copying the WORKDIR of base image in child image - Dockerfile


(Farhanraza15) #1

Hi -

I am extending the base httpd 2.4 image (https://github.com/docker-library/httpd/blob/b814ed0f036c6084d67ce5d996b4648a9bda6275/2.4/Dockerfile) in my project.

The installation/workdir for apache2 is getting created inside as /usr/local/apache2.

I want to move this location to e.g. /myappusers/usr/local/apache2. Is this a valid approach?

As part of our security implementation we have to run all containers as non-root, and we are trying to move all dirs/files under the same user.

We can also give R/W permission to the same user on the existing WORKDIR, but we would like to have a consistent approach.

This is my current Dockerfile:

FROM httpd:2.4

RUN apt-get update \
 && apt-get install -y wget \
 && rm -rf /var/lib/apt/lists/*

COPY httpd.conf /usr/local/apache2/conf/httpd.conf
COPY httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf

Trying something like this:

ADD /usr/local/apache2 /$MYAPP_USER
RUN chown -R $MYAPP_USER /$MYAPP_USER

Please suggest.

Thanks


(David Maze) #2

IMHO, not worth the trouble. Since every Docker container has an isolated filesystem it tends to be easier to just use the default system directories for things.

If you’re planning to move the entire /usr/local/apache2 tree then you’d probably have to recompile the server, which is a pretty big endeavor, and it seems like you’re drawing an artificial distinction between services installed via OS package managers and things installed from source.

“Run containers as non-root” is generally considered a best practice. There are layers to this, though. It’s probably a good idea to have the server process itself owned by root and not writeable by the user actually running it; in a setup where the config files will probably be injected from outside or built into the container, a similar setup there makes sense. Blindly making all of /usr/local/apache2 owned by some non-root user is probably not a huge improvement in your overall security posture.
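The layering described in the reply above, as an added example that is not part of either poster's message or of the httpd image project: the tree stays at /usr/local/apache2 and stays root-owned, and only logs/ is handed to the runtime user. It assumes the Debian `www-data` account as that user, and that the copied httpd.conf and httpd-ssl.conf listen on the unprivileged ports 8080 and 8443 and keep the PidFile under logs/.

```dockerfile
FROM httpd:2.4

RUN apt-get update \
 && apt-get install -y wget \
 && rm -rf /var/lib/apt/lists/*

# COPY without --chown leaves both files owned by root, so the runtime
# user can read the configuration but cannot rewrite it.
COPY httpd.conf /usr/local/apache2/conf/httpd.conf
COPY httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf

# Assumption: httpd.conf keeps the PidFile and other runtime files under
# logs/, so that is the only directory handed to the runtime user. The top
# of the tree is set to root so conf/ and bin/ cannot be renamed or replaced.
RUN mkdir -p /usr/local/apache2/logs \
 && chown root:root /usr/local/apache2 \
 && chown -R www-data:www-data /usr/local/apache2/logs

# Build-time check: fail the build if any binary, module or config file is
# owned by www-data or is world-writable (symlinks are skipped because
# their mode is always 777).
RUN test -z "$(find /usr/local/apache2/bin /usr/local/apache2/modules /usr/local/apache2/conf \
      ! -type l \( -user www-data -o -perm -0002 \) -print)"

# Assumption: httpd.conf says "Listen 8080" and httpd-ssl.conf "Listen 8443".
# httpd never runs as root in this image, so a TLS private key mounted at
# run time must be readable by www-data and by nobody else.
EXPOSE 8080 8443
USER www-data
```

A quick check after building is `docker run --rm <image> id`, which should report the `www-data` uid rather than 0.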


(Farhanraza15) #3

Thanks for the reply David!

All our containers are running as non-root now, and we are facing issues with some of these, like Apache HTTP etc. Is it advisable to build our own Apache HTTP image using a Debian base image?

This way we would have more control over it and can achieve what we want.