Allow building sail to run PHP as root #677
Conversation
This commit is a proof-of-concept to kickstart the PR and should not be merged as-is.
Well done and thank you @vmsh0. Your explanation and PoC were helpful to me.
This PR contains the following updates:

| Package | Change |
|---|---|
| [laravel/sail](https://togithub.com/laravel/sail) | `1.28.2` -> `1.29.0` |

Release Notes: laravel/sail [v1.29.0](https://togithub.com/laravel/sail/blob/HEAD/CHANGELOG.md#v1290---2024-03-08) ([Compare Source](https://togithub.com/laravel/sail/compare/v1.28.2...v1.29.0))

- Allow building sail to run PHP as root by [@vmsh0](https://togithub.com/vmsh0) in https://github.com/laravel/sail/pull/677
- Update MAILER config to use mailpit on L11 by [@SamuelMwangiW](https://togithub.com/SamuelMwangiW) in https://github.com/laravel/sail/pull/678

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/).
Thank you for merging this, I'm glad to see it's useful to people. Please, help me with the next steps to improve this:
Some documentation would be very helpful. I spent several hours today trying to sort out this exact issue, trawling through hundreds of forum and blog posts to try to fix it.

Steps to fix

Add:

```yaml
services:
  laravel.test:
    environment:
      SUPERVISOR_PHP_USER: root
```

Rebuild the containers:

```sh
sail down
sail build --no-cache
sail up -d
```
I agree -- that's why I was asking for guidance to update the documentation. I currently do not have much free time to work on this, but perhaps you could try to contribute a PR yourself :)
Hi,
Today, I tried running Sail in a rootless Podman container, and the experience was less-than-ideal. You might better recognize the class of issues as being similar to Docker Desktop - this would be precisely right: it's the same all over again.
The reason boils down to the following: the image, as it is laid out currently, has its entrypoint running as root, and its main functionality (i.e. php) running as the sail user. This means that root inside the container is the host user I'm using to run the container, and sail is some random UID.
Some relevant supporting documentation and references to previous issues:
The proposed proof-of-concept patch simply allows setting the `$SUPERVISOR_PHP_USER` env variable to run PHP in the container as root. Users should be instructed about this by the "getting started" documentation, to avoid spending an evening figuring it out (or not) like I just did.

In my opinion this is the only valid long-term solution for rootless containers, as:
- `sail` in the sail container) have an effective ("host") UID that will not in any case be able to access /var/www/html (i.e. the user's project files), regardless of the value of `--userns`, if the files themselves are not chowned to this unprivileged user by either Podman (U flag for bind mounts) or something running on the host. This is because root in the container is mapped to the user launching the container, and all other uids in the container are mapped to random junk host uids (usually >100000). It's simple to test this: open a root shell in a Sail container, and run `touch /var/www/html/example && chown sail:sail /var/www/html/example`; go on that directory outside the container, the UID will be some junk number. You can also run `cat /proc/self/uid_map` inside the container to see the mapping.
- This will effectively make PHP have the permissions and capabilities of the launching user, which imho is the standard expectation for a dev environment. Furthermore, in a world where people don't just go around launching containers as root, this would also be a sensible default setting, but since the real world is the insurmountable single point of truth I won't advocate for that.
So, to recap:
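The UID translation the description above relies on, as an added illustration that is not part of the PR or of Sail's own code: it parses a `/proc/self/uid_map` table and shows that container root maps back to the launching host user while `sail` lands in the subordinate range. The uid_map contents, the launching host UID 1000 and the container UID 1337 for `sail` are constructed assumptions.

```python
"""Translate container UIDs to host UIDs via a /proc/self/uid_map table.

Added illustration, not Sail code: in a rootless Podman container, root
maps back to the launching user, while files chowned to the unprivileged
`sail` user end up owned by a subordinate ("junk") host UID.
"""

# Constructed sample of /proc/self/uid_map as seen from inside a rootless
# Podman container launched by host UID 1000 with a 65536-entry subordinate
# range (assumed values, not taken from a real host).
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

# Container UID of Sail's unprivileged user is an assumption here.
SAIL_UID = 1337


def parse_uid_map(text):
    """Return a list of (container_start, host_start, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        entries.append(tuple(int(f) for f in fields))
    return entries


def container_to_host_uid(container_uid, uid_map):
    """Host UID a container UID maps to, or None if it is unmapped.

    An unmapped UID is what the host shows as the overflow UID (nobody).
    """
    for c_start, h_start, length in uid_map:
        if c_start <= container_uid < c_start + length:
            return h_start + (container_uid - c_start)
    return None


def launcher_owns_files_of(container_uid, uid_map, launcher_uid):
    """True when files chowned to container_uid appear on the host as
    owned by the user who launched the container."""
    return container_to_host_uid(container_uid, uid_map) == launcher_uid


if __name__ == "__main__":
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    for uid in (0, SAIL_UID):
        print(uid, "->", container_to_host_uid(uid, uid_map))
```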