add non-root user documentation

ToshY · ToshY · commit 90fb72efec56 · 2025-09-28T12:15:04.000Z
diff --git a/docs/non-root-user.md b/docs/non-root-user.md
@@ -0,0 +1,120 @@
+# Non-root user
+
+Following [docker best practices](https://docs.docker.com/build/building/best-practices/#user), it is recommended to run your services as non-root user whenever possible.
+
+You can apply the following patches to your `Dockerfile`, `compose.prod.yaml` and `compose.override.yaml` to run the FrankenPHP container as non-root for development and production usage.
+
+`Dockerfile`
+
+```diff
+--- Dockerfile
++++ Dockerfile
+@@ -1,4 +1,8 @@
+ #syntax=docker/dockerfile:1
++ARG UID=${UID:-1000}
++ARG GID=${GID:-1000}
++ARG USER=${USER:-frankenphp}
++ARG GROUP=${GROUP:-frankenphp}
+ 
+ # Versions
+ FROM dunglas/frankenphp:1-php8.4 AS frankenphp_upstream
+@@ -11,6 +15,11 @@
+ # Base FrankenPHP image
+ FROM frankenphp_upstream AS frankenphp_base
+ 
++ARG UID
++ARG GID
++ARG USER
++ARG GROUP
++
+ WORKDIR /app
+ 
+ VOLUME /app/var/
+@@ -46,6 +55,12 @@
+ COPY --link --chmod=755 frankenphp/docker-entrypoint.sh /usr/local/bin/docker-entrypoint
+ COPY --link frankenphp/Caddyfile /etc/frankenphp/Caddyfile
+ 
++RUN set -eux; \
++    groupadd -g $GID $GROUP; \
++    useradd -u $UID -g $GID --no-create-home $USER; \
++    mkdir -p var/cache var/log; \
++    chown -R $UID:$GID /data/ /config/ var/cache var/log
++
+ ENTRYPOINT ["docker-entrypoint"]
+ 
+ HEALTHCHECK --start-period=60s CMD curl -f http://localhost:2019/metrics || exit 1
+@@ -54,6 +69,8 @@
+ # Dev FrankenPHP image
+ FROM frankenphp_base AS frankenphp_dev
+ 
++ARG USER
++
+ ENV APP_ENV=dev
+ ENV XDEBUG_MODE=off
+ ENV FRANKENPHP_WORKER_CONFIG=watch
+@@ -67,11 +84,17 @@
+ 
+ COPY --link frankenphp/conf.d/20-app.dev.ini $PHP_INI_DIR/app.conf.d/
+ 
++USER $USER
++
+ CMD [ "frankenphp", "run", "--config", "/etc/frankenphp/Caddyfile", "--watch" ]
+ 
+ # Prod FrankenPHP image
+ FROM frankenphp_base AS frankenphp_prod
+ 
++ARG UID
++ARG GID
++ARG USER
++
+ ENV APP_ENV=prod
+ 
+ RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
+@@ -92,4 +115,7 @@
+ 	composer dump-autoload --classmap-authoritative --no-dev; \
+ 	composer dump-env prod; \
+ 	composer run-script --no-dev post-install-cmd; \
+-	chmod +x bin/console; sync;
++	chmod +x bin/console; sync; \
++	chown -R $UID:$GID var/cache var/log
++
++USER $USER
+```
+
+`compose.override.yaml`
+```yaml
+--- compose.override.yaml
++++ compose.override.yaml
+@@ -5,6 +5,10 @@
+     build:
+       context: .
+       target: frankenphp_dev
++      args:
++        UID: ${UID:-1000}
++        GID: ${GID:-1000}
++    user: "${UID:-1000}:${GID:-1000}"
+     volumes:
+       - ./:/app
+       - ./frankenphp/Caddyfile:/etc/frankenphp/Caddyfile:ro
+```
+
+`compose.prod.yaml`
+```yaml
+--- compose.prod.yaml
++++ compose.prod.yaml
+@@ -5,6 +5,11 @@
+     build:
+       context: .
+       target: frankenphp_prod
++      args:
++        UID: ${UID:-1000}
++        GID: ${GID:-1000}
++    user: "${UID:-1000}:${GID:-1000}"
+     environment:
+       APP_SECRET: ${APP_SECRET}
+       MERCURE_PUBLISHER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET}
+```
+
+> [!TIP]
+> You can copy-paste the contents of the above diffs into patch files and run `patch <original> <patched>` to apply the changes directly. 
+> Example: `patch Dockerfile < Dockerfile.patch`
