Document not working features in nonroot images

diff --git a/README.md b/README.md
index 0f045db54d0d2ade93ed4573bd136145056fe970..dbdb3ff7a2ecffa5c8afe7df6ae69db26191da47 100644 (file)
--- a/README.md
+++ b/README.md
@@ -42,11 +42,11 @@ The following env variables can be set to configure your Roundcube Docker instan
 
 `ROUNDCUBEMAIL_SKIN` - Configures the default theme. Defaults to `elastic`
 
-`ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` - File upload size limit; defaults to `5M`
+`ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` - File upload size limit; defaults to `5M`. (*Note: this variable does not work in the `nonroot`-image!*)
 
 `ROUNDCUBEMAIL_SPELLCHECK_URI` - Fully qualified URL to a Google XML spell check API like [google-spell-pspell](https://github.com/roundcube/google-spell-pspell)
 
-`ROUNDCUBEMAIL_ASPELL_DICTS` - List of aspell dictionaries to install for spell checking (comma-separated, e.g. `de,fr,pl`).
+`ROUNDCUBEMAIL_ASPELL_DICTS` - List of aspell dictionaries to install for spell checking (comma-separated, e.g. `de,fr,pl`). (*Note: this variable does not work in the `nonroot`-image!*)
 
 By default, the image will use a local SQLite database for storing user account metadata.
 It'll be created inside the container directory `/var/roundcube/db`. In order to persist the database, a volume
@@ -78,6 +78,15 @@ Run it with a link to the MySQL host and the username/password variables:
 docker run --link=mysql:mysql -d roundcube/roundcubemail
 ```
 
+## Nonroot image
+
+We provide `nonroot`-images that run all processes as a normal user instead of as root. This limits possible damage in case of a mis-configuration or breach.
+
+Not running any process as root disables a few features that require to install packages or write to system files on container start. Specifically you cannot use the environment variables `ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` and `ROUNDCUBEMAIL_ASPELL_DICTS`.
+
+* To specify a maximum upload filesize, write the required php configuration options into a file and bind-mount that to `/usr/local/etc/php/conf.d/$filename`. See `examples/docker-compose-nonroot.yaml` and `examples/nonroot-custom-php-config.ini` for an example.
+* To install additionall aspell dictionaries you will have to build your own container image on top of ours and install them during the build.
+
 ## Persistent data
 
 The Roundcube containers do not store any data persistently by default. There are, however,

diff --git a/examples/docker-compose-nonroot.yaml b/examples/docker-compose-nonroot.yaml
new file mode 100644 (file)
index 0000000..24e05f7
--- /dev/null
+++ b/examples/docker-compose-nonroot.yaml
@@ -0,0 +1,12 @@
+services:
+  roundcubemail:
+    image: roundcube/roundcubemail:latest-nonroot
+    container_name: roundcubemail
+    volumes:
+      - ./db/sqlite:/var/roundcube/db
+      - ./nonroot-custom-php-config.ini:/usr/local/etc/php/conf.d/nonroot-custom-php-config.ini
+    ports:
+      - 9003:80
+    environment:
+      - ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.example.org
+      - ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.example.org

diff --git a/examples/nonroot-custom-php-config.ini b/examples/nonroot-custom-php-config.ini
new file mode 100644 (file)
index 0000000..f5a244b
--- /dev/null
+++ b/examples/nonroot-custom-php-config.ini
@@ -0,0 +1,3 @@
+; Use this to specify a maximum upload filesize in the nonroot-image.
+;post_max_size=128M
+;upload_max_filesize=128M