From: Pablo Zmdl Date: Thu, 17 Jul 2025 13:08:56 +0000 (+0200) Subject: Document not working features in nonroot images X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=141018e5543574b5ede307fbcd5e1fa57ee9cf1b;p=roundcube-roundcubemail-docker.git Document not working features in nonroot images --- diff --git a/README.md b/README.md index 0f045db..dbdb3ff 100644 --- a/README.md +++ b/README.md @@ -42,11 +42,11 @@ The following env variables can be set to configure your Roundcube Docker instan `ROUNDCUBEMAIL_SKIN` - Configures the default theme. Defaults to `elastic` -`ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` - File upload size limit; defaults to `5M` +`ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` - File upload size limit; defaults to `5M`. (*Note: this variable does not work in the `nonroot`-image!*) `ROUNDCUBEMAIL_SPELLCHECK_URI` - Fully qualified URL to a Google XML spell check API like [google-spell-pspell](https://github.com/roundcube/google-spell-pspell) -`ROUNDCUBEMAIL_ASPELL_DICTS` - List of aspell dictionaries to install for spell checking (comma-separated, e.g. `de,fr,pl`). +`ROUNDCUBEMAIL_ASPELL_DICTS` - List of aspell dictionaries to install for spell checking (comma-separated, e.g. `de,fr,pl`). (*Note: this variable does not work in the `nonroot`-image!*) By default, the image will use a local SQLite database for storing user account metadata. It'll be created inside the container directory `/var/roundcube/db`. In order to persist the database, a volume 
@@ -78,6 +78,15 @@ Run it with a link to the MySQL host and the username/password variables: docker run --link=mysql:mysql -d roundcube/roundcubemail ``` +## Nonroot image + +We provide `nonroot`-images that run all processes as a normal user instead of as root. This limits possible damage in case of a mis-configuration or breach. + +Not running any process as root disables a few features that require to install packages or write to system files on container start. Specifically you cannot use the environment variables `ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` and `ROUNDCUBEMAIL_ASPELL_DICTS`. + +* To specify a maximum upload filesize, write the required php configuration options into a file and bind-mount that to `/usr/local/etc/php/conf.d/$filename`. See `examples/docker-compose-nonroot.yaml` and `examples/nonroot-custom-php-config.ini` for an example. +* To install additionall aspell dictionaries you will have to build your own container image on top of ours and install them during the build. + ## Persistent data The Roundcube containers do not store any data persistently by default. There are, however, diff --git a/examples/docker-compose-nonroot.yaml b/examples/docker-compose-nonroot.yaml new file mode 100644 index 0000000..24e05f7 --- /dev/null +++ b/examples/docker-compose-nonroot.yaml @@ -0,0 +1,12 @@ +services: + roundcubemail: + image: roundcube/roundcubemail:latest-nonroot + container_name: roundcubemail + volumes: + - ./db/sqlite:/var/roundcube/db + - ./nonroot-custom-php-config.ini:/usr/local/etc/php/conf.d/nonroot-custom-php-config.ini + ports: + - 9003:80 + environment: + - ROUNDCUBEMAIL_DEFAULT_HOST=tls://mail.example.org + - ROUNDCUBEMAIL_SMTP_SERVER=tls://mail.example.org diff --git a/examples/nonroot-custom-php-config.ini b/examples/nonroot-custom-php-config.ini new file mode 100644 index 0000000..f5a244b --- /dev/null +++ b/examples/nonroot-custom-php-config.ini 
@@ -0,0 +1,3 @@ +; Use this to specify a maximum upload filesize in the nonroot-image. +;post_max_size=128M +;upload_max_filesize=128M
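Review bot: in the README hunk touching `ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` and `ROUNDCUBEMAIL_ASPELL_DICTS`, the two added "(*Note: this variable does not work in the `nonroot`-image!*)" remarks say what is broken but not where the workaround is; since the same patch adds a "Nonroot image" section with the bind-mount and custom-build alternatives, each note should end with something like "see the Nonroot image section below" so a reader who hits the limitation is sent to the fix. The hyphenated spelling `nonroot`-image is also inconsistent with the new section heading "Nonroot image"; "nonroot image" throughout reads better.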
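Review bot: in the new "Nonroot image" section, "additionall" in the second bullet is a typo for "additional", and "features that require to install packages or write to system files" should read "features that require installing packages or writing to system files on container start". More substantively, the bind-mount bullet should state that the mounted ini file has to be readable by the unprivileged user the image runs as, and the section should name that UID/GID: the same requirement applies to the persisted SQLite directory under `/var/roundcube/db` mentioned at the top of the README, and a permission error on the first start is the most likely thing a nonroot user runs into. One sentence such as "The mounted file (and any persisted volume) must be readable or writable by the unprivileged user the image runs as" would cover it.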
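Review bot: in `examples/docker-compose-nonroot.yaml`, the ini bind-mount should be read-only, since PHP only reads it and the example is meant to demonstrate least privilege: `- ./nonroot-custom-php-config.ini:/usr/local/etc/php/conf.d/nonroot-custom-php-config.ini:ro`. Two smaller points: `image: roundcube/roundcubemail:latest-nonroot` is a floating tag, and for an example that will be copied into real deployments a versioned tag (or an image digest) is the safer default; and bind-mounting a single file means Docker creates an empty directory at that host path if the file is missing, which then fails inside the container, so a short comment telling the reader to copy `nonroot-custom-php-config.ini` next to the compose file first would avoid a predictable support question.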
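Review bot: in `examples/nonroot-custom-php-config.ini`, both directives are commented out, so mounting the file unchanged has no effect; either ship `post_max_size` and `upload_max_filesize` uncommented with the chosen value, or change the header comment to say that the reader must uncomment and adjust them. It is also worth a comment that `post_max_size` must be at least `upload_max_filesize` (PHP drops the whole request body, including `$_FILES`, when it exceeds `post_max_size`), which is why the two are set together here. Finally, the README should say whether this file fully replaces `ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE` or only its PHP side, so users know whether a Roundcube config override is still needed in the nonroot image.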