Docker: run as non-root (#28849)

* Docker: allow configuration of HTTP listen port via env var

* Update docs/install.md

Co-authored-by: Michael Telatynski <[email protected]>

* prettier

* Docker: run as non-root

* Simplify sed incantation

---------

Co-authored-by: Michael Telatynski <[email protected]>

Author: richvdh

Dockerfile

@@ -1,5 +1,5 @@
 # Builder
-FROM --platform=$BUILDPLATFORM node:22-bullseye as builder
+FROM --platform=$BUILDPLATFORM node:22-bullseye AS builder
 
 # Support custom branch of the js-sdk. This also helps us build images of element-web develop.
 ARG USE_CUSTOM_SDKS=false
@@ -25,8 +25,18 @@ COPY --from=builder /src/webapp /app
 # through `envsubst` by the nginx docker image entry point.
 COPY /docker/nginx-templates/* /etc/nginx/templates/
 
+# Tell nginx to put its pidfile elsewhere, so it can run as non-root
+RUN sed -i -e 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf
+
+# nginx user must own the cache and etc directory to write cache and tweak the nginx config
+RUN chown -R nginx:0 /var/cache/nginx /etc/nginx
+RUN chmod -R g+w /var/cache/nginx /etc/nginx
+
 RUN rm -rf /usr/share/nginx/html \
   && ln -s /app /usr/share/nginx/html
 
+# Run as nginx user by default
+USER nginx
+
 # HTTP listen port
 ENV ELEMENT_WEB_PORT=80

docs/install.md

@@ -60,6 +60,12 @@ would be:
 docker run --rm -p 127.0.0.1:80:80 -v /etc/element-web/config.json:/app/config.json vectorim/element-web
 ```
 
+The Docker image is configured to run as an unprivileged (non-root) user by
+default. This should be fine on modern Docker runtimes, but binding to port 80
+on other runtimes may require root privileges. To resolve this, either run the
+image as root (`docker run --user 0`) or, better, change the port that nginx
+listens on via the `ELEMENT_WEB_PORT` environment variable.
+
 The behaviour of the docker image can be customised via the following
 environment variables: