Non-root Docker image issues with the OCI8 driver in PHP

You might find yourself needing to build a Docker image where security policies do NOT allow root-based images. While searching, you might come across articles like this one. After applying those changes and installing the oci8 driver, you might run into this error:

libmql1.so: cannot open shared object file: No such file or directory

This shows up while running your container, or you may see something similar. You might have tried running commands like ldd oci8.so and ldd libmql1.so and verified that the libraries point to the correct locations, and yet you still see the same error.

What I've noticed is that adding this line to the Dockerfile

setcap 'cap_net_bind_service=+ep' /usr/local/apache2/bin/httpd

somehow prevents Apache from accessing certain libraries. I'm not certain why, but it does. Maybe it's some manner of security restriction. Anyway, it seems the purpose of this line is to allow Apache2 to use the reserved port 80 without root access. The simplest workaround is to NOT use port 80 and to remove that line. Port 8080 tends to be the more popular choice, and the port can then be proxied to 80 externally. You'd just need to update the Apache configuration and rerun the image, and hopefully the error disappears.
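The workaround above as a Dockerfile fragment, an added example that is not from the original post: the setcap line is dropped and Apache listens on 8080 as a non-root user. The httpd:2.4 base image, its stock conf/httpd.conf containing a "Listen 80" line, and UID 1001 are assumptions.

```dockerfile
# Added example, not the original author's Dockerfile.
# Assumed: official httpd base image (matches the /usr/local/apache2 path
# in the post), its default "Listen 80" directive, placeholder UID 1001.
FROM httpd:2.4

# ... PHP, Oracle Instant Client and oci8 installation steps go here ...

# Before (removed): file capability so httpd can bind the reserved port 80.
# Per ld.so(8), a binary that carries file capabilities is started in
# secure-execution mode, where LD_LIBRARY_PATH is ignored. If the Oracle
# client directory is only found through LD_LIBRARY_PATH, that would give
# "cannot open shared object file" even though ldd looks fine in a shell.
# That this is the cause in the post's setup is an assumption.
# RUN setcap 'cap_net_bind_service=+ep' /usr/local/apache2/bin/httpd

# After: listen on an unprivileged port, so no capability is needed.
# The grep makes the build fail if the Listen line was not rewritten.
RUN sed -ri 's/^Listen 80$/Listen 8080/' /usr/local/apache2/conf/httpd.conf \
 && grep -q '^Listen 8080$' /usr/local/apache2/conf/httpd.conf \
 && chown -R 1001:0 /usr/local/apache2/logs \
 && chmod -R g+rwX /usr/local/apache2/logs

EXPOSE 8080

# Run as a non-root user; the logs directory above holds the PID file
# and must be writable by this user.
USER 1001
```

Inside the built image, getcap /usr/local/apache2/bin/httpd should print nothing, and external port 80 can be mapped to the container's 8080 by the host or a reverse proxy.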

 
