<div dir="ltr">Hi,<div><br></div><div>I added the lines to my dockerfile</div><div><br></div>
<div>Run ...</div>
<div> && chmod 777 /var/log/nginx \</div>
<div> && rm -rf /var/log/nginx/error.log \</div>
<div> && rm -rf /var/log/nginx/access.log</div>
<div><br></div><div>It worked for me!</div><div><br></div><div>Thanks for your help.</div><div><br></div><div>Paulo Leal</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 5, 2016 at 12:57 PM, Aleksandar Lazic <span dir="ltr"><<a href="mailto:al-nginx@none.at" target="_blank">al-nginx@none.at</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi.<span class=""><br>
<br>
On 04-05-2016 23:50, Francis Daly wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, May 04, 2016 at 06:25:01PM -0300, Paulo Leal wrote:<br>
<br>
Hi there,<br>
<br>
Completely untested by me; and I've not used openshift or docker, but:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have been playing around with the<br>
<a href="https://github.com/nginxinc/openshift-nginx" rel="noreferrer" target="_blank">https://github.com/nginxinc/openshift-nginx</a> dockerfile and trying to find<br>
a way to run nginx as non-root with openshift/k8/docker.<br>
<br>
I am currently getting the error:<br>
nginx: [alert] could not open error log file: open()<br>
"/var/log/nginx/error.log" failed (13: Permission denied)<br>
</blockquote>
<br>
That says that the user you run as cannot open that file.<br>
<br>
ls -ld / /var /var/log /var/log/nginx<br>
ls -l /var/log/nginx/error.log<br>
<br>
You may need a "-Z" in there too, if you have some extra security enabled.<br>
<br>
Does your user have permission to write the current error.log file;<br>
or to create a new one? If not, do whatever it takes to make that possible.<br>
<br>
You do mention some "chmod" commands below, but none that refer to this<br>
directory or file.<br>
</blockquote>
<br></span>
In openshift you normally do not know which user you run as.<br>
<br>
<a href="https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-strategies" rel="noreferrer" target="_blank">https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-strategies</a><br>
<br>
I think the default is 'MustRunAsRange', as this file suggests.<br>
<br>
<a href="https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L177" rel="noreferrer" target="_blank">https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L177</a><br>
<br>
There is a solution to run as a dedicated user id.<br>
<br>
<a href="https://docs.openshift.org/latest/creating_images/guidelines.html#use-uid" rel="noreferrer" target="_blank">https://docs.openshift.org/latest/creating_images/guidelines.html#use-uid</a><br>
<br>
You should change the location of the pid file and you can use a syslog server for the logs. I have created a more or less ready to use solution.<br>
<br>
<a href="https://github.com/git001/nginx-osev3" rel="noreferrer" target="_blank">https://github.com/git001/nginx-osev3</a><br>
<br>
Please tell me if the solution is helpful for you.<br>
<br>
I can then make a pull request to the <a href="https://github.com/nginxinc/openshift-nginx" rel="noreferrer" target="_blank">https://github.com/nginxinc/openshift-nginx</a> .<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have already added to my Dockerfile:<br>
Run ...<br>
&& chmod 777 /etc/nginx/nginx.conf \<br>
&& chmod 777 /var/run \<br>
&& chmod 777 /etc/nginx/conf.d/default.conf<br>
</blockquote>
<br>
777 is possibly excessive; but if it works for you, it works. If you<br>
don't have "x" permissions on /etc/nginx/conf.d, though, you probably<br>
won't be able to read the default.conf file within.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I also ran bash on the container and was able to "cat" the "default.conf"<br>
and the "nginx.conf" files.<br>
</blockquote>
<br>
Do you do that as the same user/group that you run nginx as?<br>
</blockquote>
<br></span>
To OP:<br>
the output of ' id && ps axfu && ls -laR /etc/nginx/ ' would be interesting.<br>
<br>
In general the images in openshift run with a random user id, which makes it difficult to set proper file permissions :-/<br>
You can define some service accounts to be able to run as root; this should be used very carefully, as in non-PaaS environments ;-).<br>
<br>
Cheers<br>
Aleks<div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br></div>
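Added example, not part of the original thread: a Python sketch of the check the `ls -ld / /var /var/log /var/log/nginx` advice performs by eye, reporting the first path component whose mode bits stop a given non-root UID from writing a log or pid file. The function names, the sample UID 1000650000 and the assumption that the arbitrary UID belongs to group 0 (as the OpenShift image guidelines linked above describe) are illustrative.

```python
import os

def _triplet(st, uid, gids):
    """rwx bits (0-7) that apply to a non-root uid/gids for this inode."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_denial(path, uid, gids, start="/"):
    """Return (component, reason) for the first mode-bit denial that stops
    uid/gids from writing `path`, or None if the mode bits allow it.
    Only classic mode bits are modelled: no ACLs, SELinux labels or
    capabilities. Directories above `start` are assumed to be traversable."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    dirs = [start]
    rel = os.path.relpath(os.path.dirname(path), start)
    if rel != ".":
        for part in rel.split(os.sep):
            dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:  # every directory on the way needs search (x) permission
        if not os.path.isdir(d):
            return d, "directory does not exist"
        if not _triplet(os.stat(d), uid, gids) & 1:
            return d, "no search (x) permission on directory"
    if os.path.exists(path):
        if not _triplet(os.stat(path), uid, gids) & 2:
            return path, "no write (w) permission on existing file"
        return None
    # File is absent: creating it needs both w and x on the parent directory.
    if (_triplet(os.stat(dirs[-1]), uid, gids) & 3) != 3:
        return dirs[-1], "cannot create file: directory needs w and x"
    return None

if __name__ == "__main__":
    # Constructed scenario: an arbitrary high UID whose only group is 0.
    for target in ("/var/log/nginx/error.log", "/var/run/nginx.pid"):
        verdict = first_denial(target, uid=1000650000, gids={0})
        print(target, "->", verdict or "writable")
```

Run inside the image, it shows whether group-0 ownership with group write on the directory is enough, or whether only the "other" bits (as with 777) let the arbitrary UID through.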