openshift-nginx docker image running as non-root
screeley at redhat.com
Thu Nov 12 19:34:26 UTC 2015
I got it to work with a combo of what you provided, and I also had to chmod /var/run or I would get a permission error on /var/run/nginx.pid and it wouldn't start.
----- Original Message -----
From: "Aleksandar Lazic" <al-nginx at none.at>
To: nginx at nginx.org
Cc: "Scott Creeley" <screeley at redhat.com>, nginx-devel at nginx.org
Sent: Wednesday, November 11, 2015 3:10:44 PM
Subject: Re: Fwd: openshift-nginx docker image running as non-root
I think this is not a devel question, so I answer primarily to the nginx list.
Am 11-11-2015 19:23, schrieb Scott Creeley:
> ----- Forwarded Message -----
> From: "Scott Creeley" <screeley at redhat.com>
> To: nginx-devel at nginx.org
> Sent: Wednesday, November 11, 2015 12:13:49 PM
> Subject: openshift-nginx docker image running as non-root
> Been playing around with the
> https://github.com/nginxinc/openshift-nginx dockerfile and trying to
> find a way to run nginx as non-root with openshift/k8/docker. Not
> having much luck; if I pass in a user or specify a user in the
> nginx.conf or Dockerfile or via openshift/k8 runAsUser I always get
> some form of permission error. Is there a way to do this or am I
> wasting my time messing with this?
> nginx: [alert] could not open error log file: open()
> "/var/log/nginx/error.log" failed (13: Permission denied)
> 2015/11/10 14:40:40 [warn] 1#1: the "user" directive makes sense only
> if the master process runs with super-user privileges, ignored in
> 2015/11/10 14:40:40 [emerg] 1#1: mkdir()
> "/var/cache/nginx/client_temp" failed (13: Permission denied)
We had the same problem.
Add this to the dockerfile.
# Make the log and cache directories writable by any UID (world-writable)
# and the config files readable.
RUN chmod -R 777 /var/log/nginx /var/cache/nginx/ \
 && chmod 644 /etc/nginx/*
Openshift v3 uses a random user inside the container.
This makes the user and group settings in most Dockerfiles and apps not
You can take a look into the node-js example container
oc exec nodejs-example-1-qerx1 -it bash
bash-4.2$ ps aafxu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
1000100+ 19 0.0 0.0 11740 1840 ? Ss 14:58 0:00 bash
1000100+ 34 0.0 0.0 19764 1204 ? R+ 14:58 0:00 \_ ps
1000100+ 1 0.0 0.0 863264 26216 ? Ssl Nov09 0:00 npm
1000100+ 17 0.0 0.0 701120 25892 ? Sl Nov09 0:00 node
The reason why most programs have this user & group stuff is
a security reason.
Due to the fact that almost all containers in Openshift v3 run under a
dedicated user (e.g.: 1000100+), you don't need to and are not allowed to change
to a dedicated user.
Please take a look into these docs.
Due to the fact that I don't know if you use Openshift Enterprise (OSE)
or Openshift Origin, I post the doc links from Origin ;-)
Please give yourself some time to learn the Openshift ecosystem; it's not like
a 'docker run ...' on any machine ;-)
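The two fixes in this thread (chmod of the log and cache directories, plus chmod of /var/run for the pid file) can be combined into one image that runs under OpenShift's arbitrary UID without making anything world-writable. The Dockerfile below is an added example, not code from this thread or from the nginxinc/openshift-nginx project. It assumes the layout of the official nginx image (nginx.conf with a "user" directive and "pid /var/run/nginx.pid;", /etc/nginx/conf.d/default.conf listening on port 80), that the image tag and the USER value are placeholders, and the OpenShift v3 behaviour that the random UID is always a member of GID 0 (root), so group-0 write access is sufficient where the thread used 777.

```dockerfile
# Added example; not from the thread or the nginxinc/openshift-nginx project.
# Image tag is a placeholder.
FROM nginx:1.9

# Directories nginx writes at start-up, taken from the errors in the thread:
# /var/log/nginx (error.log), /var/cache/nginx (client_temp etc.) and
# /var/run (nginx.pid). OpenShift's arbitrary UID belongs to GID 0, so give
# group 0 read/write plus directory traversal (X) instead of chmod 777.
RUN chgrp -R 0 /var/log/nginx /var/cache/nginx \
 && chmod -R g+rwX /var/log/nginx /var/cache/nginx

# /var/run is handled without -R on purpose: on many base images it is a
# symlink to /run, and the non-recursive form changes the target directory.
RUN chgrp 0 /var/run \
 && chmod g+rwX /var/run

# Config only has to be readable (not writable) by the arbitrary UID.
RUN chgrp -R 0 /etc/nginx \
 && chmod -R g+rX /etc/nginx

# The "user" directive is ignored without root (the [warn] in the thread),
# so drop it. Ports below 1024 need root too, so serve on 8080 instead of 80
# (assumes default.conf contains "listen 80;").
RUN sed -i '/^user /d' /etc/nginx/nginx.conf \
 && sed -i 's/listen\s*80;/listen 8080;/' /etc/nginx/conf.d/default.conf

EXPOSE 8080

# Placeholder non-root UID. OpenShift overrides it with a random UID in
# group 0; outside OpenShift the image still runs unprivileged.
USER 1001

CMD ["nginx", "-g", "daemon off;"]
```

A quick way to check the result is to start the image with an arbitrary UID in group 0, e.g. docker run --user 123456:0, and confirm that nginx starts without the "Permission denied" messages quoted above while the listed directories stay non-world-writable (ls -ld should show rwxrwxr-x, not rwxrwxrwx).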