Fwd: openshift-nginx docker image running as non-root

Aleksandar Lazic al-nginx at none.at
Wed Nov 11 20:10:44 UTC 2015


Dear Scott.

I think this is not a devel question so I answer primarily to the nginx list.

On 11-11-2015 19:23, Scott Creeley wrote:
> ----- Forwarded Message -----
> From: "Scott Creeley" <screeley at redhat.com>
> To: nginx-devel at nginx.org
> Sent: Wednesday, November 11, 2015 12:13:49 PM
> Subject: openshift-nginx docker image running as non-root
> 
> Hi,
> Been playing around with the
> https://github.com/nginxinc/openshift-nginx  dockerfile and trying to
> find a way to run nginx as non-root with openshift/k8/docker.  Not
> having much luck, if I pass in a user or specify a user in the
> nginx.conf or Dockerfile or via openshift/k8 runAsUser I always get
> some form of permission errors.  Is there a way to do this or am I
> wasting my time messing with this?
> 
> nginx: [alert] could not open error log file: open()
> "/var/log/nginx/error.log" failed (13: Permission denied)
> 2015/11/10 14:40:40 [warn] 1#1: the "user" directive makes sense only
> if the master process runs with super-user privileges, ignored in
> /etc/nginx/nginx.conf:2
> 2015/11/10 14:40:40 [emerg] 1#1: mkdir()
> "/var/cache/nginx/client_temp" failed (13: Permission denied)

We had the same problem.

tl;dr
Add this to the dockerfile.

RUN ....
     && chmod -R 777 /var/log/nginx /var/cache/nginx/ \
     && chmod 644 /etc/nginx/*

Longer explanation.

Openshift v3 uses a random user inside the container.
This makes the user and group settings in most Dockerfiles and apps not 
very helpful.

You can take a look into the node-js example container

oc exec nodejs-example-1-qerx1 -it bash

######
bash-4.2$ ps aafxu
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1000100+     19  0.0  0.0  11740  1840 ?        Ss   14:58   0:00 bash
1000100+     34  0.0  0.0  19764  1204 ?        R+   14:58   0:00  \_ ps aafxu
1000100+      1  0.0  0.0 863264 26216 ?        Ssl  Nov09   0:00 npm
1000100+     17  0.0  0.0 701120 25892 ?        Sl   Nov09   0:00 node server.js
#######

The reason most programs have this user & group stuff is security.
Since almost all containers in Openshift v3 run under a dedicated user 
(e.g. 1000100+), you don't need to, and are not allowed to, change 
to a dedicated user.

Please take a look into these docs.
Since I don't know if you use Openshift Enterprise (OSE) or Openshift 
origin, I post the doc links from origin ;-)

https://docs.openshift.org/latest/architecture/index.html
https://docs.openshift.org/latest/creating_images/guidelines.html
https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile
https://docs.openshift.org/latest/using_images/docker_images/index.html
https://docs.openshift.org/latest/architecture/core_concepts/pods_and_services.html
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

Please give yourself some time to learn the Openshift ecosystem; it's not 
like a 'docker run ...' on any machine ;-)

BR Aleks
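The following is an added example, not code from this thread or from the nginxinc/openshift-nginx project. It prepares the directories nginx writes to at startup (the log and cache paths from Scott's error messages) for an arbitrary, non-root UID and then verifies the result from the current user's point of view. Instead of the `chmod -R 777` from the reply above it uses the root-group approach described in the OpenShift image-creation guidelines linked in the reply (`chgrp -R 0` plus `chmod -R g+rwX`), which keeps the directories writable for the random UID, since OpenShift puts it in group 0, without opening them to everyone. It also drops the `user` directive that nginx warns about when the master process is not root. The paths are assumed to sit under a prefix so the script runs offline as any user; in a real Dockerfile the prefix would be `/`. The `chgrp` step is only attempted as root.

```shell
#!/bin/sh
# Added example (not from the nginx mailing-list thread or the
# openshift-nginx project): make an nginx filesystem layout usable by an
# arbitrary UID in group 0, then check it the way nginx would at startup.
set -eu

# prepare_nginx_tree PREFIX
# Creates PREFIX/var/log/nginx, PREFIX/var/cache/nginx and a minimal
# constructed PREFIX/etc/nginx/nginx.conf, then applies the permissions.
prepare_nginx_tree() {
    prefix=$1
    mkdir -p "$prefix/var/log/nginx" "$prefix/var/cache/nginx" "$prefix/etc/nginx"

    # Constructed config containing the "user" directive nginx ignores
    # (with a warning) when it is not started as root.
    printf 'user nginx;\nworker_processes 1;\nevents { }\n' \
        > "$prefix/etc/nginx/nginx.conf"

    # Group 0 is the group OpenShift gives the random UID; chgrp needs
    # root, so unprivileged runs keep the owner's group and rely on the
    # mode bits alone (enough to exercise the check below).
    if [ "$(id -u)" -eq 0 ]; then
        chgrp -R 0 "$prefix/var/log/nginx" "$prefix/var/cache/nginx"
    fi
    # g+rwX: group read/write everywhere, execute only on directories
    # (and files that are already executable). Nothing for "other".
    chmod -R g+rwX "$prefix/var/log/nginx" "$prefix/var/cache/nginx"

    # Config: readable by everyone, writable only by the owner.
    chmod 644 "$prefix/etc/nginx"/*

    # Remove the "user" directive; it is meaningless without root.
    sed -i.bak '/^[[:space:]]*user[[:space:]]/d' "$prefix/etc/nginx/nginx.conf"
    rm -f "$prefix/etc/nginx/nginx.conf.bak"
}

# check_nginx_tree PREFIX
# Returns 0 when the current user can do what nginx does on startup:
# open the error log, create the client_temp cache directory, and read a
# config that is mode 644 and sets no "user" directive.
check_nginx_tree() {
    prefix=$1
    logdir=$prefix/var/log/nginx
    cachedir=$prefix/var/cache/nginx
    for d in "$logdir" "$cachedir"; do
        [ -d "$d" ] && [ -w "$d" ] || { echo "not writable: $d" >&2; return 1; }
    done
    # Same operations that produced the errors in the forwarded message.
    : > "$logdir/error.log" || return 1
    mkdir -p "$cachedir/client_temp" || return 1

    mode=$(ls -ld "$prefix/etc/nginx/nginx.conf" | cut -c1-10)
    [ "$mode" = "-rw-r--r--" ] || { echo "config mode is $mode" >&2; return 1; }
    if grep -q '^[[:space:]]*user[[:space:]]' "$prefix/etc/nginx/nginx.conf"; then
        echo "config still contains a user directive" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: ./prepare-nginx-tree.sh /tmp/nginx-root
if [ $# -gt 0 ]; then
    prepare_nginx_tree "$1"
    if check_nginx_tree "$1"; then
        echo "ok: $1 is usable by uid $(id -u)"
    else
        echo "FAIL: $1 is not usable by uid $(id -u)" >&2
        exit 1
    fi
fi
```

In a Dockerfile the two functions collapse to a `RUN` line applying `chgrp -R 0` and `chmod -R g+rwX` to `/var/log/nginx` and `/var/cache/nginx`, with the `user` line removed from `/etc/nginx/nginx.conf`; the check is what you would run inside the pod (for example via `oc exec`) to confirm the random UID can actually write where nginx needs to.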
