Fwd: openshift-nginx docker image running as non-root
Aleksandar Lazic
al-nginx at none.at
Wed Nov 11 20:10:44 UTC 2015
Dear Scott.
I think this is not a devel question, so I answer primarily to the nginx list.
On 11-11-2015 19:23, Scott Creeley wrote:
> ----- Forwarded Message -----
> From: "Scott Creeley" <screeley at redhat.com>
> To: nginx-devel at nginx.org
> Sent: Wednesday, November 11, 2015 12:13:49 PM
> Subject: openshift-nginx docker image running as non-root
>
> Hi,
> Been playing around with the
> https://github.com/nginxinc/openshift-nginx Dockerfile and trying to
> find a way to run nginx as non-root with openshift/k8/docker. Not
> having much luck; if I pass in a user or specify a user in the
> nginx.conf or Dockerfile or via openshift/k8 runAsUser I always get
> some form of permission errors. Is there a way to do this or am I
> wasting my time messing with this?
>
> nginx: [alert] could not open error log file: open()
> "/var/log/nginx/error.log" failed (13: Permission denied)
> 2015/11/10 14:40:40 [warn] 1#1: the "user" directive makes sense only
> if the master process runs with super-user privileges, ignored in
> /etc/nginx/nginx.conf:2
> 2015/11/10 14:40:40 [emerg] 1#1: mkdir()
> "/var/cache/nginx/client_temp" failed (13: Permission denied)
We had the same problem.
tl;dr
Add this to the dockerfile.
RUN ....
&& chmod -R 777 /var/log/nginx /var/cache/nginx/ \
&& chmod 644 /etc/nginx/*
Longer explanation.
OpenShift v3 runs the container as a random user.
This makes the user and group settings in most Dockerfiles and apps not
very helpful.
You can take a look into the node-js example container:
oc exec nodejs-example-1-qerx1 -it bash
######
bash-4.2$ ps aafxu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1000100+ 19 0.0 0.0 11740 1840 ? Ss 14:58 0:00 bash
1000100+ 34 0.0 0.0 19764 1204 ? R+ 14:58 0:00 \_ ps aafxu
1000100+ 1 0.0 0.0 863264 26216 ? Ssl Nov09 0:00 npm
1000100+ 17 0.0 0.0 701120 25892 ? Sl Nov09 0:00 node server.js
#######
The reason why most programs have this user & group stuff is security.
Since almost all containers in OpenShift v3 run under a dedicated user
(e.g. 1000100+), you don't need to, and are not allowed to, change to a
dedicated user.
Please take a look into these docs.
Since I don't know whether you use OpenShift Enterprise (OSE) or
OpenShift Origin, I post the doc links from Origin ;-)
https://docs.openshift.org/latest/architecture/index.html
https://docs.openshift.org/latest/creating_images/guidelines.html
https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile
https://docs.openshift.org/latest/using_images/docker_images/index.html
https://docs.openshift.org/latest/architecture/core_concepts/pods_and_services.html
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints
Please give yourself some time to learn the OpenShift ecosystem; it's not
like a 'docker run ...' on any machine ;-)
BR Aleks
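As an added example (not code from this thread or from the nginxinc/openshift-nginx project), here is a Dockerfile that addresses each of the three errors Scott quoted (unwritable error log, ignored "user" directive, unwritable client_temp) without making the directories world-writable: OpenShift runs the arbitrary UID with GID 0 as a supplementary group, so group-0 ownership plus g+rwX is enough. It assumes the official nginx image layout (/etc/nginx, /var/log/nginx, /var/cache/nginx, /usr/share/nginx/html) and a BuildKit-capable Docker for the COPY heredoc; the UID 1001 and port 8080 are arbitrary choices.

```dockerfile
# syntax=docker/dockerfile:1
FROM nginx:1.25

# Assumption: arbitrary-UID platforms (OpenShift) add the process to
# GID 0, so group ownership + group write is the least-privilege fix.
# Config for a master process that is NOT root.
COPY <<'EOF' /etc/nginx/nginx.conf
# No "user" directive: nginx only honours it when the master runs as root,
# otherwise it logs "the user directive makes sense only if ..." and ignores it.
worker_processes 1;
error_log /var/log/nginx/error.log warn;
# /var/run is not writable for a random UID; /tmp always is.
pid /tmp/nginx.pid;
events { worker_connections 1024; }
http {
    include /etc/nginx/mime.types;
    access_log /var/log/nginx/access.log;
    # nginx mkdir()s these at startup, so their parent must be writable.
    client_body_temp_path /var/cache/nginx/client_temp;
    proxy_temp_path       /var/cache/nginx/proxy_temp;
    fastcgi_temp_path     /var/cache/nginx/fastcgi_temp;
    uwsgi_temp_path       /var/cache/nginx/uwsgi_temp;
    scgi_temp_path        /var/cache/nginx/scgi_temp;
    server {
        # Ports below 1024 need CAP_NET_BIND_SERVICE, which a non-root
        # master does not have; serve on an unprivileged port instead.
        listen 8080;
        location / { root /usr/share/nginx/html; index index.html; }
    }
}
EOF

# Group 0 owns what nginx writes; only the group bit is opened, never "other".
# The config stays read-only for the runtime user (g+rX, no w).
RUN chgrp -R 0 /var/log/nginx /var/cache/nginx /etc/nginx \
 && chmod -R g+rwX /var/log/nginx /var/cache/nginx \
 && chmod -R g+rX /etc/nginx

# A numeric USER is required so the platform can verify the image does
# not need root; OpenShift will still override it with its own UID.
USER 1001
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
```

Outside OpenShift you can exercise the same path with `docker run --user 12345:0 -p 8080:8080 <image>`; running with `--user 12345:12345` instead reproduces the permission errors, which shows the fix depends on group 0 membership rather than on the UID.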