openshift-nginx docker image running as non-root

Francis Daly francis at daoine.org
Wed May 4 21:50:42 UTC 2016


On Wed, May 04, 2016 at 06:25:01PM -0300, Paulo Leal wrote:

Hi there,

Completely untested by me; and I've not used openshift or docker, but:

> I have been playing around with the
> https://github.com/nginxinc/openshift-nginx dockerfile and trying to find
> a way to run nginx as non-root with openshift/k8/docker.
> I am currently getting the error:
> nginx: [alert] could not open error log file: open()
> "/var/log/nginx/error.log" failed (13: Permission denied)

That says that the user you run as cannot open that file.

ls -ld / /var /var/log /var/log/nginx
ls -l /var/log/nginx/error.log

You may need a "-Z" in there too, if you have some extra security enabled.

Does your user have permission to write the current error.log file;
or to create a new one? If not, do whatever it takes to make that possible.

You do mention some "chmod" commands below, but none that refer to this
directory or file.

> 2016/05/04 20:51:09 [warn] 1#1: the "user" directive makes sense only if
> the master process runs with super-user privileges, ignored in
> /etc/nginx/nginx.conf:5

That is harmless; if you intend to run as non-root, you can remove that
directive from the config file.

> 2016/05/04 20:51:09 [emerg] 1#1: open() "/etc/nginx/conf.d/default.conf"
> failed (13: Permission denied) in /etc/nginx/nginx.conf:33

That suggests that your user can read /etc/nginx/nginx.conf, but cannot
read /etc/nginx/conf.d/default.conf

"ls -ld" or "ls -ldZ" every directory from the root to that one.

Perhaps there is something there that shows why you are blocked.

> I have already added to my Dockerfile:
> Run ...
>  && chmod 777 /etc/nginx/nginx.conf \
>  && chmod 777 /var/run \
>  && chmod 777 /etc/nginx/conf.d/default.conf

777 is possibly excessive; but if it works for you, it works. If you
don't have "x" permissions on /etc/nginx/conf.d, though, you probably
won't be able to read the default.conf file within.

> I also run bash on the container and was able to "cat" the "default.conf"
> and the "nginx.conf" files.

Do you do that as the same user/group that you run nginx as?

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
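
Added example, not part of the original message: a shell sketch of the "ls -ld every directory from the root to that one" check above, which reports the first path component whose mode bits block a given uid/gid. The function names and the uid/gid in the usage line are hypothetical; it assumes a GNU-style `stat -c` and looks at mode bits only, so ACLs, SELinux labels (the "-Z" case), supplementary groups and root's override are not modelled.

```shell
#!/bin/sh
# Added example: find the first path component whose mode bits block a uid/gid.
# Mode bits only: ACLs, SELinux labels, supplementary groups and root's
# override are not modelled. Assumes a GNU-style `stat -c`.

# allowed UID GID NEED PATH
# NEED is 4 (read), 2 (write) or 1 (execute/search). Succeeds if the owner,
# group or other bits that apply to UID/GID include NEED.
allowed() {
    st=$(stat -L -c '%u %g %a' "$4" 2>/dev/null) || return 1
    set -- "$1" "$2" "$3" $st          # now $4=owner $5=group $6=octal mode
    if   [ "$1" -eq "$4" ]; then bits=$(( $6 / 100 % 10 ))
    elif [ "$2" -eq "$5" ]; then bits=$(( $6 / 10 % 10 ))
    else                         bits=$(( $6 % 10 ))
    fi
    [ $(( bits & $3 )) -ne 0 ]
}

# first_blocker UID GID /abs/path [NEED]
# Every directory on the way needs search (x); the last component needs NEED
# (default 4 = read). Prints the first blocking component and returns 1,
# or prints nothing and returns 0.
first_blocker() {
    uid=$1 gid=$2 rest=${3#/} need=${4:-4} cur=
    allowed "$uid" "$gid" 1 / || { echo /; return 1; }
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} want=1 ;;
            *)   rest=           want=$need ;;
        esac
        cur=$cur/$part
        allowed "$uid" "$gid" "$want" "$cur" || { echo "$cur"; return 1; }
    done
    return 0
}

# Usage: sh script.sh UID GID /abs/path [NEED]
# e.g. (constructed uid/gid): sh script.sh 1001 0 /etc/nginx/conf.d/default.conf
if [ "$#" -ge 3 ]; then
    first_blocker "$@" && echo "mode bits allow access along the whole path"
fi
```

Run it as a user that can stat the whole path (for example root inside the container), passing the uid and gid that nginx runs as; pass 2 as NEED for the error log, which has to be writable.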