openshift-nginx docker image running as non-root

Aleksandar Lazic al-nginx at none.at
Thu May 5 15:57:07 UTC 2016


Hi.

Am 04-05-2016 23:50, schrieb Francis Daly:
> On Wed, May 04, 2016 at 06:25:01PM -0300, Paulo Leal wrote:
> 
> Hi there,
> 
> Completely untested by me; and I've not used openshift or docker, but:
> 
>> I have been playing around with the
>> https://github.com/nginxinc/openshift-nginx  dockerfile and trying to 
>> find
>> a way to run run nginx as non-root with openshift/k8/docker.
>> 
>> I am currently getting the error:
>> nginx: [alert] could not open error log file: open()
>> "/var/log/nginx/error.log" failed (13: Permission denied)
> 
> That says that the user you run as cannot open that file.
> 
> ls -ld / /var /var/log /var/log/nginx
> ls -l /var/log/nginx/error.log
> 
> You may need a "-Z" in there too, if you have some extra security 
> enabled.
> 
> Does your user have permission to write the current error.log file;
> or to create a new one? If not, do whatever it takes to make that 
> possible.
> 
> You do mention some "chmod" commands below, but none that refer to this
> directory or file.

In openshift you normally not know with which user your run.

https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-strategies

I think the default is 'MustRunAsRange', this suggest this file.

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L177

There is a solution to run for a dedicated user id.

https://docs.openshift.org/latest/creating_images/guidelines.html#use-uid

You should change the location of the pid file and you can use a syslog 
server for the logs. I have created a more or less ready to use 
solution.

https://github.com/git001/nginx-osev3

Please tell me if the solution is helpful for you.

I can then make a pull request to the 
https://github.com/nginxinc/openshift-nginx .

>> I have alredy added to my Dockerfile:
>> Run ...
>>  && chmod 777 /etc/nginx/nginx.conf \
>>  && chmod 777 /var/run \
>>  && chmod 777 /etc/nginx/conf.d/default.conf
> 
> 777 is possibly excessive; but if it works for you, it works. If you
> don't have "x" permissions on /etc/nginx/conf.d, though, you probably
> won't be able to read the default.conf file within.
> 
>> I also run bash on the container and was albe to "cat" the 
>> "default.conf"
>> and the "nginx.conf" files.
> 
> Do you do that as the same user/group that you run nginx as?

To OP:
the output of ' id && ps axfu && ls -laR /etc/nginx/ ' would be 
interesting.

In general the Images in openshift are running with a random user id 
which it makes difficult to set proper file permissions :-/
You can define some service accounts to be able to run as root, this 
should be used very carefully as in non PaaS environments ;-).

Cheers
Aleks



More information about the nginx mailing list