openshift-nginx docker image running as non-root
Aleksandar Lazic
al-nginx at none.at
Thu May 5 15:57:07 UTC 2016
Hi.
Am 04-05-2016 23:50, schrieb Francis Daly:
> On Wed, May 04, 2016 at 06:25:01PM -0300, Paulo Leal wrote:
>
> Hi there,
>
> Completely untested by me; and I've not used openshift or docker, but:
>
>> I have been playing around with the
>> https://github.com/nginxinc/openshift-nginx dockerfile and trying to
>> find
>> a way to run run nginx as non-root with openshift/k8/docker.
>>
>> I am currently getting the error:
>> nginx: [alert] could not open error log file: open()
>> "/var/log/nginx/error.log" failed (13: Permission denied)
>
> That says that the user you run as cannot open that file.
>
> ls -ld / /var /var/log /var/log/nginx
> ls -l /var/log/nginx/error.log
>
> You may need a "-Z" in there too, if you have some extra security
> enabled.
>
> Does your user have permission to write the current error.log file;
> or to create a new one? If not, do whatever it takes to make that
> possible.
>
> You do mention some "chmod" commands below, but none that refer to this
> directory or file.
In openshift you normally not know with which user your run.
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-strategies
I think the default is 'MustRunAsRange', this suggest this file.
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L177
There is a solution to run for a dedicated user id.
https://docs.openshift.org/latest/creating_images/guidelines.html#use-uid
You should change the location of the pid file and you can use a syslog
server for the logs. I have created a more or less ready to use
solution.
https://github.com/git001/nginx-osev3
Please tell me if the solution is helpful for you.
I can then make a pull request to the
https://github.com/nginxinc/openshift-nginx .
>> I have alredy added to my Dockerfile:
>> Run ...
>> && chmod 777 /etc/nginx/nginx.conf \
>> && chmod 777 /var/run \
>> && chmod 777 /etc/nginx/conf.d/default.conf
>
> 777 is possibly excessive; but if it works for you, it works. If you
> don't have "x" permissions on /etc/nginx/conf.d, though, you probably
> won't be able to read the default.conf file within.
>
>> I also run bash on the container and was albe to "cat" the
>> "default.conf"
>> and the "nginx.conf" files.
>
> Do you do that as the same user/group that you run nginx as?
To OP:
the output of ' id && ps axfu && ls -laR /etc/nginx/ ' would be
interesting.
In general the Images in openshift are running with a random user id
which it makes difficult to set proper file permissions :-/
You can define some service accounts to be able to run as root, this
should be used very carefully as in non PaaS environments ;-).
Cheers
Aleks
More information about the nginx
mailing list