openshift-nginx docker image running as non-root

Paulo Leal paulo.leal at gmail.com
Thu May 5 17:14:05 UTC 2016


Hi,

I added the lines to my dockerfile

RUN ... \
   && chmod 777 /var/log/nginx \
   && rm -rf /var/log/nginx/error.log \
   && rm -rf /var/log/nginx/access.log

It worked for me!

Thanks for your help.

Paulo Leal



On Thu, May 5, 2016 at 12:57 PM, Aleksandar Lazic <al-nginx at none.at> wrote:

> Hi.
>
> Am 04-05-2016 23:50, schrieb Francis Daly:
>
>> On Wed, May 04, 2016 at 06:25:01PM -0300, Paulo Leal wrote:
>>
>> Hi there,
>>
>> Completely untested by me; and I've not used openshift or docker, but:
>>
>>> I have been playing around with the
>>> https://github.com/nginxinc/openshift-nginx dockerfile and trying to
>>> find a way to run nginx as non-root with openshift/k8/docker.
>>>
>>> I am currently getting the error:
>>> nginx: [alert] could not open error log file: open()
>>> "/var/log/nginx/error.log" failed (13: Permission denied)
>>>
>>
>> That says that the user you run as cannot open that file.
>>
>> ls -ld / /var /var/log /var/log/nginx
>> ls -l /var/log/nginx/error.log
>>
>> You may need a "-Z" in there too, if you have some extra security enabled.
>>
>> Does your user have permission to write the current error.log file;
>> or to create a new one? If not, do whatever it takes to make that
>> possible.
>>
>> You do mention some "chmod" commands below, but none that refer to this
>> directory or file.
>>
>
> In openshift you normally do not know with which user you run.
>
>
> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-strategies
>
> I think the default is 'MustRunAsRange'; this suggests this file.
>
>
> https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L177
>
> There is a solution to run for a dedicated user id.
>
> https://docs.openshift.org/latest/creating_images/guidelines.html#use-uid
>
> You should change the location of the pid file and you can use a syslog
> server for the logs. I have created a more or less ready to use solution.
>
> https://github.com/git001/nginx-osev3
>
> Please tell me if the solution is helpful for you.
>
> I can then make a pull request to the
> https://github.com/nginxinc/openshift-nginx .
>
>>> I have already added to my Dockerfile:
>>> RUN ... \
>>>  && chmod 777 /etc/nginx/nginx.conf \
>>>  && chmod 777 /var/run \
>>>  && chmod 777 /etc/nginx/conf.d/default.conf
>>>
>>
>> 777 is possibly excessive; but if it works for you, it works. If you
>> don't have "x" permissions on /etc/nginx/conf.d, though, you probably
>> won't be able to read the default.conf file within.
>>
>>> I also ran bash on the container and was able to "cat" the "default.conf"
>>> and the "nginx.conf" files.
>>>
>>
>> Do you do that as the same user/group that you run nginx as?
>>
>
> To OP:
> the output of ' id && ps axfu && ls -laR /etc/nginx/ ' would be
> interesting.
>
> In general the images in openshift are running with a random user id, which
> makes it difficult to set proper file permissions :-/
> You can define some service accounts to be able to run as root; this
> should be used very carefully, as in non-PaaS environments ;-).
>
> Cheers
> Aleks
>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
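The thread settles on chmod 777 for the paths nginx writes to, and Francis notes that 777 is more than needed. The script below is an added example, not code from the thread, from nginxinc/openshift-nginx or from git001/nginx-osev3. It follows the approach described in the OpenShift "use-uid" guideline that Aleks links: whatever random UID the pod gets, it is a member of the root group (GID 0), so making the writable paths group-owned by GID 0 with the group given the owner's bits (g=u) is enough, and nothing has to be world-writable. It also redirects the access and error logs to the container's stdout/stderr so nginx never has to create a log file, and makes /var/run writable so the default pid file location keeps working. The NGINX_PREFIX argument is a hypothetical prefix so the layout can be exercised in a scratch directory; in an image build it would be "" (the real root). GNU stat is assumed for the mode check.

```shell
#!/bin/sh
# Added example (not from the thread): prepare the paths nginx writes to so
# that any UID in the root group (GID 0), which is what OpenShift's random-UID
# strategy gives a container, can use them without chmod 777.
umask 022

# Give the root group the same rights as the owner on a path tree. chgrp needs
# privileges that may be missing outside an image build, so its failure is
# tolerated; chmod g=u still demonstrates the resulting mode.
grant_group_zero() {
    chgrp -R 0 "$1" 2>/dev/null || true
    chmod -R g=u "$1"
}

# Lay out the directories named in the thread under a prefix ("" for a real
# image; a scratch directory when experimenting), then point the log files at
# the container's stdout/stderr so nginx never needs to open a log file.
prepare_nginx_fs() {
    prefix="$1"   # hypothetical prefix, see lead-in
    mkdir -p "$prefix/var/log/nginx" "$prefix/var/run" \
             "$prefix/var/cache/nginx" "$prefix/etc/nginx/conf.d"
    : > "$prefix/etc/nginx/nginx.conf"           # constructed empty placeholder
    : > "$prefix/etc/nginx/conf.d/default.conf"  # constructed empty placeholder
    for p in "$prefix/var/log/nginx" "$prefix/var/run" \
             "$prefix/var/cache/nginx" "$prefix/etc/nginx"; do
        grant_group_zero "$p"
    done
    # Symlinks are created last so the recursive chmod never touches them.
    ln -sf /dev/stdout "$prefix/var/log/nginx/access.log"
    ln -sf /dev/stderr "$prefix/var/log/nginx/error.log"
}

# Last three octal digits of a path's mode (drops setuid/setgid/sticky).
mode_of() {
    m=$(stat -c '%a' "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# Succeeds when the group can write but "other" cannot: the least-privilege
# state this example aims for, as opposed to the 777 used in the thread.
group_writable_not_world() {
    case "$(mode_of "$1")" in
        ?[2367][0145]) return 0 ;;
        *) return 1 ;;
    esac
}

# The diagnostics Francis and Aleks asked for, to be run as the user that
# nginx actually runs as inside the pod.
show_perms() {
    id
    ls -ld "$1/" "$1/var" "$1/var/log" "$1/var/log/nginx"
    ls -laR "$1/etc/nginx"
}
```

In a Dockerfile the body of prepare_nginx_fs with an empty prefix becomes the RUN steps that replace the chmod 777 lines; the resulting directories are mode 775 and files 664, owned by root:root, which any arbitrary UID in GID 0 can write. If the pid file is moved elsewhere, as Aleks suggests, that directory needs the same treatment.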