Openshift-nginx docker image running as non-root

Hi,

I have been playing around with the
https://github.com/nginxinc/openshift-nginx Dockerfile and trying to find
a way to run nginx as non-root with openshift/k8/docker.
I am currently getting the error:
nginx: [alert] could not open error log file: open()
"/var/log/nginx/error.log" failed (13: Permission denied)
2016/05/04 20:51:09 [warn] 1#1: the "user" directive makes sense only if
the master process runs with super-user privileges, ignored in
/etc/nginx/nginx.conf:5
2016/05/04 20:51:09 [emerg] 1#1: open() "/etc/nginx/conf.d/default.conf"
failed (13: Permission denied) in /etc/nginx/nginx.conf:33

I have already added to my Dockerfile:
RUN … \
    && chmod 777 /etc/nginx/nginx.conf \
    && chmod 777 /var/run \
    && chmod 777 /etc/nginx/conf.d/default.conf

I also ran bash on the container and was able to "cat" the "default.conf"
and the "nginx.conf" files.

I am not sure if it's the correct place to put this question, but I got here
from
http://mailman.nginx.org/pipermail/nginx-devel/2015-November/007511.html
(as you can notice, I have copied the beginning of the email from Scott's
email. Hope you don't mind! =o) )

Best regards,

Paulo Leal

On Wed, May 04, 2016 at 06:25:01PM -0300, Paulo Leal wrote:

Hi there,

Completely untested by me; and I’ve not used openshift or docker, but:

> I have been playing around with the
> https://github.com/nginxinc/openshift-nginx Dockerfile and trying to find
> a way to run nginx as non-root with openshift/k8/docker.
> I am currently getting the error:
> nginx: [alert] could not open error log file: open()
> "/var/log/nginx/error.log" failed (13: Permission denied)

That says that the user you run as cannot open that file.

ls -ld / /var /var/log /var/log/nginx
ls -l /var/log/nginx/error.log

You may need a “-Z” in there too, if you have some extra security
enabled.

Does your user have permission to write the current error.log file;
or to create a new one? If not, do whatever it takes to make that
possible.

You do mention some “chmod” commands below, but none that refer to this
directory or file.

> 2016/05/04 20:51:09 [warn] 1#1: the "user" directive makes sense only if
> the master process runs with super-user privileges, ignored in
> /etc/nginx/nginx.conf:5

That is harmless; if you intend to run as non-root, you can remove that
directive from the config file.

> 2016/05/04 20:51:09 [emerg] 1#1: open() "/etc/nginx/conf.d/default.conf"
> failed (13: Permission denied) in /etc/nginx/nginx.conf:33

That suggests that your user can read /etc/nginx/nginx.conf, but cannot
read /etc/nginx/conf.d/default.conf

“ls -ld” or “ls -ldZ” every directory from the root to that one.

Perhaps there is something there that shows why you are blocked.

> I have already added to my Dockerfile:
> RUN … \
>     && chmod 777 /etc/nginx/nginx.conf \
>     && chmod 777 /var/run \
>     && chmod 777 /etc/nginx/conf.d/default.conf

777 is possibly excessive; but if it works for you, it works. If you
don’t have “x” permissions on /etc/nginx/conf.d, though, you probably
won’t be able to read the default.conf file within.

> I also ran bash on the container and was able to "cat" the "default.conf"
> and the "nginx.conf" files.

Do you do that as the same user/group that you run nginx as?

Good luck with it,

f

Francis D.

Hi.

On 04-05-2016 23:50, Francis D. wrote:

> enabled.
>
> Does your user have permission to write the current error.log file;
> or to create a new one? If not, do whatever it takes to make that
> possible.
>
> You do mention some "chmod" commands below, but none that refer to this
> directory or file.

In OpenShift you normally do not know which user you run as.

https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-strategies

I think the default is 'MustRunAsRange', as this file suggests.

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L177

There is a solution for running with a dedicated user id.

https://docs.openshift.org/latest/creating_images/guidelines.html#use-uid

You should change the location of the pid file and you can use a syslog
server for the logs. I have created a more or less ready to use
solution.

Please tell me if the solution is helpful for you.

I can then make a pull request to the
https://github.com/nginxinc/openshift-nginx .

>> I also ran bash on the container and was able to "cat" the "default.conf"
>> and the "nginx.conf" files.
>
> Do you do that as the same user/group that you run nginx as?

To OP:
the output of 'id && ps axfu && ls -laR /etc/nginx/' would be
interesting.

In general the images in OpenShift are running with a random user id,
which makes it difficult to set proper file permissions :-/
You can define some service accounts to be able to run as root, but this
should be used very carefully, as in non-PaaS environments ;-).

Cheers
Aleks
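Francis's advice (check the mode of every directory from the root down to the file, for the user nginx actually runs as) and Aleks's point that the UID is random under OpenShift call for the same check. The script below is an added example, not code from this thread or from nginxinc/openshift-nginx: it walks a path and evaluates the permission bits as seen by a process that is not the file owner but belongs to a given group (an OpenShift arbitrary UID always carries GID 0), and `fix_for_group` applies the image guideline Aleks links to (hand the tree to group 0, give the group the owner's bits). It assumes a GNU or busybox `stat` that supports `-c`; the function names and the optional `TOP` argument are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from nginxinc/openshift-nginx.
# Evaluates file modes for a process that is NOT the owner: a random,
# non-root UID that belongs to group GID (OpenShift: GID 0).
# Assumes GNU/busybox `stat -c`.

# perm_digit FILE GID: print the octal permission digit that applies to a
# non-owner process in group GID (group bits if FILE belongs to GID,
# otherwise the "other" bits).
perm_digit() {
    mode=$(stat -c '%a' "$1") || return 1
    fgid=$(stat -c '%g' "$1") || return 1
    mode=$(printf '%04d' "$mode")     # pad, e.g. 755 -> 0755, 1777 stays
    mode=${mode#"${mode%???}"}        # keep the last three digits only
    if [ "$fgid" -eq "$2" ]; then
        g=${mode%?}; printf '%s\n' "${g#?}"   # middle digit: group
    else
        printf '%s\n' "${mode#??}"            # last digit: other
    fi
}

# path_check TARGET read|write GID [TOP]
#   "read"  : a config file nginx must open (needs r on the file)
#   "write" : a directory nginx must create/append log files in (needs w+x)
#   Every directory from TOP (default /) down to TARGET's parent needs the
#   search (x) bit, which is what 'ls -ld' on each ancestor would show.
#   Returns 0 when the path is usable, 1 with a BLOCKED message otherwise.
path_check() {
    target=$1 need=$2 gid=$3 top=${4:-/}
    case $need in
        read)  want=4 ;;   # r
        write) want=3 ;;   # w + x
        *) echo "usage: path_check TARGET read|write GID [TOP]" >&2; return 2 ;;
    esac
    dir=$(dirname -- "$target")
    while :; do
        d=$(perm_digit "$dir" "$gid") || { echo "BLOCKED: cannot stat $dir"; return 1; }
        if [ $(( d & 1 )) -ne 1 ]; then
            echo "BLOCKED: $dir has no search (x) bit for a non-owner in gid $gid (digit $d)"
            return 1
        fi
        [ "$dir" = "$top" ] || [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    d=$(perm_digit "$target" "$gid") || { echo "BLOCKED: cannot stat $target"; return 1; }
    if [ $(( d & want )) -ne "$want" ]; then
        echo "BLOCKED: $target is not ${need}able by a non-owner in gid $gid (digit $d)"
        return 1
    fi
    echo "OK: $target is ${need}able by a non-owner UID in gid $gid"
}

# fix_for_group DIR: the OpenShift image guideline, run at image build time
# as root: group 0 owns the tree and the group gets the owner's permissions.
# chgrp needs root, so it is allowed to fail (e.g. when trying this as a
# normal user); the chmod is what makes the group bits match the owner's.
fix_for_group() {
    chgrp -R 0 "$1" 2>/dev/null || true
    chmod -R g=u "$1"
}

# Usage: sh check.sh /etc/nginx/conf.d/default.conf read 0
#        sh check.sh /var/log/nginx write 0
if [ $# -ge 3 ]; then
    path_check "$@"
fi
```

Run it inside the image (`oc rsh`, then `sh check.sh /var/log/nginx write 0`) before reaching for `chmod 777`: it names the first ancestor that blocks the random UID, and after `fix_for_group /var/log/nginx` the same check should report OK while "other" stays untouched.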

Hi,

I added the lines to my Dockerfile

RUN … \
    && chmod 777 /var/log/nginx \
    && rm -rf /var/log/nginx/error.log \
    && rm -rf /var/log/nginx/access.log

It worked for me!

Thanks for your help.

Paulo Leal

On 05-05-2016 19:14, Paulo Leal wrote:

> It worked for me!
When you want to read the files you call

oc rsh
cat /var/log/nginx/error.log

or something similar, right.

Would it not be nicer to get it via

oc logs -f <ACCESS_LOGGING_POD>
oc logs -f <ERROR_LOGGING_POD>

I think for a POC (proof of concept) the local logs setup works, but when
you want more production readiness you should consider logging to a
syslog server. IMHO.

Maybe you can reuse the aggregating logs setup from openshift.

https://docs.openshift.org/latest/install_config/aggregate_logging.html

with

http://docs.fluentd.org/articles/in_syslog

or something similar.

Cheers Aleks