Hi.
On 04-05-2016 23:50, Francis Daly wrote:
> On Wed, May 04, 2016 at 06:25:01PM -0300, Paulo Leal wrote:
>
> Hi there,
>
> Completely untested by me; and I've not used openshift or docker, but:
>
>> I have been playing around with the
>> https://github.com/nginxinc/openshift-nginx dockerfile and trying to find
>> a way to run nginx as non-root with openshift/k8/docker.
>> I am currently getting the error:
>> nginx: [alert] could not open error log file: open()
>> "/var/log/nginx/error.log" failed (13: Permission denied)
>
> That says that the user you run as cannot open that file.
>
> ls -ld / /var /var/log /var/log/nginx
> ls -l /var/log/nginx/error.log
>
> You may need a "-Z" in there too, if you have some extra security
> enabled.
>
> Does your user have permission to write the current error.log file;
> or to create a new one? If not, do whatever it takes to make that
> possible.
>
> You do mention some "chmod" commands below, but none that refer to this
> directory or file.

In openshift you normally do not know which user you run as.
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-strategies
I think the default is 'MustRunAsRange'; this file suggests so.
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L177
There is a solution to run with a dedicated user id.
https://docs.openshift.org/latest/creating_images/guidelines.html#use-uid
You should change the location of the pid file and you can use a syslog
server for the logs. I have created a more or less ready to use
solution.
https://github.com/git001/nginx-osev3
Please tell me if the solution is helpful for you.
I can then make a pull request to
https://github.com/nginxinc/openshift-nginx .

>> I have already added to my Dockerfile:
>> Run ...
>> && chmod 777 /etc/nginx/nginx.conf \
>> && chmod 777 /var/run \
>> && chmod 777 /etc/nginx/conf.d/default.conf
>
> 777 is possibly excessive; but if it works for you, it works. If you
> don't have "x" permissions on /etc/nginx/conf.d, though, you probably
> won't be able to read the default.conf file within.
>
>> I also run bash on the container and was able to "cat" the
>> "default.conf" and the "nginx.conf" files.
>
> Do you do that as the same user/group that you run nginx as?

To OP:
the output of ' id && ps axfu && ls -laR /etc/nginx/ ' would be
interesting.

In general the images in openshift run with a random user id,
which makes it difficult to set proper file permissions :-/
You can define some service accounts to be able to run as root; this
should be used very carefully, as in non-PaaS environments ;-).

Cheers
Aleks
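
The per-component permission check suggested in the thread (`ls -ld / /var /var/log /var/log/nginx`) and a narrower alternative to `chmod 777`, as an added example that is not part of the original message or of either linked repository. It assumes GNU `stat` and models a process that runs as an arbitrary UID owning none of the files and belonging to group 0, which is what the linked OpenShift image guidelines describe; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and a process that owns
# none of the files and whose only group is GID (0 for OpenShift's random UIDs).

# mode_allows MODE FILE_GID PROC_GID PERM
# True if octal MODE grants PERM (r, w or x) to such a non-owner process.
mode_allows() {
    case $4 in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$2" -eq "$3" ]; then
        class=$(( (0$1 >> 3) & 7 ))   # file's group matches: group bits apply
    else
        class=$(( 0$1 & 7 ))          # otherwise the "other" bits apply
    fi
    [ $(( class & bit )) -ne 0 ]
}

# grant_group GID PATH...
# Build-time alternative to "chmod 777": give the paths to group GID and copy
# the owner's bits to the group (g=u), leaving the "other" bits untouched.
grant_group() {
    gid=$1; shift
    chgrp -R "$gid" "$@" && chmod -R g=u "$@"
}

# audit GID PERM PATH
# Needs PERM on PATH itself and search (x) on every parent up to /.
# Prints the first component that blocks access and returns 1.
audit() {
    gid=$1 need=$2 p=$3
    while :; do
        st=$(stat -c '%a %g' "$p") || return 2
        if ! mode_allows "${st% *}" "${st#* }" "$gid" "$need"; then
            echo "DENIED ($need) gid=$gid: $p mode=${st% *} group=${st#* }"
            return 1
        fi
        case $p in /|.) return 0 ;; esac
        p=$(dirname "$p"); need=x
    done
}

# Hypothetical use, paths taken from the thread:
#   image build (as root):  grant_group 0 /var/log/nginx /var/run /etc/nginx
#   inside the container:   audit 0 w /var/log/nginx/error.log
```
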