Run nginx as unprevileged user #3167
Conversation
|
Created a staging project on OBS for Tumbleweed: home:pushman:BCI:Staging:Tumbleweed:Tumbleweed-3167 Build ResultsRepository
Repository
Repository
Repository
Build succeeded ✅ To run BCI-tests against this PR, use the following command: OS_VERSION=tumbleweed TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/tumbleweed/tumbleweed-3167/ tox -- -n autoThe following images can be pulled from the staging project:
|
|
Created a staging project on OBS for 7: home:pushman:BCI:Staging:SLE-15-SP7:7-3167 Build ResultsRepository
Repository
Repository
Repository
Repository
Repository
Repository
Repository
Build succeeded ✅ To run BCI-tests against this PR, use the following command: OS_VERSION=15.7 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/sle-15-sp7/7-3167/ tox -- -n autoThe following images can be pulled from the staging project:
|
|
Created a staging project on OBS for 16.0: home:pushman:BCI:Staging:16.0:16.0-3167 Build ResultsRepository
Repository
Repository
Repository
Repository
Repository
Repository
Repository
Build succeeded ✅ To run BCI-tests against this PR, use the following command: OS_VERSION=16.0 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/16.0/16.0-3167/ tox -- -n autoThe following images can be pulled from the staging project:
|
rcmadhankumar
force-pushed
the
unprevileged-nginx
branch
from
871cffd to
e43e062
Compare
rcmadhankumar
force-pushed
the
unprevileged-nginx
branch
from
e43e062 to
ca2996d
Compare
| entrypoint_log "$0: Removed 'user' directive for unprivileged worker." | ||
|
|
||
| # Ensure PID path is set to /tmp/nginx.pid | ||
| sed -i 's,^#\?\s*pid\s\+.*;$,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf |
There was a problem hiding this comment.
why are we setting it to /tmp rather than a safe location like /run/nginx or /run ?
There was a problem hiding this comment.
We are starting the nginx container as unprevileged user.
/run directory and /var/run directory is owned by root.
There was a problem hiding this comment.
But nothing prevents you from having /run/nginx/nginx.pid , you can create the folder with the nginx user, which it seems you already do with chown -R nginx:nginx /var/run/.
I would also move this to be a default location, not just in case it is a non-root user. Since it would not make any difference if it is owned by nginx anyway.
There was a problem hiding this comment.
pid path is set to /var/run/nginx/nginx.pid
|
@rcmadhankumar can you please also include the (adjusted) readme update from #3071 ? |
rcmadhankumar
force-pushed
the
unprevileged-nginx
branch
from
ca2996d to
77e787a
Compare
Added relevant readme update. |
rcmadhankumar
force-pushed
the
unprevileged-nginx
branch
from
77e787a to
74167bd
Compare
alexandrevicenzi
left a comment
alexandrevicenzi
left a comment
There was a problem hiding this comment.
Are we seding the user provided file as well (volume mount)? It does not make sense to change is such cases, only if it is the default config we ship, otherwise, we could potentially break the user config.
| entrypoint_log "$0: Removed 'user' directive for unprivileged worker." | ||
|
|
||
| # Ensure PID path is set to /tmp/nginx.pid | ||
| sed -i 's,^#\?\s*pid\s\+.*;$,pid /tmp/nginx.pid;,' /etc/nginx/nginx.conf |
There was a problem hiding this comment.
But nothing prevents you from having /run/nginx/nginx.pid , you can create the folder with the nginx user, which it seems you already do with chown -R nginx:nginx /var/run/.
I would also move this to be a default location, not just in case it is a non-root user. Since it would not make any difference if it is owned by nginx anyway.
rcmadhankumar
force-pushed
the
unprevileged-nginx
branch
2 times, most recently
from
7d44601 to
5c92bea
Compare
|
Created a staging project on OBS for 16.1: home:pushman:BCI:Staging:16.1:16.1-3167 |
| entrypoint_log "$0: Running as unprivileged user (UID: $CURRENT_UID). Configuring for unprivileged mode (Port 8080)." | ||
|
|
||
| # Remove the 'user' directive | ||
| sed -i '/^user/d' /etc/nginx/nginx.conf |
There was a problem hiding this comment.
This should replace only if the user is root I think, otherwise it can override a user provided in the custom config. However we could also use NGINX_USER and the build-in template engine.
There was a problem hiding this comment.
As an unprevileged user i can't use the command user. so, the line is removed from the config file.
Updated the #comment accordingly.
| fi | ||
|
|
||
| # modify temp paths | ||
| sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf |
There was a problem hiding this comment.
We could use /tmp for all users, including root.
There was a problem hiding this comment.
this line is applicable to both non root and root users.
Just updated the comment and moved the code above if blocks.
| entrypoint_log "$0: Removed 'user' directive for unprivileged worker." | ||
|
|
||
| # Ensure PID path is set to /var/run/nginx.pid | ||
| sed -i 's,^#\?\s*pid\s\+.*;$,pid /var/run/nginx/nginx.pid;,' /etc/nginx/nginx.conf |
There was a problem hiding this comment.
We could use /var for all users, including root.
|
|
||
| # Ensure PID path is set to /var/run/nginx.pid | ||
| sed -i 's,^#\?\s*pid\s\+.*;$,pid /var/run/nginx/nginx.pid;,' /etc/nginx/nginx.conf | ||
| sed -i 's/listen \(.*\)80;/listen \18080;/' /etc/nginx/conf.d/default.conf 2>/dev/null || \ |
There was a problem hiding this comment.
We should probably use the built-in template functions to override the port. However the user would be required to set NGINX_PORT in case a non-root user is used.
There was a problem hiding this comment.
I think, for a smoother user experience we can keep it as it is! wdyt?
(user can always forward the port 8080 to the port no they wish anyways)
rcmadhankumar
force-pushed
the
unprevileged-nginx
branch
from
5c92bea to
c6f69b9
Compare
Made necessary changes to the nginx image so that it can be simply run as non root by passing
--user=nginxflag.