Thanks Aleks, I got it to work with a combo of what you provided and I also had to chmod /var/run or I would get a permission error on the /var/run/nginx.pid and it wouldn't start.
thanks,
Scott

----- Original Message -----
From: "Aleksandar Lazic" <al-ng...@none.at>
To: ng...@nginx.org
Cc: "Scott Creeley" <scree...@redhat.com>, nginx-devel@nginx.org
Sent: Wednesday, November 11, 2015 3:10:44 PM
Subject: Re: Fwd: openshift-nginx docker image running as non-root

Dear Scott.

I think this is not a devel question so I answer primarily to nginx list.

On 11-11-2015 19:23, Scott Creeley wrote:
> ----- Forwarded Message -----
> From: "Scott Creeley" <scree...@redhat.com>
> To: nginx-devel@nginx.org
> Sent: Wednesday, November 11, 2015 12:13:49 PM
> Subject: openshift-nginx docker image running as non-root
>
> Hi,
> Been playing around with the
> https://github.com/nginxinc/openshift-nginx dockerfile and trying to
> find a way to run nginx as non-root with openshift/k8/docker. Not
> having much luck, if I pass in a user or specify a user in the
> nginx.conf or Dockerfile or via openshift/k8 runAsUser I always get
> some form of permission errors. Is there a way to do this or am I
> wasting my time messing with this?
>
> nginx: [alert] could not open error log file: open()
> "/var/log/nginx/error.log" failed (13: Permission denied)
> 2015/11/10 14:40:40 [warn] 1#1: the "user" directive makes sense only
> if the master process runs with super-user privileges, ignored in
> /etc/nginx/nginx.conf:2
> 2015/11/10 14:40:40 [emerg] 1#1: mkdir()
> "/var/cache/nginx/client_temp" failed (13: Permission denied)

We had the same problem.

tl;dr

Add this to the dockerfile.

    RUN .... && chmod -R 777 /var/log/nginx /var/cache/nginx/ \
         && chmod 644 /etc/nginx/*

Longer explanation.

Openshift v3 uses a random user inside the container.
This makes the user and group settings in most Dockerfiles and apps not very helpful.

You can take a look into the node-js example container

oc exec nodejs-example-1-qerx1 -it bash

######
bash-4.2$ ps aafxu
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1000100+    19  0.0  0.0  11740  1840 ?        Ss   14:58   0:00 bash
1000100+    34  0.0  0.0  19764  1204 ?        R+   14:58   0:00  \_ ps aafxu
1000100+     1  0.0  0.0 863264 26216 ?        Ssl  Nov09   0:00 npm
1000100+    17  0.0  0.0 701120 25892 ?        Sl   Nov09   0:00 node server.js
#######

The reason why most programs have this user & group stuff is security.

Due to the fact that almost all containers in Openshift v3 run under a dedicated user (e.g.: 1000100+), you don't need to, and are not allowed to, change to a dedicated user.

Please take a look at these docs.
Due to the fact that I don't know if you use Openshift Enterprise (OSE) or Openshift origin, I post the doc links from the origin ;-)

https://docs.openshift.org/latest/architecture/index.html
https://docs.openshift.org/latest/creating_images/guidelines.html
https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile
https://docs.openshift.org/latest/using_images/docker_images/index.html
https://docs.openshift.org/latest/architecture/core_concepts/pods_and_services.html
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

Please give yourself some time to learn the Openshift ecosystem; it's not like a 'docker run ...' on any machine ;-)

BR Aleks

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
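
A build-time check for the directory permissions discussed in this thread, as an added example that is not from the thread or the openshift-nginx project: it reports whether each directory nginx writes to is writable through group 0 alone, and flags world-writable modes such as 777. It assumes the model in the OpenShift image guidelines (the arbitrary UID does not own the directory and is a member of the root group, GID 0); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the openshift-nginx project.
# Assumption: the container runs as an arbitrary UID that does not own the
# directory and whose group is root (GID 0), per the OpenShift image guidelines.

# classify MODE GID -> world-writable | ok | denied
# MODE is octal as printed by `stat -c %a`; GID is the directory's group id.
classify() {
    mode=$(( 0$1 ))
    group_bits=$(( (mode >> 3) & 7 ))
    other_bits=$(( mode & 7 ))
    if [ $(( other_bits & 2 )) -ne 0 ]; then
        echo world-writable   # e.g. 777: any UID can write, not just nginx
    elif [ "$2" -eq 0 ] && [ $(( group_bits & 3 )) -eq 3 ]; then
        echo ok               # group 0 has write+search, "other" has no write
    else
        echo denied           # nginx would log "(13: Permission denied)"
    fi
}

# audit_path PATH -> "<verdict> <path>" (needs GNU or busybox stat)
audit_path() {
    st=$(stat -c '%a %g' "$1") || return 2
    echo "$(classify ${st% *} ${st#* }) $1"
}

# audit_all PATH... -> prints one line per path, returns 1 unless all are "ok"
audit_all() {
    rc=0
    for p in "$@"; do
        line=$(audit_path "$p") || { rc=1; continue; }
        echo "$line"
        case $line in "ok "*) ;; *) rc=1 ;; esac
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    audit_all "$@"   # e.g. /var/log/nginx /var/cache/nginx /var/run
else
    # No paths given: show verdicts for constructed "mode gid" pairs.
    for pair in "777 0" "770 0" "755 0" "775 101"; do
        echo "$pair -> $(classify $pair)"
    done
fi
```

Run as a late step in the image build, a non-zero exit from `audit_all` stops the build when a directory is either unwritable for the arbitrary UID or writable by every user.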