Hi, I am getting the following errors as I try to implement a new user in my Dockerfile rather than using the root user.
2020-10-16T09:28:04.554363522Z nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:5
2020-10-16T09:28:04.564383012Z nginx: [emerg] mkdir() "/var/lib/nginx/tmp/client_body" failed (13: Permission denied)
2020-10-16T09:28:06.882365055Z nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:5
2020-10-16T09:28:06.891084727Z nginx: [emerg] mkdir() "/var/lib/nginx/tmp/client_body" failed (13: Permission denied)
2020-10-16T09:28:09.331807870Z nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:5
2020-10-16T09:28:09.342560643Z nginx: [emerg] mkdir() "/var/lib/nginx/tmp/client_body" failed (13: Permission denied)
Below is the Dockerfile that I have created. I have created a new user called api-gateway; however, when I build my Docker image and run the container I get the above errors.
Any suggestions as to what changes I need to implement to get the user working instead of the root user?
USER root
RUN microdnf --setopt=tsflags=nodocs install -y nginx procps shadow-utils net-tools ca-certificates dirmngr gnupg wget vim\
&& microdnf clean all \
&& rpm -q procps-ng
ENV NGINX_USER="api-gatway" \
NGINXR_UID="8987" \
NGINX_GROUP="api-gatway" \
NGINX_GID="8987"
RUN set -ex; \
groupadd -r --gid "$NGINX_GID" "$NGINX_GROUP"; \
useradd -r --uid "$NGINXR_UID" --gid "$NGINX_GID" "$NGINX_USER"
#To start up NGINX
EXPOSE 80
RUN mkdir -p /var/lib/nginx/
RUN mkdir -p /var/log/nginx/
RUN mkdir -p /var/lib/nginx/tmp/
RUN chown api-gatway /var/lib/nginx/
RUN chown api-gatway /var/log/nginx/
USER api-gatway
CMD ["nginx", "-g", "daemon off;"]
Run as an unprivileged user
First, create a new user without sudo privileges. Then you can configure nginx to run as an unprivileged system user (e.g., not the root user or a user with sudo privileges). This is done via the user directive in the /etc/nginx/nginx.conf configuration file.
So yes, you should use a user besides root -- one that has the minimal privileges required to read the files it needs. Typically this involves creating a new nginx (or www or similar) user specifically for the task.
Per default, nginx runs as root user. Why? Only root processes can listen to ports below 1024. The default port for web applications is usually 80 or 443.
Please add the volume and volume mount section in your deployment yaml file:
volumes:
  - name: nginx-dir
    emptyDir: { }
  - name: nginx-empty
    emptyDir: { }
  - name: nginx-run
    emptyDir: { }
volumeMounts:
  - mountPath: /etc/nginx/conf.d/
    name: nginx-dir
  - mountPath: /var/cache/nginx/client_temp
    name: nginx-empty
  - mountPath: /var/run/
    name: nginx-run
This should allow you to access the particular dir without root user.
NGINX has now an official unprivileged Docker image, with more fine-grained changes (below are only "notable" ones, there are more of them):
- user directive in /etc/nginx/nginx.conf
- /var/run/nginx.pid to /tmp/nginx.pid
- *_temp_path variables to /tmp/*
To see all these changes, please check out the source at nginxinc/docker-nginx-unprivileged or simply pull one of the resulting unprivileged Docker images from the Docker Hub (nginxinc/nginx-unprivileged), and I strongly recommend the one based on Alpine rather than on Debian to avoid frequent vulnerabilities:
docker pull nginxinc/nginx-unprivileged:stable-alpine
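An added example, not part of the original posts: a small Python check showing why the question's Dockerfile still ends in `mkdir() "/var/lib/nginx/tmp/client_body" failed (13: Permission denied)`. `chown` without `-R` changes only `/var/lib/nginx/` itself, so `/var/lib/nginx/tmp/` is not owned by `api-gatway`. The function names are hypothetical, and the model assumes one `chown` per `RUN` line, directories that exist before they are chowned, and root ownership for anything never chowned.

```python
import posixpath
import shlex

# Constructed sample: the ownership-related lines of the question's Dockerfile.
QUESTION_DOCKERFILE = """\
USER root
RUN mkdir -p /var/lib/nginx/tmp/
RUN chown api-gatway /var/lib/nginx/
RUN chown api-gatway /var/log/nginx/
USER api-gatway
"""

def parse_chowns(dockerfile):
    """Return (final USER, [(owner, path, recursive), ...]) for simple RUN chown lines."""
    user, chowns = "root", []
    joined = dockerfile.replace("\\\n", " ")  # fold backslash line continuations
    for line in joined.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        instruction = words[0].upper()
        if instruction == "USER" and len(words) > 1:
            user = words[1].split(":")[0]  # drop an optional :group suffix
        elif instruction == "RUN" and words[1:2] == ["chown"]:
            args = words[2:]
            recursive = any(a in ("-R", "--recursive") for a in args)
            operands = [a for a in args if not a.startswith("-")]
            owner = operands[0].split(":")[0] if operands else ""
            for path in operands[1:]:
                chowns.append((owner, posixpath.normpath(path), recursive))
    return user, chowns

def paths_not_owned_by_runtime_user(dockerfile, needed):
    """List the paths in `needed` that the final USER will not own."""
    user, chowns = parse_chowns(dockerfile)
    not_owned = []
    for path in map(posixpath.normpath, needed):
        owner = "root"  # assumption: a path that is never chowned stays root-owned
        for who, target, recursive in chowns:  # a later chown overrides an earlier one
            below = path.startswith(target.rstrip("/") + "/")
            if path == target or (recursive and below):
                owner = who
        if owner != user:
            not_owned.append(path)
    return not_owned

if __name__ == "__main__":
    needed = ["/var/lib/nginx/tmp", "/var/log/nginx"]
    print("before:", paths_not_owned_by_runtime_user(QUESTION_DOCKERFILE, needed))
    fixed = QUESTION_DOCKERFILE.replace("chown api-gatway", "chown -R api-gatway")
    print("after: ", paths_not_owned_by_runtime_user(fixed, needed))
```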