nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0

docker: access log is owned by root #1422

Open 0x6f677548 opened 2 weeks ago

0x6f677548 commented 2 weeks ago

Hi; docker container image: unit:python3.12

my config includes:

    "access_log": {
        "path": "/var/log/unit/unit-access.log",
        "format": "$remote_addr - [$time_local] $host \"$request_line\" $status $body_bytes_sent \"$header_referer\" \"$header_user_agent\" \"$remote_addr\""
    }

It seems that although unit is running as unit (uid:999), the log file is created as root:

# id
uid=0(root) gid=0(root) groups=0(root)
# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  10084  4324 ?        Ss   15:59   0:00 unit: main v1.32.1 [unitd --no-daemon --control unix:/var/run/control.unit.sock]
unit        74  0.0  0.0   9440  1520 ?        S    15:59   0:00 unit: controller
unit        75  0.0  0.0 1206808 13376 ?       Sl   15:59   0:00 unit: router
unit        76  0.0  0.0  16572  4640 ?        S    15:59   0:00 unit: "fastapi" prototype
unit        77  2.5  0.5 1792776 83396 ?       Sl   15:59   0:01 unit: "fastapi" application
root       117  0.0  0.0   2480   520 pts/0    Ss   16:00   0:00 /bin/sh
root       127  0.0  0.0   8648  3276 pts/0    R+   16:00   0:00 ps aux
# ls -l /var/log/unit
total 0
-rw------- 1 root root 0 Sep 13 15:59 unit-access.log

1) is there any way to run the container as non-root? I already tried to run it with the same user, but I get:

| /usr/local/bin/docker-entrypoint.sh: /var/lib/unit/ is not empty, skipping initial configuration...
| 2024/09/13 16:06:51 [warn] 1#1 Unit is running unprivileged, then it cannot use arbitrary user and group.
| 2024/09/13 16:06:51 [alert] 1#1 bind(6, unix:/var/run/control.unit.sock.tmp) failed (13: Permission denied)

2) Is there any way to create the log file as non-root?

This is somehow related to #193, as I am trying to overcome this limitation by sharing the log file with another otel-collector container that does not run as root. Any alternative suggestion would be welcome. Thanks.

ac000 commented 1 week ago

2024/09/13 16:06:51 [alert] 1#1 bind(6, unix:/var/run/control.unit.sock.tmp) failed (13: Permission denied)

You will need to specify --control to point to someplace your user has permissions to read/write. Probably the same for --pid, --log & --statedir.

unitd --version will show you the default values for these things...
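Putting the reply above into practice, here is an added example (not code from the issue author or the Unit project) that prepares a user-writable runtime prefix, pre-creates the access log with the ownership and mode a sidecar reader needs, and builds the unitd command line with every path-bearing option pointed into that prefix instead of the root-owned defaults. The prefix path, the file names under it, the 0640 mode and the use of --tmpdir (a real unitd option, though the reply does not list it) are my choices, not something stated on the page. The pre-created log also addresses question 2 from the issue body: open(2) with O_CREAT only assigns ownership when it creates the file, so a log that already exists when Unit opens it for appending keeps its owner, even if the opening process is root.

```shell
#!/bin/sh
# Added example, not from the issue or the Unit project.
# Assumptions: the prefix layout (run/, log/, state/, tmp/), the file
# names, the 0640 log mode and the 0750 directory mode are all mine.
set -eu

# Create the runtime directories and pre-create the access log under $prefix.
# Everything is owned by the invoking (non-root) user, so a unitd started by
# that user can bind its control socket and write its logs here.
# Prints the access log path.
unit_prepare_prefix() {
    prefix=$1
    mkdir -p "$prefix/run" "$prefix/log" "$prefix/state" "$prefix/tmp"
    chmod 0750 "$prefix/run" "$prefix/log" "$prefix/state" "$prefix/tmp"
    # Pre-create the access log. A file that already exists keeps its owner
    # and mode when Unit later opens it with O_CREAT|O_APPEND, which is what
    # lets a sidecar in the same group read it without running as root.
    : >> "$prefix/log/unit-access.log"
    chmod 0640 "$prefix/log/unit-access.log"
    printf '%s\n' "$prefix/log/unit-access.log"
}

# Print the unitd invocation with --control, --pid, --log, --statedir and
# --tmpdir all relocated into $prefix (compare against `unitd --version`,
# which reports the compiled-in, root-owned defaults).
unit_unprivileged_cmd() {
    prefix=$1
    printf 'unitd --no-daemon --control unix:%s/run/control.unit.sock --pid %s/run/unit.pid --log %s/log/unit.log --statedir %s/state --tmpdir %s/tmp\n' \
        "$prefix" "$prefix" "$prefix" "$prefix" "$prefix"
}

# Verify the log is owned by the current uid with mode 0640 (-rw-r-----).
# Uses ls rather than stat(1) so it behaves the same on GNU and BSD userlands.
# Prints "ok" or a short description of the mismatch.
unit_check_log_owner() {
    f=$1
    owner=$(ls -ln "$f" | awk '{print $3}')
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$owner" = "$(id -u)" ] && [ "$mode" = "-rw-r-----" ]; then
        echo ok
    else
        echo "mismatch: owner=$owner mode=$mode"
    fi
}

# Usage (in a container entrypoint running as the unit user):
#   log=$(unit_prepare_prefix /var/lib/unit-rt)
#   unit_check_log_owner "$log"
#   exec $(unit_unprivileged_cmd /var/lib/unit-rt)
```

Two caveats worth keeping in mind. First, once the container itself runs as a non-root user (docker run --user or the compose equivalent), Unit's own --user/--group options are moot, which is what the "Unit is running unprivileged, then it cannot use arbitrary user and group" warning in the issue body is saying; the application processes simply inherit the container's uid. Second, the pre-created log only keeps its ownership while the file exists: if a log-rotation step removes it and Unit is still running as root, the replacement will again be created by root, so rotate by truncating or copying rather than unlinking.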

ac000 commented 1 week ago

It seems that although unit is running as unit (uid:999), the log file is created as root:

This is due to

root         1  0.0  0.0  10084  4324 ?        Ss   15:59   0:00 unit: main v1.32.1 [unitd --no-daemon --control unix:/var/run/control.unit.sock]