Open fabriziofiorucci opened 3 years ago
@brianehlert, having unprivileged-user Dockerfiles, which seem to be incomplete right now, might solve this issue? cc: @framer777
I'm going to do another cycle on non-root changes (https://github.com/nginxinc/docker-nginx-controller/pull/51) in order to complete the work.
@framer777 thanks.
> I'm going to do another cycle on non-root changes (#51) in order to complete the work.
Hi, I'm sorry to push, is there an ETA for the unprivileged Dockerfile to be available? Thanks
Additionally, after manually patching the exposed nginx port, I'm getting:
```
starting nginx ...
waiting for nginx workers ...
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
updating /etc/controller-agent/agent.conf ...
 ---> using api_key = xxx
 ---> using controller api url = https://FQDN:8443/1.4/
 ---> using instance_name = nginx-agent-5cb6df74d7-nd49x
 ---> using instance group = nginx-openshift
starting controller-agent ...
time="Jul 29 2021 10:13:00.867" level="info" msg="Starting Nginx Controller (Go) Agent. Version: 3.18.1-316464192.release-3-18..." feature="main"
time="Jul 29 2021 10:13:00.874" level="info" msg="Discovered nginxs" count="1" feature="main"
time="Jul 29 2021 10:13:00.975" level="fatal" msg="listen tcp 0.0.0.0:514: bind: permission denied" feature="main"
waiting for nginx to stop...
controller-agent process has stopped, exiting
```
Is there a way to override port 514? Changing /etc/nginx-controller/agent.conf to set:
```
[listener_syslog-default]
address =
```
to something like 0.0.0.0:10514 doesn't seem to work.
Any clue here?
Thank you!
> I'm going to do another cycle on non-root changes (#51) in order to complete the work.
>
> Hi, I'm sorry to push, is there an ETA for the unprivileged Dockerfile to be available? Thanks
Will try to resolve it within the next two days.
Hi, is there any update on this? Thank you.
@fabriziofiorucci I was able to wrap up all changes in https://github.com/nginxinc/docker-nginx-controller/pull/51. Sorry for the delay, it took more than expected.
> Is there a way to override port 514?

Yes, please refer to the updated README in the PR: https://github.com/nginxinc/docker-nginx-controller/blob/55f04f3687c1edbe620d25e8ea3a93a2dd6ff396/README.md#52-new-build-arguments
The example Dockerfile is provided as well.
Thank you! Would it be possible to get the diff for the unprivileged nap-enabled version as well?
Sure @fabriziofiorucci, I'll add the nap-enabled diff soon.
> Sure @fabriziofiorucci, I'll add the nap-enabled diff soon.

Thank you!
@fabriziofiorucci, here are the examples of unprivileged files (Dockerfile & entrypoint.sh):
https://github.com/nginxinc/docker-nginx-controller/blob/e6dc7ef8bab1626302fcb24f822012c0ec478cc2/unprivileged/examples/ubuntu-nap/Dockerfile
https://github.com/nginxinc/docker-nginx-controller/blob/e6dc7ef8bab1626302fcb24f822012c0ec478cc2/unprivileged/examples/ubuntu-nap/entrypoint.sh
@framer777 @brianehlert Where can I find an unprivileged image based on CentOS/RHEL for OpenShift?
Hello,
all Dockerfiles work fine with k8s, but with OpenShift there is a permission denied issue when the agent starts, as it can't write anything in /etc/controller-agent. The dir is owned by root:root and OpenShift forces everything to run as non-root. Do we have an updated Dockerfile that can be used to build NGINX+agent for OpenShift as well?
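
The two failures reported in this thread (binding port 514 as non-root, and a root:root config directory that the agent cannot write) can be caught before deployment with a preflight check. The script below is an added example, not code from the repository or from any participant; the function names are hypothetical, and it assumes the container runs as an arbitrary UID in group 0 (OpenShift's default behaviour) with the Linux default unprivileged port floor of 1024.

```shell
#!/bin/sh
# Added example (not from the repository): preflight checks for a container
# that will run as an arbitrary non-root UID in group 0, as OpenShift's
# default restricted policy does.

# Lowest port a non-root process may bind without CAP_NET_BIND_SERVICE.
# 1024 is the Linux default; net.ipv4.ip_unprivileged_port_start can change it.
UNPRIV_PORT_START=${UNPRIV_PORT_START:-1024}

# can_bind ADDRESS UID -> 0 if UID may bind the port in "host:port"
can_bind() {
    port=${1##*:}
    case $port in ''|*[!0-9]*) return 2 ;; esac   # not a numeric port
    [ "$2" -eq 0 ] || [ "$port" -ge "$UNPRIV_PORT_START" ]
}

# group_writable DIR GID -> 0 if DIR is group-owned by GID with rwx for group
group_writable() {
    [ -d "$1" ] || return 2
    want_gid=$2
    # Numeric listing: field 1 is the mode string, field 4 the owning GID.
    set -- $(ls -ldn "$1" | awk '{print $1, $4}')
    [ "$2" -eq "$want_gid" ] || return 1
    case $1 in d???rw[xs]*) return 0 ;; *) return 1 ;; esac
}

# preflight UID GID ADDRESS DIR... -> one FAIL line per problem,
# exit status is the number of failures (0 means ready for non-root).
preflight() {
    uid=$1 gid=$2 addr=$3; shift 3
    fails=0
    can_bind "$addr" "$uid" || { echo "FAIL bind $addr as uid $uid"; fails=$((fails+1)); }
    for d in "$@"; do
        group_writable "$d" "$gid" || { echo "FAIL write $d as gid $gid"; fails=$((fails+1)); }
    done
    return "$fails"
}
```

Inside an image under test, `preflight "$(id -u)" 0 0.0.0.0:514 /etc/controller-agent` would report both problems from this thread; a directory that fails the second check is typically fixed at build time with `chgrp -R 0` and `chmod -R g=u` on that path.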