nginxinc / docker-nginx

Official NGINX Dockerfiles
BSD 2-Clause "Simplified" License

mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied) #524

Open lbopp42 opened 3 years ago

lbopp42 commented 3 years ago

Hello, I'm using the image nginx:alpine and sometimes, on the first docker-compose up -d, I get this error spammed in the logs and the container restarting:

mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

If I docker-compose up -d again my container will be fixed, but why?

Best regards, Lucas BOPP

thresheek commented 3 years ago

Hi @lbopp42, can you show the full configuration you're using? All the docker-compose configs, and nginx ones.

Thanks,

lbopp42 commented 3 years ago

Hi, thanks for your time. I'm using the default conf of nginx:alpine and this is a part of docker-compose:

  my_service:  # (edit)
    cap_add:
    - CAP_CHOWN
    - CAP_NET_BIND_SERVICE
    - CAP_SETGID
    - CAP_SETUID
    cap_drop:
    - ALL
    depends_on:
    - app_back  # (edit)
    env_file:
    - .env
    image: myimage_name  # (edit)
    labels:
      # some_labels_for_traefik (edit)
    networks:
    - default
    - traefik
    restart: always

Does this help you?

thresheek commented 3 years ago

Not really, I can't reproduce with the following docker-compose.yml:

my_service:
  cap_add:
  - CAP_CHOWN
  - CAP_NET_BIND_SERVICE
  - CAP_SETGID
  - CAP_SETUID
  cap_drop:
  - ALL
  image: nginx:alpine
  restart: always

Are there any changes you're doing to nginx:alpine image? I notice you have myimage_name instead.

lbopp42 commented 3 years ago

This is my Dockerfile:

FROM nginx:alpine
COPY application /usr/share/nginx/html
COPY ./entrypoint.sh /
CMD ./entrypoint.sh
EXPOSE 80

entrypoint.sh only does some sed (in my source) and runs nginx -g 'daemon off;'

I can't reproduce it all the time. That's strange, and if I docker-compose up -d --force-recreate without any change, that works.

thresheek commented 3 years ago

Is that on a local Linux machine, or is that via some virtualbox or docker for mac or docker for windows, or similar setup where things are heavily virtualized and, maybe, volumes are used?

No idea otherwise, this seems like something unrelated to the image itself.

lbopp42 commented 3 years ago

It's on an Ubuntu server 16.04 and on 18.04 too. I will leave this issue open in case someone has the same.

thresheek commented 3 years ago

Any apparmor or similar permission denied errors in dmesg or messages or other system logs?

kfkawalec commented 3 years ago

I have the same problem on Azure AKS. In this case I don't know what to change.

P.S. There is also a permission problem with nginx.pid, but I changed the path to /tmp/nginx.pid

thresheek commented 3 years ago

@kfkawalec Are you launching the containers as a specific user? What is the setup for a container in your case?

kfkawalec commented 3 years ago

Yes, I'm running this as a non-root user.

thresheek commented 3 years ago

@kfkawalec then https://github.com/nginxinc/docker-nginx-unprivileged might be relevant to your interests :-)

pancudaniel7 commented 3 years ago

I have the same problem: when deploying the container to OpenShift 4, the startup fails with:

mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

The docker-nginx-unprivileged works but is too big (150mb vs 58mb)

thresheek commented 3 years ago

@pancudaniel7 you need to apply the same configuration fixes as in docker-nginx-unprivileged if you'd like to use this repo's images on OpenShift. They're not compatible as is.

pancudaniel7 commented 3 years ago

Thank you @thresheek, I've fixed the problem by running the container with the nginx user. This also allows you to increase security by using specific permissions on that nginx user.

OpenShift in my case runs with a default user that did not have rights, and that's why the nginx container failed at startup.

namevic commented 3 years ago

Go to https://hub.docker.com/_/nginx and find the section "Running nginx as a non-root user"; you need to change some paths in your config.

Majid-cloud commented 2 years ago

Can you show me the output of the following commands:

cd /var/cache/nginx
ls

My problem was solved by creating the "client_temp" directory in /var/cache/nginx.

P.S: I am not using docker.

bizmate commented 2 years ago

FYI, I had the same if I run nginx with my host user id, i.e.

nginx:
    user: $UID

orgads commented 1 year ago

Is there a reason the unprivileged image cannot replace the default one (except the different port)?

dk03051996 commented 6 months ago

Hi @Majid-cloud, if I create one directory then it asks for another directory and the list keeps going on. I have the same problem with a GKE cluster. If I go with the unprivileged image then I face a port binding error for port 80. Did anyone have any working solution?
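
Added example, not part of the thread and not the project's own configuration: an nginx.conf for running the stock image as a non-root user, covering the "change some paths in your config" advice and the one-directory-after-another and port 80 symptoms described above. The pid path is the one mentioned in the thread; the /tmp temp paths, port 8080 and the document root are assumptions chosen for illustration.

```nginx
# Constructed example: nginx.conf for a container started with an arbitrary
# non-root UID (docker "user:", OpenShift, a Kubernetes runAsUser).
# Logging is left at the image defaults.

worker_processes auto;

# The default pid location is under a root-owned directory; /tmp is
# world-writable, so any UID can create the file there.
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # nginx creates one temp directory per module at startup. In the stock
    # image they all live under root-owned /var/cache/nginx, which is why
    # creating client_temp by hand only moves the mkdir() failure on to the
    # next directory. Relocate all five to a writable path.
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;

    server {
        # Ports below 1024 normally require root or CAP_NET_BIND_SERVICE,
        # so a non-root master process listens on a high port instead.
        # Expose it as 80 outside the container with a port mapping
        # ("8080" on the container side) or a Service targetPort.
        listen 8080;

        root  /usr/share/nginx/html;
        index index.html;
    }
}
```

Running `nginx -t -c` against this file as the target UID checks the writable paths before deployment; `/tmp` must stay writable if the container uses a read-only root filesystem (mount a tmpfs or emptyDir there).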