webgiss / niolesk

Edit diagrams from textual descriptions! : A kroki interface.
https://niolesk.top
MIT License

rootless Docker image #35

Closed oupala closed 1 year ago

oupala commented 1 year ago

What would you think about proposing a rootless docker image for niolesk?

Currently, the image cannot be executed in a rootless environment:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/update-config.sh
sed: can't create temp file '/usr/share/nginx/html/config.jsXXXXXX': Permission denied

One solution would be to make the file /usr/share/nginx/html/config.js writable by everyone, so that even a non-root user can modify it. I think that the directory /usr/share/nginx/html/ should be writable by everyone as well (as there is a permission denied error on a temporary file inside /usr/share/nginx/html/).

There might also be some other solutions.

gissehel commented 1 year ago

Hello, I haven't really thought about that as I've used the default nginx:alpine image.

I'll make some tests...

gissehel commented 1 year ago

Hello, there was more than that problem (once nginx starts, the default Docker nginx image doesn't support starting as non-root).

The user:group must be 101:101 (nginx:nginx inside the image). The Dockerfile specifies that the image starts as user 101:101, but you can also specify it yourself.

Now it seems to work. Do you confirm that the image ghcr.io/webgiss/niolesk:35-rootless-docker-image works as you expect, so I can merge it into the main branch?

oupala commented 1 year ago

In my case, it does not work as is:

/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/update-config.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: can not modify /etc/nginx/conf.d/default.conf (read-only file system?)
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/04/24 14:08:59 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2023/04/24 14:08:59 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

I'm using a platform that is running under Kubernetes (k8s), the origin version from Red Hat. The user id is randomly set at startup by the platform, and the group id is root. That's why this command is useless in that case:

chown -R nginx:nginx /var/cache/nginx

I think that the directory should belong to root:

chown -R nginx:root /var/cache/nginx

gissehel commented 1 year ago

Yes, if the user id is randomly set at startup, I do understand that this doesn't work. But I don't know how to make it work!

I mean, by removing all security (like everyone can access everything), it may work, but it totally destroys the purpose of running as a user.

The problem is located in the default nginx container, which presupposes that nginx should be run as root, and then changes user to nginx after start. What I've done is to start the container directly as the user nginx. It generates a warning (as the user isn't root as nginx expects), but it still works.

As the problem is totally internal to the standard default nginx container, is there a standard way to run it in your framework?
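The situation described in the two comments above (a random UID, primary group 0, and nginx's master process no longer root) has a standard answer in the OpenShift image guidelines: own the paths that are written at runtime by group 0 and give the group the owner's permissions with chmod g=u, and move nginx off port 80 and off /var/run. The Dockerfile below is an added example, not niolesk's own Dockerfile; it assumes the layout the logs in this issue reveal (an nginx:alpine base, a built site in ./dist, and an entrypoint hook update-config.sh that rewrites config.js with sed -i). The nginx-side edits are the ones the nginxinc/docker-nginx-unprivileged image also makes.

```dockerfile
# Added example, not the project's Dockerfile. Assumptions: nginx:alpine base,
# the built static site in ./dist, and an entrypoint hook update-config.sh
# that rewrites /usr/share/nginx/html/config.js with "sed -i" at start-up.
FROM nginx:alpine

COPY dist/ /usr/share/nginx/html/
COPY update-config.sh /docker-entrypoint.d/update-config.sh

# A non-root master process cannot bind port 80, ignores the "user" directive
# (the warning in the log above) and cannot write /var/run/nginx.pid.
# Patterns use POSIX basic regex only, because the image's sed is busybox.
RUN sed -i 's/listen  *80;/listen 8080;/' /etc/nginx/conf.d/default.conf \
 && sed -i '/^user  *nginx;/d' /etc/nginx/nginx.conf \
 && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf

# OpenShift starts the container as a random UID whose primary group is 0.
# Owning the runtime-writable paths by nginx:0 keeps a plain "docker run" with
# USER nginx working, and "chmod g=u" gives group 0 the same rights the owner
# has, so the random UID can write them too. Nothing becomes world-writable.
#   /usr/share/nginx/html  -> sed -i temp file for config.js (first log)
#   /var/cache/nginx       -> client_temp and the other temp dirs (second log)
#   /etc/nginx/conf.d      -> 10-listen-on-ipv6-by-default.sh edits default.conf
RUN chown -R nginx:0 /usr/share/nginx/html /var/cache/nginx /etc/nginx/conf.d \
 && chmod -R g=u /usr/share/nginx/html /var/cache/nginx /etc/nginx/conf.d

EXPOSE 8080
USER nginx
```

To reproduce the OpenShift conditions without a cluster, start the built image with an arbitrary UID and group 0, for instance `docker run --rm --user 12345:0 -p 8080:8080 <image>`; if the entrypoint hooks and nginx come up without "Permission denied", the image will also start under a randomly assigned UID. Leaving the files owned by nginx:0 rather than making them world-writable is what preserves the point of running unprivileged: only the container's own user and group 0 can rewrite the served content or configuration.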

gissehel commented 1 year ago

Ok, so because the remaining problem is not related to niolesk, but to the interaction between:

As they both seem pretty widely used, I supposed there was some "standard workaround" as they seem incompatible.

Found https://github.com/nginxinc/docker-nginx-unprivileged that provides image for that.

I still generate Docker images based on the standard nginx image, and I also generate images based on that nginxinc/docker-nginx-unprivileged image, with the Docker tag prefix unprivileged.

Can you try the image ghcr.io/webgiss/niolesk:unprivileged-35-rootless-docker-image and confirm that it solves your problem? Note that unprivileged images don't use port 80 in the container but port 8080 (while standard images still use port 80).

Once merged and released, the unprivileged image will be ghcr.io/webgiss/niolesk:unprivileged.

gissehel commented 1 year ago

The branch has now been merged as it seems stable, and a release has been created.

Can you try the image ghcr.io/webgiss/niolesk:unprivileged and confirm that it solves your problem?

oupala commented 1 year ago

I do confirm that this tag fixes the problem I had running the image on OpenShift from Red Hat. And yes, obviously, the webapp is served under port 8080.

Thanks a lot for the fix.

By the way, it took me some time to find out the pun ("jeu de mot") between kroki and niolesk... But I had a good laugh ("franche rigolade") when I realized it... :stuck_out_tongue_winking_eye:

gissehel commented 1 year ago

Glad that it works fine for you, and glad that you liked the pun (« jeu de mot »); the delay in realization is intended.

oupala commented 1 year ago

So you will keep both versions: standard (privileged) and unprivileged?

gissehel commented 1 year ago

Yes, as long as the standard nginx image doesn't support it, I prefer having the "standard" niolesk Docker image based on the standard nginx image.

oupala commented 1 year ago

Ok, thanks for the answer.