-
Notifications
You must be signed in to change notification settings - Fork 533
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move default writable paths to a dedicated directory #119
Comments
I'm very supportive of this. Thanks for pointing out K8S aspects of it. We've talked about some aspects of this in #24. Things have evolved since then and Nginx now uses UID Nginx images also symlink logs to For the rest, I think we can put something like this in the
|
I haven't been running this in production yet but the _temp_path parameters you've specified work as expected. I ended up sending logs to stdout, which might be a good default -- it'd follow the principle of least surprise, to a degree. I think it'd be useful to include examples of methods for configuring external logging and logging to files within the container (or a sibling), however I don't have any, yet. What would be the next step? I don't know if I can volunteer yet -- maybe after a spec has been worked out. |
The logs would get written to Next step is to actually do the changes and test them (like you have just helped do). Which image flavor do you use? I can do a branch and work on that one and you can help test in your k8s environment. I don't have one handy for this purpose. |
I have released the new temporary paths in The log destinations and default user have not changed. |
Hi, I am using 1.15.8.2-4 and have similar issue :
so additionally to provided fix I should mount tmp dir in k8s (@dpkirchner ) pointing to |
@grzesuav did you figure out a solution? im having the same issue |
@dubcdr AFAIR I changed ownership of directory, will check tomorrow to be exact |
yeah, I needed to set :
in nginx.conf in order to overcome that |
and additionally (in k8s) I mounted tmp directory there:
where :
|
I'm getting same issue with Docker FROM openresty/openresty:bionic or any other latest versions. Error - 2023/08/14 16:27:26 [emerg] 7#7: mkdir() "/var/run/openresty/nginx-client-body" failed (13: Permission denied) |
Hello, can you try with a version-specific tag to prevent any ambiguity? |
Thank you for quick reply. One more thing to add we are using Lua as well. |
Tried with FROM openresty/openresty:1.21.4.2-0-bionic still same @neomantra |
OK, How are you running it, etc? |
docker.txt |
@neomantra I tried adding above things as well in nginx.config still issue is persisting. |
Hello, @neomantra or anyone else can help here? |
I also encountered this issue and (think I) fixed it by transferring ownership of the openresty related files to my non-root user
Here is the build output. Pay special attention to the $ docker build -t nonrootresty --no-cache --progress=plain .
#0 building with "default" instance using docker driver
#1 [internal] load .dockerignore
#1 transferring context:
#1 transferring context: 2B done
#1 DONE 0.3s
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 520B done
#2 DONE 0.4s
#3 [internal] load metadata for openresty:1.25.3.1-0-alpine
#3 DONE 1.1s
#4 [1/8] FROM openresty:1.25.3.1-0-alpine@sha256:87c89a5fa4aa52701656481c288337d7735b7470675b4cca33c6e33057655c30
#4 CACHED
#5 [2/8] RUN ls -lh /var/run/
#5 0.884 total 4K
#5 0.885 drwxr-xr-x 2 root root 4.0K Jan 10 03:32 openresty
#5 DONE 1.4s
#6 [3/8] RUN ls -lh /usr/local/
#6 1.226 total 16K
#6 1.226 drwxr-xr-x 2 root root 4.0K Dec 7 09:43 bin
#6 1.226 drwxr-xr-x 1 root root 4.0K Jan 10 03:32 lib
#6 1.226 drwxr-xr-x 1 root root 4.0K Jan 10 03:32 openresty
#6 1.226 drwxr-xr-x 1 root root 4.0K Jan 10 03:32 share
#6 DONE 2.2s
#7 [4/8] RUN addgroup -S 1000 && adduser -S -s /bin/sh user -u 1000 -G 1000 && chown 1000 /etc/nginx/conf.d/default.conf
#7 DONE 2.7s
#8 [5/8] RUN chown user /var/run/openresty
#8 DONE 2.0s
#9 [6/8] RUN chown -R user /usr/local/openresty
#9 DONE 47.2s
#10 [7/8] RUN ls -lh /var/run/
#10 1.278 total 4K
#10 1.278 drwxr-xr-x 1 user root 4.0K Jan 10 03:32 openresty
#10 DONE 2.0s
#11 [8/8] RUN ls -lh /usr/local/openresty
#11 1.424 total 324K
#11 1.424 -rw-r--r-- 1 user root 22.4K Jan 10 03:32 COPYRIGHT
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:32 bin
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:32 luajit
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:32 lualib
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:32 nginx
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:27 openssl
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:28 pcre
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:32 pod
#11 1.424 -rw-r--r-- 1 user root 235.0K Jan 10 03:32 resty.index
#11 1.424 drwxr-xr-x 1 user root 4.0K Jan 10 03:32 site
#11 DONE 1.9s
#12 exporting to image
#12 exporting layers
#12 exporting layers 3.6s done
#12 writing image sha256:cf695052d7571efc3507848673b832aef336d3464a7113ba3c9d5031db4164d4
#12 writing image sha256:cf695052d7571efc3507848673b832aef336d3464a7113ba3c9d5031db4164d4 0.1s done
#12 naming to docker.io/library/nonrootresty 0.1s done
#12 DONE 3.7s If there is a better solution, or I am doing something wrong, I'd appreciate comments. |
Currently, if you try to run openresty in a K8S cluster that is configured for higher security[0], perhaps
runAsUser
and/orreadOnlyRootFilesystem
, you'll get startup errors when openresty attempts to create/usr/local/openresty/nginx/client_body_temp
(and etc). To start, you'd need to mount a read-write partition into/usr/local/openresty/nginx
, which would override everything there, including the binaries. Even if you were to copy the existing files into the RW mount, you'd open yourself up to bad actors modifying files that they shouldn't.Ideally, all writable files would be in a dedicated directory, something like
/var/run/openresty
. That'd include all of the*_temp
directories,pid
, and possibly logs. Then we can ensure that nobody can replace/usr/local/openresty/nginx/**
at runtime.[0] https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/#8-run-containers-as-a-non-root-user
The text was updated successfully, but these errors were encountered: