Skip to content

Commit

Permalink
Ensure /var/log/nginx is writeable by GID 0
Browse files Browse the repository at this point in the history 
In a standard deployment, error log is written to `/dev/stderr` and
access log is written to `/dev/stdout`. Furthermore, `error.log` and
`access.log` in `/var/log/nginx` are mapped to the respective stdio.
However, a deployment may override configuration, and remove the
symbolic links, to write to the container storage directly.

OpenShift tries to impose various restrictions by default. One of these
is for UID/GID used by the container process. If these restrictions are
supported in future, adjustments to file system permissions need to be
done so that /var/log/nginx remains writeable. Specifically, OpenShift
adds GID 0 as supplemental to container process for file system
operations.

This PR ensures the nginx user (UID `101`) and root group (GID `0`) owns
the log directory, and that owner group permissions match the owner user
permissions (`g=u`). This ensures that OpenShift deployments retain
write permissions in future.
  • Loading branch information
@sigv
sigv committed Sep 20, 2023
1 parent cb5aef3 commit e98cc72
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions build/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -220,8 +220,8 @@ RUN --mount=type=bind,target=/tmp [ -n "${BUILD_OS##*plus*}" ] && exit 0; mkdir

# run only on nap waf build
RUN --mount=type=bind,target=/tmp [ -n "${NAP_MODULES##*waf*}" ] && exit 0; mkdir -p /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /var/log/app_protect /opt/app_protect \
&& chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
&& chmod -R g=u /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
&& chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ \
&& chmod -R g=u /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ \
&& touch /etc/nginx/waf/nac-usersigs/index.conf \
&& cp -a /tmp/build/log-default.json /etc/nginx

Expand All @@ -234,8 +234,8 @@ RUN --mount=type=bind,target=/tmp mkdir -p /var/lib/nginx /etc/nginx/secrets /et
&& setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx 'cap_net_bind_service=+eip' /usr/sbin/nginx-debug \
&& [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
&& chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
&& chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
&& rm -f /etc/nginx/conf.d/* /etc/apt/apt.conf.d/90pkgs-nginx /etc/apt/sources.list.d/nginx-plus.list

# Uncomment the line below if you would like to add the default.pem to the image
Expand Down

0 comments on commit e98cc72

Please sign in to comment.