Ensure /var/log/nginx is writeable by GID 0

[sigv]

Proposed changes

In a standard deployment, error log is written to /dev/stderr and access log is written to /dev/stdout. Furthermore, error.log and access.log in /var/log/nginx are mapped to the respective stdio. However, a deployment may override configuration, and remove the symbolic links, to write to the container storage directly.

OpenShift tries to impose various restrictions by default. One of these is for UID/GID used by the container process. If these restrictions are supported in future, adjustments to file system permissions need to be done so that /var/log/nginx remains writeable. Specifically, OpenShift adds GID 0 as supplemental to container process for file system operations.

This PR ensures the nginx user (UID 101) and root group (GID 0) owns the log directory, and that owner group permissions match the owner user permissions (g=u). This ensures that OpenShift deployments retain write permissions in future.

This permissions change was already being applied to App Protect builds, where I presume writing to disk is enabled by default. Now with the PR, the permissions are ensured for all customers (not only App Protect variant).

Closes #4279.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

[vepatel]

Hi @sigv can you please open an issue for this PR: https://github.com/nginxinc/kubernetes-ingress/blob/main/CONTRIBUTING.md#open-a-pull-request thanks!

[sigv]

@vepatel, opened and referenced #4279.

[codecov]

Codecov Report

Merging #4269 (4c5f307) into main (9a52e02) will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #4269      +/-   ##
==========================================
- Coverage   52.00%   51.99%   -0.02%     
==========================================
  Files          59       59              
  Lines       16960    16960              
==========================================
- Hits         8820     8818       -2     
- Misses       7845     7847       +2     
  Partials      295      295              

see 1 file with indirect coverage changes

📣 Codecov offers a browser extension for seamless coverage viewing on GitHub. Try it in Chrome or Firefox today!

[lucacome]

Sorry for the long wait again @sigv

I guess it doesn't cost us anything to set the permissions for /var/log/nginx and be on the safe side.

[sigv]

Sorry for the long wait again

No worries! I fully understand things sometimes take time 🙂

0c8462d shuffled lines around and there's now a merge conflict to resolve.
I will squeeze this in around end of day (Europe), so the blocker doesn't stick around over the weekend. 🤞🏻

[sigv]

Tests are failing as they want to re-build the Nginx Plus components for which my repo doesn't have the certificate. 😞

[shaun-nx]

Thanks again for being patient with us @sigv !

[sigv]

I'm not sure how the Alpine error could be triggered by this change (Error getting Endpoints for Upstream backend1: error retrieving endpoints for the service backend1-svc: no endpointslices for target port 8080 in service backend1-svc)

[shaun-nx]

@sigv That particular log message happens when we're enumerating pods before they are ready. From the logs its looks like the pods for that test took too long to become ready.

[shaun-nx]

@sigv I've re-run the failed test and everything is green now. Just waiting on images to be built and we should be good 😄

[shaun-nx]

🚀