Add nginx (or openresty user) to run nginx #24
Comments
I'm on the fence with this. I see the convenience for your config file. I was wondering if it is bad security practice to add a user that is not needed by the image itself? But, it's in a container and running as It certainly is easy to add. You can also easily derive your own image, with whatever other plugins and libraries you want. I also know it is great to just pull from Docker Hub.
Hi @neomantra, do you know if this issue can be resolved now?
@agentzh Do you have an opinion on this? Is there a reason the RPMs don't do it? Will the DEBs do it? It is easy enough for me to add and maintain. If I do add it, should the user be
@neomantra Because the
Introducing a dedicated
OpenResty's upcoming official deb packages will follow the rpm packages strictly. |
So I did a little more investigation... something that is annoying is that the nginx Docker images do not specify the UID when they create their users. So Docker uses the UID, not the name. So you won't easily be able to share files between the host and the container, unless they are synced. If I were to do this, I would probably make a user But I respect @dol's desire to have a common nginx file. But could you use user
I'm not going to add a user to the image because the upstream packages do not do so. If users want this, it is easy to include and control it in a derived image. I'm labeling this a documentation bug -- we can show how to do this.
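One way to do what the comment above suggests, as an added example that is not the docker-openresty project's own code: derive from the published image, add an `nginx` user with a fixed UID/GID (so bind-mounted files can be chowned to a known id, addressing the UID point raised earlier in the thread), and ship an nginx.conf that uses `user nginx;`. The master process still starts as root and only the workers drop to `nginx`, so the TLS key can stay `root:root 0600`. The config path, the `101` ids and the `/etc/ssl/example/` paths are assumptions or constructed placeholders, not values from the project.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the docker-openresty project): derived image that
# adds an "nginx" user with a fixed UID/GID so that `user nginx;` works and
# files shared with the host can be owned by a known id.
FROM openresty/openresty:stretch

# Fixed ids (constructed values; choose ones that are unused on your hosts).
ARG NGINX_UID=101
ARG NGINX_GID=101

RUN groupadd --system --gid "${NGINX_GID}" nginx \
 && useradd --system --uid "${NGINX_UID}" --gid nginx \
      --no-create-home --home-dir /nonexistent --shell /usr/sbin/nologin nginx

# Main config. The path is assumed from the stock image layout; verify it
# against the base image you actually build from.
COPY <<'EOF' /usr/local/openresty/nginx/conf/nginx.conf
# Master stays root; worker processes run as nginx.
user  nginx;
worker_processes  auto;
error_log  /dev/stderr notice;
pid        /var/run/nginx.pid;

events { worker_connections 1024; }

http {
    server {
        listen 443 ssl;
        # The root master opens the key before spawning workers, so the
        # mounted key can stay root:root 0600; workers never need to read it.
        # Placeholder paths: mount your own certificate and key here.
        ssl_certificate     /etc/ssl/example/tls.crt;
        ssl_certificate_key /etc/ssl/example/tls.key;
        location / { return 200 "ok\n"; }
    }
}
EOF

# Deliberately no USER instruction: the `user` directive only takes effect
# when the master process starts with root privileges.
```

Build it with `docker build -t my-openresty .` and run with the certificate and key bind-mounted read-only at the placeholder paths; nginx will refuse to start if the referenced files are missing, which is a useful fail-closed check. Because the UID is pinned, `chown 101:101` on the host side of a shared volume is enough for the workers to read it.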
I am revisiting this because of some HackerNews discussion about
Hello. Just for the record,
Any plans to revisit an unprivileged user like with
I don't have specific plans, but since you pinged and 'tis the season, I just re-visited it. As a first step, I'll create a Like docker-nginx-unprivileged, we'd default to user I think that will work -- any feedback?
How can I add non-root user to Dockerfile for image/version "FROM openresty/openresty:stretch"?
@shyam-prajapat I don't plan on adding the support in this ticket to
To follow up on the documentation: Could you provide a link to where running openresty as non-root is described?
Hello,
(edit) you can remove the ENTRYPOINT. My entrypoint analyzes environment variables to update some configuration files, and then launches:
Thank you very much!
I am doubtful about its security implications. If we run as a non-root user then both nginx master / worker processes run with that same user. This means that the worker processes also have access to things that only the master needs access to. This becomes worse when, for instance, you mount SSL certs/keys: these must be readable to the master nginx process, and in this case even the worker processes will be able to see those keys/certs. If instead we run the master process as root and specify a non-root user in nginx conf, we can grant that user absolutely minimal permission. I am using rootless docker with the second approach btw. Don't know if it's more secure, but I definitely do not like the idea of having worker processes with read access to SSL keys.
Who stops you from specifying a non-root user in nginx conf when master was not started using root?
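The other option discussed in this thread, the docker-nginx-unprivileged style where the whole process tree (master included) runs as the non-root user, as an added example that is not the project's own code. It also answers the question just above: nothing stops you from keeping a `user` directive, but a non-root master cannot honour it, so nginx logs a warning and ignores it; the practical requirements are a writable pid file, writable temp directories, a port above 1024, and, as the previous comment points out, a key readable by the same uid the workers run as. The config, log and cache paths and the `101` ids are assumptions, and the `/etc/ssl/example/` paths are placeholders.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the docker-openresty project): run OpenResty with
# master and workers all as an unprivileged user, docker-nginx-unprivileged
# style. Paths are assumed from the stock image layout; verify against your base.
FROM openresty/openresty:stretch

ARG NGINX_UID=101
ARG NGINX_GID=101

RUN groupadd --system --gid "${NGINX_GID}" nginx \
 && useradd --system --uid "${NGINX_UID}" --gid nginx \
      --no-create-home --home-dir /nonexistent --shell /usr/sbin/nologin nginx \
 # everything nginx writes at runtime must be owned by the runtime user
 && mkdir -p /var/run/openresty /var/cache/openresty \
 && chown -R nginx:nginx /var/run/openresty /var/cache/openresty \
        /usr/local/openresty/nginx/logs

COPY <<'EOF' /usr/local/openresty/nginx/conf/nginx.conf
# No `user` directive: with a non-root master nginx only logs
# "the "user" directive makes sense only if the master process runs with
# super-user privileges, ignored" and starts anyway, so it is left out.
worker_processes  auto;
error_log  /dev/stderr notice;
pid        /var/run/openresty/nginx.pid;

events { worker_connections 1024; }

http {
    # temp paths must live somewhere the unprivileged user can write
    client_body_temp_path /var/cache/openresty/client_temp;
    proxy_temp_path       /var/cache/openresty/proxy_temp;
    fastcgi_temp_path     /var/cache/openresty/fastcgi_temp;
    uwsgi_temp_path       /var/cache/openresty/uwsgi_temp;
    scgi_temp_path        /var/cache/openresty/scgi_temp;

    server {
        # binding below 1024 would need CAP_NET_BIND_SERVICE; use a high port
        listen 8443 ssl;
        # Trade-off from the thread: the master that opens the key now has the
        # same uid as the workers, so the key must be readable by nginx
        # (e.g. owned by 101:101, mode 0400) rather than root-only.
        # Placeholder paths: mount your own certificate and key here.
        ssl_certificate     /etc/ssl/example/tls.crt;
        ssl_certificate_key /etc/ssl/example/tls.key;
        location / { return 200 "ok\n"; }
    }
}
EOF

USER nginx
EXPOSE 8443
```

With `USER nginx` set, `docker run --user` is no longer needed and the container can also be started with `--cap-drop ALL`, since nothing in it requires a capability. The cost is exactly the one raised above: the private key is readable by every worker, which is what the root-master variant avoids.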
Similar to the official nginx docker container it would be ideal to run the openresty nginx server as a non root user. https://github.com/nginxinc/docker-nginx/blob/25a3fc7343c6916fce1fba32caa1e8de8409d79f/stable/alpine/Dockerfile#L52
This would simplify the handling of nginx.conf quite a bit. Because the nginx user is not present in the openresty container, the nginx.conf can't contain a line like `user nginx;`. For a non-container deployment it's recommended to use a non-root user. For this reason I run openresty under nginx with the nginx.conf directive `user nginx;`. I need to maintain two different nginx.conf files for a container runtime and a non-container runtime.