From 7210518f80fee2091951ea577da7b17f79d2b203 Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Mon, 16 Jul 2018 14:20:59 -0400
Subject: [PATCH] Remove setcap and use authbind instead
---
 Makefile | 2 +-
 rootfs/Dockerfile | 31 +---------
 rootfs/entrypoint.sh | 57 +++++++++++++++++++
 .../ingress-controller/mandatory.yaml | 8 ---
 4 files changed, 59 insertions(+), 39 deletions(-)
 create mode 100755 rootfs/entrypoint.sh
diff --git a/Makefile b/Makefile
index 598b2dce98..18deb15f9f 100644
--- a/Makefile
+++ b/Makefile
@@ -57,7 +57,7 @@ IMAGE = $(REGISTRY)/$(IMGNAME)
 MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
 # Set default base image dynamically for each arch
-BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.54
+BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.55
 ifeq ($(ARCH),arm)
 QEMUARCH=arm
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index 8944db61f0..947f3fe373 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -25,35 +25,6 @@ RUN clean-install \
 COPY . /
-# Create symlinks to redirect nginx logs to stdout and stderr docker log collector
-# This only works if nginx is started with CMD or ENTRYPOINT
-# Required because clean-install removes /var/log content
-# We cannot chown /etc/nginx recursively because that adds 100MB to the image
-RUN mkdir -p /var/log/nginx \
- && ln -sf /dev/stdout /var/log/nginx/access.log \
- && ln -sf /dev/stderr /var/log/nginx/error.log \
- && bash -eux -c ' \
- writeDirs=( \
- /etc/nginx/template \
- /etc/ingress-controller/ssl \
- /etc/ingress-controller/auth \
- /var/log \
- /var/log/nginx \
- ); \
- for dir in "${writeDirs[@]}"; do \
- mkdir -p ${dir}; \
- chown -R www-data.www-data ${dir}; \
- done \
- ' \
- && chown www-data.www-data /etc/nginx/nginx.conf \
- && chown www-data.www-data /etc/nginx/opentracing.json
-
-RUN setcap cap_net_bind_service=+ep /nginx-ingress-controller \
- && setcap -v cap_net_bind_service=+ep /nginx-ingress-controller
-
-USER www-data
-
-ENTRYPOINT ["/usr/bin/dumb-init"]
+ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/nginx-ingress-controller"]
-
diff --git a/rootfs/entrypoint.sh b/rootfs/entrypoint.sh
new file mode 100755
index 0000000000..f617f51c9d
--- /dev/null
+++ b/rootfs/entrypoint.sh
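Review bot: With `USER www-data` removed and `ENTRYPOINT ["/entrypoint.sh"]` added, the image's default user is now root, so the privilege drop depends entirely on the entrypoint's branch logic and any `runAsNonRoot` admission policy will reject the image as-is. The directory setup and `chown` work that previously ran once at build time now runs on every container start, and nothing in the Dockerfile says so; a comment above the new ENTRYPOINT line such as `# Starts as root: /entrypoint.sh fixes ownership, applies file capabilities and drops to www-data via su-exec` would make that contract visible. The commit subject says authbind replaces setcap, but no authbind configuration appears in this hunk or in entrypoint.sh, which still calls setcap; if the message is stale it should be corrected before merge.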
@@ -0,0 +1,57 @@
+#!/usr/bin/dumb-init /bin/bash
+
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+mkdir -p /var/log/nginx
+echo 0 > /tmp/nginx.pid
+writeDirs=( \
+ /etc/nginx/template \
+ /etc/ingress-controller/ssl \
+ /etc/ingress-controller/auth \
+ /var/log \
+ /var/log/nginx \
+ /tmp \
+);
+
+for dir in "${writeDirs[@]}"; do
+ mkdir -p ${dir};
+ chown -R www-data.www-data ${dir};
+done
+
+ln -sf /dev/stdout /var/log/nginx/access.log
+ln -sf /dev/stderr /var/log/nginx/error.log
+
+chown www-data.www-data /var/log/nginx/*
+chown www-data.www-data /etc/nginx/nginx.conf
+chown www-data.www-data /etc/nginx/opentracing.json
+chown www-data.www-data /etc/nginx
+
+echo "Testing if setcap is supported..."
+if test 'setcap cap_net_bind_service=+ep /usr/sbin/nginx'; then
+ echo "setcap is supported. Setting cap_net_bind_service=+ep to allow binding port lower than 1024 as non-root"
+ setcap cap_net_bind_service=+ep /usr/sbin/nginx
+ setcap -v cap_net_bind_service=+ep /usr/sbin/nginx
+ setcap cap_net_bind_service=+ep /nginx-ingress-controller
+ setcap -v cap_net_bind_service=+ep /nginx-ingress-controller
+
+ echo "Droping root privileges and running as user..."
+ su-exec www-data:www-data "$@"
+else
+ echo "WARNING!!!: setcap is not supported. Running as root"
+ echo "Please check https://github.com/moby/moby/issues/1070"
+ "$@"
+fi
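Review bot: The `if test 'setcap cap_net_bind_service=+ep /usr/sbin/nginx'; then` line near the end of the new entrypoint.sh never executes setcap: `test` given a single non-empty string is always true, so the first branch is taken unconditionally, and on a filesystem without xattr support the unguarded `setcap` calls inside it abort the script under `set -e` instead of reaching the fallback. The fallback itself runs the controller as root after only a log line, which silently widens the container's privileges; a safer default is to fail closed and require an explicit operator opt-in before running as root. Using `exec` for the final command lets the controller replace the shell instead of running as its child, which keeps signal delivery from dumb-init simple (dumb-init's default process-group mode may already cover this, worth confirming). The `chown -R www-data.www-data /tmp` that results from listing `/tmp` in `writeDirs` also recurses over a world-writable directory on every start; restricting the chown to the pid file the controller actually writes would be tighter.
```bash
echo "Testing if setcap is supported..."
# `test '<string>'` was always true; run setcap itself and let its exit status decide.
if setcap cap_net_bind_service=+ep /usr/sbin/nginx \
    && setcap cap_net_bind_service=+ep /nginx-ingress-controller; then
  setcap -v cap_net_bind_service=+ep /usr/sbin/nginx
  setcap -v cap_net_bind_service=+ep /nginx-ingress-controller
  echo "Dropping root privileges and running as user..."
  exec su-exec www-data:www-data "$@"
else
  # … unchanged: warning messages …
  # Fail closed rather than silently running as root; gate any root fallback
  # behind an explicit operator opt-in (placeholder: <ROOT_FALLBACK_OPT_IN>).
  exit 1
fi
```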
diff --git a/test/manifests/ingress-controller/mandatory.yaml b/test/manifests/ingress-controller/mandatory.yaml
index b349f9f674..51bfdfafb2 100644
--- a/test/manifests/ingress-controller/mandatory.yaml
+++ b/test/manifests/ingress-controller/mandatory.yaml
@@ -251,14 +251,6 @@ spec:
 - --publish-service=$(POD_NAMESPACE)/ingress-nginx
 - --annotations-prefix=nginx.ingress.kubernetes.io
 - --watch-namespace=${NAMESPACE}
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- # www-data -> 33
- runAsUser: 33
 env:
 - name: POD_NAME
 valueFrom:
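Review bot: Removing the whole `securityContext` block (drop ALL, add NET_BIND_SERVICE, runAsUser 33) leaves the controller pod running as root with the runtime's default capability set, which is broader than the new entrypoint needs. The entrypoint only requires what `chown`, `setcap` and `su-exec` use, so keeping `drop: [ALL]` and adding just those capabilities preserves most of the previous hardening; the set below is inferred from the entrypoint's commands (`DAC_OVERRIDE` may also be needed for writes into directories already handed to www-data) and should be confirmed by running the manifest under it. `runAsUser: 33` had to go because the entrypoint must start as root, and `allowPrivilegeEscalation: false` is not a substitute here, since the file capabilities the entrypoint sets are granted at exec time and no_new_privs blocks that.
```yaml
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - CHOWN
      - SETFCAP
      - SETUID
      - SETGID
      - NET_BIND_SERVICE
# … unchanged: env and the rest of the container spec …
```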