From 4c5f307c69ff5a337fd26a40481173b215369d36 Mon Sep 17 00:00:00 2001
From: Valters Jansons
Date: Fri, 18 Aug 2023 23:05:07 +0300
Subject: [PATCH] Ensure `/var/log/nginx` is writeable by GID 0

In a standard deployment, error log is written to `/dev/stderr` and access log is written to `/dev/stdout`. Furthermore, `error.log` and `access.log` in `/var/log/nginx` are mapped to the respective stdio. However, a deployment may override configuration, and remove the symbolic links, to write to the container storage directly. OpenShift tries to impose various restrictions by default. One of these is for UID/GID used by the container process. If these restrictions are supported in future, adjustments to file system permissions need to be done so that /var/log/nginx remains writeable. Specifically, OpenShift adds GID 0 as supplemental to container process for file system operations. This PR ensures the nginx user (UID `101`) and root group (GID `0`) owns the log directory, and that owner group permissions match the owner user permissions (`g=u`). This ensures that OpenShift deployments retain write permissions in future.

---
build/Dockerfile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/build/Dockerfile b/build/Dockerfile
index 54abbc6dab..1a7b0110b6 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -237,8 +237,8 @@ RUN --mount=type=bind,target=/tmp [ -n "${BUILD_OS##*plus*}" ] && exit 0; mkdir
 # run only on nap waf build
 RUN --mount=type=bind,target=/tmp [ -n "${NAP_MODULES##*waf*}" ] && exit 0; mkdir -p /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /var/log/app_protect /opt/app_protect \
- && chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
- && chmod -R g=u /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
+ && chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ \
+ && chmod -R g=u /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ \
 && touch /etc/nginx/waf/nac-usersigs/index.conf \
 && cp -a /tmp/build/log-default.json /etc/nginx
@@ -251,8 +251,8 @@ RUN --mount=type=bind,target=/tmp mkdir -p /var/lib/nginx /etc/nginx/secrets /et
 && setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx 'cap_net_bind_service=+eip' /usr/sbin/nginx-debug \
 && [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
 /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
- && chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
- && chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
+ && chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
+ && chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
 && rm -f /etc/nginx/conf.d/*
 # Uncomment the line below if you would like to add the default.pem to the image
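Review bot: The new `chown -R 101:0 … /var/log/nginx` in the second hunk (the `@@ -251` block) recurses into a directory that, per the commit message, holds the `error.log`/`access.log` symlinks to `/dev/stderr`/`/dev/stdout`; GNU chown with `-R` and no `-H`/`-L` changes the link itself rather than the device node it points to, and `chmod -R` skips symlinks met during traversal, but whether every image variant's chown behaves the same way should be confirmed so the build never re-owns device nodes. The enclosing RUN starts before the hunk, in the `mkdir -p …` list that is only visible truncated in the hunk header, so it is not clear whether `/var/log/nginx` is created there or assumed to come from the nginx package; adding it to that `mkdir -p` list would make the step independent of package layout, since a missing directory fails the build at the chown. The first hunk's removal of `/var/log/nginx/` from the WAF-only step is consistent with this move, because that step is skipped on non-WAF builds and the general step now covers all variants. The rationale currently lives only in the commit message; a comment above the chown line such as `# 101:0 and g=u so a supplemental GID 0 (OpenShift) can still write logs if the stdio symlinks are replaced` would keep it with the Dockerfile.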