From 6b6ca410cd1e1bd4a24f0607cab1ffb0f7869ad3 Mon Sep 17 00:00:00 2001 From: LorcanMcVeigh Date: Wed, 21 Aug 2019 11:57:42 +0100 Subject: [PATCH] Run IC as non-root --- build/Dockerfile | 20 ++++++++++++---- build/DockerfileForAlpine | 19 +++++++++++---- build/DockerfileForPlus | 19 ++++++++++----- build/DockerfileWithOpentracing | 23 +++++++++++++++---- build/DockerfileWithOpentracingForPlus | 22 +++++++++++------- cmd/nginx-ingress/main.go | 9 ++++---- deployments/daemon-set/nginx-ingress.yaml | 8 +++++++ .../daemon-set/nginx-plus-ingress.yaml | 8 +++++++ deployments/deployment/nginx-ingress.yaml | 8 +++++++ .../deployment/nginx-plus-ingress.yaml | 8 +++++++ .../templates/controller-daemonset.yaml | 8 +++++++ .../templates/controller-deployment.yaml | 8 +++++++ internal/configs/version1/nginx-plus.tmpl | 7 +++--- internal/configs/version1/nginx.tmpl | 9 ++++---- internal/configs/virtualserver.go | 2 +- internal/nginx/manager.go | 2 +- internal/nginx/verify.go | 4 ++-- 17 files changed, 137 insertions(+), 47 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 380f6000f6..7bd520e1ed 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -6,14 +6,24 @@ RUN ln -sf /proc/1/fd/1 /var/log/nginx/access.log \ && ln -sf /proc/1/fd/1 /var/log/nginx/stream-access.log \ && ln -sf /proc/1/fd/2 /var/log/nginx/error.log -COPY nginx-ingress internal/configs/version1/nginx.ingress.tmpl internal/configs/version1/nginx.tmpl internal/configs/version2/nginx.virtualserver.tmpl / - -RUN rm /etc/nginx/conf.d/* +RUN mkdir -p /var/lib/nginx \ + && mkdir -p /etc/nginx/secrets \ + && apt-get update \ + && apt-get install -y libcap2-bin \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && chown -R nginx:0 /etc/nginx \ + && chown -R nginx:0 /var/cache/nginx \ + && chown -R nginx:0 /var/lib/nginx \ + && apt-get remove --purge -y libcap2-bin \ + && rm /etc/nginx/conf.d/* \ + && rm -rf /var/lib/apt/lists/* -RUN mkdir -p /etc/nginx/secrets +COPY nginx-ingress internal/configs/version1/nginx.ingress.tmpl internal/configs/version1/nginx.tmpl internal/configs/version2/nginx.virtualserver.tmpl / # Uncomment the line below if you would like to add the default.pem to the image # and use it as a certificate and key for the default server # ADD default.pem /etc/nginx/secrets/default -ENTRYPOINT ["/nginx-ingress"] +USER nginx + +ENTRYPOINT ["/nginx-ingress"] \ No newline at end of file diff --git a/build/DockerfileForAlpine b/build/DockerfileForAlpine index 5b15929995..edcd60a252 100644 --- a/build/DockerfileForAlpine +++ b/build/DockerfileForAlpine 
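Review bot: `chown -R nginx:0 /etc/nginx` hands the whole configuration tree, including `/etc/nginx/secrets`, to the same uid that the nginx master and its workers now run as (the `user nginx;` directive is dropped in the template hunks), so the 0600 TLS key files the controller writes (`TLSSecretFileMode = 0600` in the manager.go context) become readable and writable by the worker processes that terminate untrusted traffic, whereas before the root-owned master kept them away from the worker uid. That loss of separation is inherent to the non-root design, but it deserves a comment on the chown line, e.g. `# nginx must own /etc/nginx: the controller writes configs and secrets here, and the workers now share this uid`. The `setcap` result is an xattr on `/usr/sbin/nginx` that only takes effect when the pod permits privilege escalation, as the manifests do, so a one-line comment such as `# file capability so nginx can bind 80/443 as uid nginx; needs allowPrivilegeEscalation=true` would save the next reader the trip. `apt-get install -y libcap2-bin` should also take `--no-install-recommends --no-install-suggests` as the Plus Dockerfile does. The same points apply to the DockerfileForAlpine and DockerfileWithOpentracing hunks.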
@@ -6,14 +6,23 @@ RUN ln -sf /proc/1/fd/1 /var/log/nginx/access.log \ && ln -sf /proc/1/fd/1 /var/log/nginx/stream-access.log \ && ln -sf /proc/1/fd/2 /var/log/nginx/error.log -COPY nginx-ingress internal/configs/version1/nginx.ingress.tmpl internal/configs/version1/nginx.tmpl internal/configs/version2/nginx.virtualserver.tmpl / - -RUN rm /etc/nginx/conf.d/* +RUN mkdir -p /etc/nginx/secrets \ + && mkdir -p /var/lib/nginx \ + && apk add --no-cache libcap \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && chown -R nginx:0 /etc/nginx \ + && chown -R nginx:0 /var/cache/nginx \ + && chown -R nginx:0 /var/lib/nginx \ + && apk del libcap \ + && rm /etc/nginx/conf.d/* \ + && rm -rf /var/cache/apk/* -RUN mkdir -p /etc/nginx/secrets +COPY nginx-ingress internal/configs/version1/nginx.ingress.tmpl internal/configs/version1/nginx.tmpl internal/configs/version2/nginx.virtualserver.tmpl / # Uncomment the line below if you would like to add the default.pem to the image # and use it as a certificate and key for the default server # ADD default.pem /etc/nginx/secrets/default -ENTRYPOINT ["/nginx-ingress"] +USER nginx + +ENTRYPOINT ["/nginx-ingress"] \ No newline at end of file diff --git a/build/DockerfileForPlus b/build/DockerfileForPlus index 555084bbd5..e23ab1b6b3 100644 --- a/build/DockerfileForPlus +++ b/build/DockerfileForPlus @@ -16,7 +16,7 @@ RUN chmod 644 /etc/ssl/nginx/* # Install NGINX Plus RUN set -x \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 \ + && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin \ && \ NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ found=''; \ 
@@ -37,6 +37,7 @@ RUN set -x \ && echo "Acquire::https::plus-pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION-apt\";" >> /etc/apt/apt.conf.d/90nginx \ && printf "deb https://plus-pkgs.nginx.com/debian stretch nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ && apt-get update && apt-get install -y nginx-plus=${NGINX_PLUS_VERSION} \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && apt-get remove --purge --auto-remove -y gnupg1 \ && rm -rf /var/lib/apt/lists/* \ && rm -rf /etc/ssl/nginx \ @@ -46,19 +47,25 @@ RUN set -x \ # forward nginx access and error logs to stdout and stderr of the ingress # controller process RUN ln -sf /proc/1/fd/1 /var/log/nginx/access.log \ - && ln -sf /proc/1/fd/1 /var/log/nginx/stream-access.log \ - && ln -sf /proc/1/fd/2 /var/log/nginx/error.log + && ln -sf /proc/1/fd/1 /var/log/nginx/stream-access.log \ + && ln -sf /proc/1/fd/2 /var/log/nginx/error.log +RUN mkdir -p /var/lib/nginx \ + && mkdir -p /etc/nginx/secrets \ + && chown -R nginx:0 /etc/nginx \ + && chown -R nginx:0 /var/cache/nginx \ + && chown -R nginx:0 /var/lib/nginx/ \ + && apt-get remove --purge -y libcap2-bin \ + && rm /etc/nginx/conf.d/* EXPOSE 80 443 COPY nginx-ingress internal/configs/version1/nginx-plus.ingress.tmpl internal/configs/version1/nginx-plus.tmpl internal/configs/version2/nginx-plus.virtualserver.tmpl / -RUN rm /etc/nginx/conf.d/* \ - && mkdir -p /etc/nginx/secrets - # Uncomment the line below if you would like to add the default.pem to the image # and use it as a certificate and key for the default server # ADD default.pem /etc/nginx/secrets/default +USER nginx + ENTRYPOINT ["/nginx-ingress"] \ No newline at end of file diff --git a/build/DockerfileWithOpentracing b/build/DockerfileWithOpentracing index 4f4e1d6e1e..a0a8069a1c 100644 --- a/build/DockerfileWithOpentracing +++ b/build/DockerfileWithOpentracing 
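Review bot: `apt-get remove --purge -y libcap2-bin` in the second hunk runs in a different RUN from the layer that installed the package, so its files remain in the lower layer and the removal only adds a whiteout; the install, `setcap`, and purge belong in the single chain that already purges gnupg1, i.e. `&& apt-get remove --purge --auto-remove -y gnupg1 libcap2-bin \` directly after the new `setcap` line, with the later RUN losing its remove step. The DockerfileWithOpentracingForPlus hunks have the same layering. `chown -R nginx:0 /var/lib/nginx/` also carries a trailing slash that the other Dockerfiles do not use; harmless, but worth aligning. Both RUN chains start outside the hunks.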
@@ -33,7 +33,8 @@ RUN set -x \ && make && make install \ && cd "$tempDir" \ && NGINX_VERSION_BUILD=`nginx -v 2>&1` && NGINX_VERSION_BUILD=${NGINX_VERSION_BUILD#*nginx/} \ - && echo "deb-src http://nginx.org/packages/mainline/debian/ stretch nginx" >> /etc/apt/sources.list \ + && DEBIAN_VERSION="$(cat /etc/os-release | grep CODENAME | cut -f2 -d '=')" \ + && echo "deb-src http://nginx.org/packages/mainline/debian/ $DEBIAN_VERSION nginx" >> /etc/apt/sources.list \ && apt-get update \ && apt-get build-dep -y nginx=${NGINX_VERSION_BUILD} \ && wget -O nginx-release-${NGINX_VERSION_BUILD}.tar.gz https://github.com/nginx/nginx/archive/release-${NGINX_VERSION_BUILD}.tar.gz \ 
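Review bot: The `DEBIAN_VERSION` derivation silently produces an empty string when no `CODENAME` line is found, because the last command in the pipeline is `cut` and `set -x` does not enable `pipefail` (which dash does not support anyway); the `deb-src ... $DEBIAN_VERSION nginx` entry would then be malformed and the failure only surfaces later at `apt-get build-dep`. Reading the standard field directly avoids the pipeline and the `cat`: `&& . /etc/os-release && echo "deb-src http://nginx.org/packages/mainline/debian/ $VERSION_CODENAME nginx" >> /etc/apt/sources.list \`, assuming the builder's os-release defines `VERSION_CODENAME` as Debian's does. The enclosing RUN starts and ends outside the hunk.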
@@ -58,26 +59,38 @@ RUN set -x \ # Final Image FROM nginx:${NGINX_VERSION} ARG OPENTRACING_CPP_VERSION + # forward nginx access and error logs to stdout and stderr of the ingress # controller process RUN ln -sf /proc/1/fd/1 /var/log/nginx/access.log \ && ln -sf /proc/1/fd/1 /var/log/nginx/stream-access.log \ && ln -sf /proc/1/fd/2 /var/log/nginx/error.log -COPY nginx-ingress internal/configs/version1/nginx.ingress.tmpl internal/configs/version1/nginx.tmpl internal/configs/version2/nginx.virtualserver.tmpl / - COPY --from=opentracing-builder /ngx_http_opentracing_module.so /usr/lib/nginx/modules/ngx_http_opentracing_module.so COPY --from=opentracing-builder /usr/local/lib/libopentracing.so.${OPENTRACING_CPP_VERSION} /usr/local/lib/libopentracing.so.1 # Edit the line below to use a different tracer COPY --from=tracer-downloader /usr/local/lib/libjaegertracing_plugin.so /usr/local/lib/libjaegertracing_plugin.so + RUN ldconfig -RUN rm /etc/nginx/conf.d/* +RUN mkdir -p /var/lib/nginx \ + && mkdir -p /etc/nginx/secrets \ + && apt-get update \ + && apt-get install -y libcap2-bin \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && chown -R nginx:0 /etc/nginx \ + && chown -R nginx:0 /var/cache/nginx \ + && chown -R nginx:0 /var/lib/nginx \ + && apt-get remove --purge -y libcap2-bin \ + && rm /etc/nginx/conf.d/* \ + && rm -rf /var/lib/apt/lists/* -RUN mkdir -p /etc/nginx/secrets +COPY nginx-ingress internal/configs/version1/nginx.ingress.tmpl internal/configs/version1/nginx.tmpl internal/configs/version2/nginx.virtualserver.tmpl / # Uncomment the line below if you would like to add the default.pem to the image # and use it as a certificate and key for the default server # ADD default.pem /etc/nginx/secrets/default +USER nginx + ENTRYPOINT ["/nginx-ingress"] \ No newline at end of file diff --git a/build/DockerfileWithOpentracingForPlus b/build/DockerfileWithOpentracingForPlus index 1dfee5c777..65509251de 100644 --- a/build/DockerfileWithOpentracingForPlus 
+++ b/build/DockerfileWithOpentracingForPlus @@ -4,8 +4,7 @@ ARG JAEGER_VERSION=v0.4.2 RUN set -x \ && apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates apt-transport-https wget \ - && wget https://github.com/jaegertracing/jaeger-client-cpp/releases/download/${JAEGER_VERSION}/libjaegertracing_plugin.linux_amd64.so -O /usr/local/lib/libjaegertracing_plugin.so - + && wget https://github.com/jaegertracing/jaeger-client-cpp/releases/download/${JAEGER_VERSION}/libjaegertracing_plugin.linux_amd64.so -O /usr/local/lib/libjaegertracing_plugin.so # Final Image FROM debian:stretch-slim @@ -27,7 +26,7 @@ RUN chmod 644 /etc/ssl/nginx/* # Install NGINX Plus RUN set -x \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 \ + && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates gnupg1 libcap2-bin \ && \ NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \ found=''; \ @@ -51,6 +50,7 @@ RUN set -x \ nginx-plus=${NGINX_PLUS_VERSION} \ # Install OpenTracing module nginx-plus-module-opentracing=${NGINX_OPENTRACING_MODULE_VERSION} \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && apt-get remove --purge --auto-remove -y gnupg1 \ && rm -rf /var/lib/apt/lists/* \ && rm -rf /etc/ssl/nginx \ 
@@ -63,19 +63,25 @@ RUN ln -sf /proc/1/fd/1 /var/log/nginx/access.log \ && ln -sf /proc/1/fd/1 /var/log/nginx/stream-access.log \ && ln -sf /proc/1/fd/2 /var/log/nginx/error.log - # Edit the line below to use a different tracer COPY --from=tracer-downloader /usr/local/lib/libjaegertracing_plugin.so /usr/local/lib/libjaegertracing_plugin.so +RUN mkdir -p /var/lib/nginx \ + && mkdir -p /etc/nginx/secrets \ + && chown -R nginx:0 /etc/nginx \ + && chown -R nginx:0 /var/cache/nginx \ + && chown -R nginx:0 /var/lib/nginx/ \ + && apt-get remove --purge -y libcap2-bin \ + && rm /etc/nginx/conf.d/* + EXPOSE 80 443 COPY nginx-ingress internal/configs/version1/nginx-plus.ingress.tmpl internal/configs/version1/nginx-plus.tmpl internal/configs/version2/nginx-plus.virtualserver.tmpl / -RUN rm /etc/nginx/conf.d/* \ - && mkdir -p /etc/nginx/secrets - # Uncomment the line below if you would like to add the default.pem to the image # and use it as a certificate and key for the default server # ADD default.pem /etc/nginx/secrets/default -ENTRYPOINT ["/nginx-ingress"] +USER nginx + +ENTRYPOINT ["/nginx-ingress"] \ No newline at end of file diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 2062914a68..e7e4661a6b 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go 
@@ -12,14 +12,13 @@ import ( "syscall" "time" - "github.com/nginxinc/kubernetes-ingress/internal/configs/version2" - "github.com/nginxinc/kubernetes-ingress/internal/metrics/collectors" - "github.com/golang/glog" "github.com/nginxinc/kubernetes-ingress/internal/configs" "github.com/nginxinc/kubernetes-ingress/internal/configs/version1" + "github.com/nginxinc/kubernetes-ingress/internal/configs/version2" "github.com/nginxinc/kubernetes-ingress/internal/k8s" "github.com/nginxinc/kubernetes-ingress/internal/metrics" + "github.com/nginxinc/kubernetes-ingress/internal/metrics/collectors" "github.com/nginxinc/kubernetes-ingress/internal/nginx" k8s_nginx "github.com/nginxinc/kubernetes-ingress/pkg/client/clientset/versioned" conf_scheme "github.com/nginxinc/kubernetes-ingress/pkg/client/clientset/versioned/scheme" @@ -350,7 +349,7 @@ func main() { var plusClient *client.NginxClient if *nginxPlus && !useFakeNginxManager { - httpClient := getSocketClient("/var/run/nginx-plus-api.sock") + httpClient := getSocketClient("/var/lib/nginx/nginx-plus-api.sock") plusClient, err = client.NewNginxClient(httpClient, "http://nginx-plus-api/api") if err != nil { glog.Fatalf("Failed to create NginxClient for Plus: %v", err) @@ -362,7 +361,7 @@ func main() { if *nginxPlus { go metrics.RunPrometheusListenerForNginxPlus(*prometheusMetricsListenPort, plusClient, registry) } else { - httpClient := getSocketClient("/var/run/nginx-status.sock") + httpClient := getSocketClient("/var/lib/nginx/nginx-status.sock") client, err := metrics.NewNginxMetricsClient(httpClient) if err != nil { glog.Fatalf("Error creating the Nginx client for Prometheus metrics: %v", err) diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index 6e7b1cea1a..6bef5c9ca3 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml 
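Review bot: The two socket paths changed here are string literals that this commit now repeats across main.go, nginx.tmpl, nginx-plus.tmpl, virtualserver.go and verify.go (twice there, once in the dialer and once in the config template), and the virtualserver.go hunk already shows the cost, spelling its path differently from the template that listens on it. Defining the directory once, e.g. `const SocketDir = "/var/lib/nginx"` in the nginx package that main.go already imports, with the socket names built from it and handed to the templates as data, would give the Go side and the rendered configs one definition to agree on. main's body starts and ends outside these hunks.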
@@ -29,6 +29,14 @@ spec: hostPort: 443 #- name: prometheus #containerPort: 9113 + securityContext: + allowPrivilegeEscalation: true + runAsUser: 101 #nginx + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index 39208c3c07..2086ae3ea1 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml @@ -29,6 +29,14 @@ spec: hostPort: 443 #- name: prometheus #containerPort: 9113 + securityContext: + allowPrivilegeEscalation: true + runAsUser: 101 #nginx + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index a684aa8038..bcf712d64f 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -28,6 +28,14 @@ spec: containerPort: 443 #- name: prometheus #containerPort: 9113 + securityContext: + allowPrivilegeEscalation: true + runAsUser: 101 #nginx + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 128b1ec0eb..51d2ba6a19 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -28,6 +28,14 @@ spec: containerPort: 443 #- name: prometheus #containerPort: 9113 + securityContext: + allowPrivilegeEscalation: true + runAsUser: 101 #nginx + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml index afdc2e2e8e..e9f1b8e999 100644 --- a/deployments/helm-chart/templates/controller-daemonset.yaml 
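Review bot: `allowPrivilegeEscalation: true` is set with no explanation, and because most pod security policies require it to be false a reason belongs next to it: the file capability that `setcap` puts on `/usr/sbin/nginx` in the Dockerfiles is only honoured when no_new_privs is off, e.g. `allowPrivilegeEscalation: true # needed for the file capability on /usr/sbin/nginx (setcap in build/Dockerfile*)`. `runAsUser: 101 #nginx` hard-codes a uid that the OSS images inherit from the nginx base image, but in the Plus images the `nginx` user is created by the nginx-plus package at install time, so the uid there should be verified or the user created with an explicit uid in the Plus Dockerfiles. Adding `runAsNonRoot: true` beside it would make the kubelet refuse to start the container if an image ever resolves its `USER` to uid 0. The same block is repeated in the other three manifests and both Helm templates.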
+++ b/deployments/helm-chart/templates/controller-daemonset.yaml @@ -58,6 +58,14 @@ spec: - name: prometheus containerPort: {{ .Values.prometheus.port }} {{- end }} + securityContext: + allowPrivilegeEscalation: true + runAsUser: 101 #nginx + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index 892b3cbb4a..d5ec53be2d 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml @@ -58,6 +58,14 @@ spec: {{- end }} resources: {{ toYaml .Values.controller.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: true + runAsUser: 101 #nginx + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index e2f7b0b72b..3b6014107a 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -1,5 +1,4 @@ -user nginx; worker_processes {{.WorkerProcesses}}; {{- if .WorkerRlimitNofile}} worker_rlimit_nofile {{.WorkerRlimitNofile}};{{end}} @@ -11,7 +10,7 @@ worker_shutdown_timeout {{.WorkerShutdownTimeout}};{{end}} daemon off; error_log /var/log/nginx/error.log {{.ErrorLogLevel}}; -pid /var/run/nginx.pid; +pid /var/lib/nginx/nginx.pid; {{- if .OpenTracingLoadModule}} load_module modules/ngx_http_opentracing_module.so; @@ -80,7 +79,7 @@ http { opentracing on; {{end}} {{if .OpenTracingLoadModule}} - opentracing_load_tracer {{ .OpenTracingTracer }} /etc/tracer-config.json; + opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json; {{end}} {{if .ResolverAddresses}} 
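Review bot: Both Helm templates hard-code `runAsUser: 101` and the capability set, so a chart user running a derived image whose nginx uid differs (the Plus images take it from the package) cannot adjust it without forking the template. Exposing at least the uid through a value, for instance `runAsUser: {{ .Values.controller.runAsUser }}` with a default of 101 in values.yaml (constructed key name), keeps the hardened default while leaving it overridable. The enclosing container spec starts and ends outside the hunks.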
@@ -145,7 +144,7 @@ http { # NGINX Plus API over unix socket server { - listen unix:/var/run/nginx-plus-api.sock; + listen unix:/var/lib/nginx/nginx-plus-api.sock; access_log off; {{if .OpenTracingEnabled}} diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl index 99382cf2a6..b9f8759cca 100644 --- a/internal/configs/version1/nginx.tmpl +++ b/internal/configs/version1/nginx.tmpl @@ -1,5 +1,4 @@ -user nginx; worker_processes {{.WorkerProcesses}}; {{- if .WorkerRlimitNofile}} worker_rlimit_nofile {{.WorkerRlimitNofile}};{{end}} @@ -10,7 +9,7 @@ worker_shutdown_timeout {{.WorkerShutdownTimeout}};{{end}} daemon off; error_log /var/log/nginx/error.log {{.ErrorLogLevel}}; -pid /var/run/nginx.pid; +pid /var/lib/nginx/nginx.pid; {{- if .OpenTracingLoadModule}} load_module modules/ngx_http_opentracing_module.so; @@ -79,7 +78,7 @@ http { opentracing on; {{end}} {{if .OpenTracingLoadModule}} - opentracing_load_tracer {{ .OpenTracingTracer }} /etc/tracer-config.json; + opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json; {{end}} server { @@ -130,7 +129,7 @@ http { {{- if .StubStatusOverUnixSocketForOSS }} server { - listen unix:/var/run/nginx-status.sock; + listen unix:/var/lib/nginx/nginx-status.sock; access_log off; {{if .OpenTracingEnabled}} @@ -147,7 +146,7 @@ http { include /etc/nginx/conf.d/*.conf; server { - listen unix:/var/run/nginx-502-server.sock; + listen unix:/var/lib/nginx/nginx-502-server.sock; access_log off; {{if .OpenTracingEnabled}} diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index 7c2eec57c9..897dfd4ff4 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go 
@@ -13,7 +13,7 @@ import ( conf_v1alpha1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1alpha1" ) -const nginx502Server = "unix:/var/run/nginx-502-server.sock" +const nginx502Server = "unix:/var/lib/nginx-502-server.sock" var incompatibleLBMethodsForSlowStart = map[string]bool{ "random": true, diff --git a/internal/nginx/manager.go b/internal/nginx/manager.go index bbfda37b9c..1a58725d5b 100644 --- a/internal/nginx/manager.go +++ b/internal/nginx/manager.go @@ -21,7 +21,7 @@ const TLSSecretFileMode = 0600 const JWKSecretFileMode = 0644 const configFileMode = 0644 -const jsonFileForOpenTracingTracer = "/etc/tracer-config.json" +const jsonFileForOpenTracingTracer = "/var/lib/nginx/tracer-config.json" // ServerConfig holds the config data for an upstream server in NGINX Plus. type ServerConfig struct { diff --git a/internal/nginx/verify.go b/internal/nginx/verify.go index bbaca8ec0e..9d6e6250e9 100644 --- a/internal/nginx/verify.go +++ b/internal/nginx/verify.go @@ -26,7 +26,7 @@ func newVerifyClient() *verifyClient { client: &http.Client{ Transport: &http.Transport{ DialContext: func(_ context.Context, _, _ string) (net.Conn, error) { - return net.Dial("unix", "/var/run/nginx-config-version.sock") + return net.Dial("unix", "/var/lib/nginx/nginx-config-version.sock") }, }, }, @@ -79,7 +79,7 @@ func (c *verifyClient) WaitForCorrectVersion(expectedVersion int) error { } const configVersionTemplateString = `server { - listen unix:/var/run/nginx-config-version.sock; + listen unix:/var/lib/nginx/nginx-config-version.sock; access_log off; {{if .OpenTracingLoadModule}}
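Review bot: The new `nginx502Server` value `unix:/var/lib/nginx-502-server.sock` is missing the `nginx/` directory component: the nginx.tmpl hunk makes NGINX listen on `unix:/var/lib/nginx/nginx-502-server.sock`, so every VirtualServer that falls back to the 502 server would proxy to a socket nothing listens on. It should read `const nginx502Server = "unix:/var/lib/nginx/nginx-502-server.sock"`. A test that renders a VirtualServer config and checks the upstream path against the template's listen path would catch this class of drift.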