Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow writing to default log directory for nginx:root #4279

Closed
sigv opened this issue Aug 22, 2023 · 1 comment · Fixed by #4269
Closed

Allow writing to default log directory for nginx:root #4279

sigv opened this issue Aug 22, 2023 · 1 comment · Fixed by #4269
Assignees
@lucacome
Labels
backlog Pull requests/issues that are backlog items proposal An issue that proposes a feature request
Milestone
v3.4.0

Comments

@sigv
Copy link
Contributor

sigv commented Aug 22, 2023
edited
Loading

Is your feature request related to a problem? Please describe.

Currently, build/Dockerfile ensures that the default log directory /var/log/nginx can be written to by UID 101 (nginx) and GID 0 (root) in App Protect image variant. However, in other image variants, this is not being ensured as part of build process.

UID 101 is used for the container image, and should be allowed.
Proposed changes in #3665 (randomization of UID/GID by OpenShift security policies) require GID 0 to be also allowed.

Describe the solution you'd like

All image variants ensure 101:0 (nginx:root) can write to /var/log/nginx directory.

Describe alternatives you've considered

Either:

  • Specifying a policy that writing to the default log directory is not supported.
  • Not moving forward with random UID/GID assignment by OpenShift.

Additional context

This is a pre-requisite for smooth implementation of #3544.

In current context (until OpenShift UID/GID change), this change is essentially a no-op.
@sigv sigv added the proposal An issue that proposes a feature request label Aug 22, 2023
@github-actions
Copy link

Hi @sigv thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@sigv sigv mentioned this issue Aug 22, 2023
Merged
6 tasks
@vepatel vepatel added the backlog Pull requests/issues that are backlog items label Sep 27, 2023
@brianehlert brianehlert added this to the v3.4.0 milestone Oct 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lucacome lucacome

Labels
backlog Pull requests/issues that are backlog items proposal An issue that proposes a feature request
Projects
None yet
Milestone
v3.4.0
Development

Successfully merging a pull request may close this issue.

Ensure /var/log/nginx is writeable by GID 0 sigv/kubernetes-ingress
4 participants
@lucacome @sigv @brianehlert @vepatel