Since commit 0501f0b73fd7fbfb139d1e98a7fd3b63426b16a1 it's not possible to run containers as an unprivileged user anymore because following lines have been removed:
&& addgroup -S nginx \
&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
Run on k8s with:
securityContext:
runAsUser: 100
allowPrivilegeEscalation: false
Result in:
2019/05/14 15:28:10 [emerg] 1#1: mkdir() "/var/cache/nginx/proxy_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/proxy_temp" failed (13: Permission denied)
+1
Indeed, the packages are creating nginx user now, and are using a different home directory. I'm going to fix that in the alpine packaging, and tag a new image once there is a new stable package available. Meanwhile you can change the /var/cache/nginx ownership manually.
Also, it seems it's also a deviation in the ownership rights from alpine variant to debian-based one, since /var/cache/nginx was created with a g+s bit on on alpine, and is 755 root:root on debian.
I'm not sure whether supporting such a deviation further is a good idea, since I'd like to have the behaviour consistent between the images. Any ideas?
I've made some changes in the current master to run nginx as an unprivileged user a bit easier, but this particular issue is I think best solved by providing a specific nginx.conf as a part of a container, e.g. with the following:
...
pid /tmp/nginx.pid;
http {
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
}
...
Or any other directory for which the user has write rights.
Most helpful comment
https://github.com/nginxinc/docker-nginx-unprivileged