From 78d7bca7699dc9feac17d59cb98d68c18bd64ddd Mon Sep 17 00:00:00 2001
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:14:01 +0000
Subject: [PATCH 1/8] Dockerfile: create a user and a group with provided IDs
And run as the "nginx" user.
https://wiki.alpinelinux.org/wiki/Setting_up_a_new_user#Options
---
 Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 144fa40..c8322d5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -218,8 +218,8 @@ COPY --from=base /usr/sbin/njs /usr/sbin/njs
 # hadolint ignore=SC2046
 RUN \
- addgroup -S nginx \
- && adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
+ addgroup --gid 101 -S nginx \
+ && adduser --uid 100 -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
 && apk add --no-cache --virtual .nginx-rundeps tzdata $(cat /tmp/runDeps.txt) \
 && rm /tmp/runDeps.txt \
 && ln -s /usr/lib/nginx/modules /etc/nginx/modules \
@@ -241,8 +241,9 @@ RUN njs -v
 # test the configuration
 RUN nginx -V; nginx -t
-EXPOSE 80 443
+EXPOSE 8080 8443
 STOPSIGNAL SIGTERM
+USER nginx
 CMD ["nginx", "-g", "daemon off;"]
From b89ad9ca061ca9098bd7247095cce9255cefdc89 Mon Sep 17 00:00:00 2001
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:18:29 +0000
Subject: [PATCH 2/8] Update file permissions, now nginx owns the files
---
 Dockerfile | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index c8322d5..d4af226 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -245,5 +245,10 @@ EXPOSE 8080 8443
 STOPSIGNAL SIGTERM
+# prepare to switching to non-root - update file permissions
+RUN chown --verbose \
+ /var/run/nginx.pid \
+ nginx:nginx
+
 USER nginx
 CMD ["nginx", "-g", "daemon off;"]
From 01b210b639a85324cd5742fd7ab3bc63fa3b26e1 Mon Sep 17 00:00:00 2001
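Review bot: The UID/GID are hard-coded as `--uid 100` / `--gid 101` on the adduser/addgroup lines even though the subject speaks of "provided IDs"; declaring them as build arguments keeps the same defaults while letting a deployment that must match a different numeric identity (for example a runtime policy enforcing a specific runAsUser) override them without editing the file. That is two `ARG` lines above this `RUN` plus `addgroup --gid "${NGINX_GID}" -S nginx` and `adduser --uid "${NGINX_UID}" -D -S ...` here. A short comment recording why the IDs are pinned would also help the next reader, e.g. `# fixed UID/GID so runtime policies can refer to a stable numeric identity`. The `RUN` instruction continues past the end of this hunk.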
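Review bot: `USER nginx` is added below `RUN nginx -V; nginx -t`, so the configuration test still runs as root and cannot catch files the unprivileged master will fail to open at start-up (error/access logs, temp paths); running the test after the switch, `USER nginx` followed by `RUN nginx -t`, makes the build fail early if the permission work is incomplete. Separately, `EXPOSE 8080 8443` is documentation only: nothing in this series touches the `listen` directives, so confirm the server blocks actually listen on 8080/8443, since a master running as `nginx` cannot bind 80/443 without extra capabilities.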
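Review bot: Only `/var/run/nginx.pid` changes owner, but a master process started as `nginx` also needs write access to whatever `error_log`/`access_log` files and temp paths nginx.conf names; the `-h /var/cache/nginx` home from patch 1/8 may cover the temp paths, while the log directory is not visible in this series, so confirm those or extend the path list. The corrected invocation in patch 4/8 keeps the same single path, so this applies there too. The comment above the `RUN` should say what is being prepared, e.g. `# prepare for switching to non-root: nginx rewrites its pid file at start-up, so it must own it`. Note that `chown` fails on a missing path, so this step also assumes the pid file already exists at this point in the build.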
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:19:22 +0000
Subject: [PATCH 3/8] nginx.conf: the remove "user" directive
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:9
---
 nginx.conf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/nginx.conf b/nginx.conf
index 0d8babb..f6fa046 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -5,8 +5,6 @@
 # http://nginx.org/en/docs/ngx_core_module.html#load_module
 include /etc/nginx/main.d/*.conf;
-
-user nginx;
 worker_processes 1;
 error_log /var/log/nginx/error.log warn;
From fd353dd153761edff994e8bb42c5d39c74e9429d Mon Sep 17 00:00:00 2001
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:22:09 +0000
Subject: [PATCH 4/8] Fix chown invocation
---
 Dockerfile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d4af226..38b741c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -246,9 +246,8 @@ EXPOSE 8080 8443
 STOPSIGNAL SIGTERM
 # prepare to switching to non-root - update file permissions
-RUN chown --verbose \
- /var/run/nginx.pid \
- nginx:nginx
+RUN chown --verbose nginx:nginx \
+ /var/run/nginx.pid
 USER nginx
 CMD ["nginx", "-g", "daemon off;"]
From 830433e4e4ac24a68c7f7c85e92a2be254412558 Mon Sep 17 00:00:00 2001
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:26:23 +0000
Subject: [PATCH 5/8] CI: are we running as non-root?
---
 .github/workflows/dockerimage.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 9bf9ba5..7646018 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -50,6 +50,10 @@ jobs:
 run: |
 docker images | head -n3
+ - name: Are we running as non-root?
+ run: |
+ docker exec nginx whoami | grep nginx
+
 - name: Run nginx -V and njs -v
 run: |
 docker run -t macbre/nginx nginx -V | sed 's/\-\-/\n\t--/g' | tee
From 541d977436c114126e1b0f56ec0707490214c8ab Mon Sep 17 00:00:00 2001
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:31:06 +0000
Subject: [PATCH 6/8] Update dockerimage.yml
---
 .github/workflows/dockerimage.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 7646018..8585944 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -52,11 +52,11 @@ jobs:
 - name: Are we running as non-root?
 run: |
- docker exec nginx whoami | grep nginx
+ docker run --rm nginx whoami | grep nginx
 - name: Run nginx -V and njs -v
 run: |
- docker run -t macbre/nginx nginx -V | sed 's/\-\-/\n\t--/g' | tee
+ docker run --rm -t macbre/nginx nginx -V | sed 's/\-\-/\n\t--/g' | tee
 echo "njs v$(docker run -t macbre/nginx njs -v)"
 - name: Serve a static asset
From a24e691dfbdbb71aa096a9f92161fb4fdd0428a1 Mon Sep 17 00:00:00 2001
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:31:51 +0000
Subject: [PATCH 7/8] Update dockerimage.yml
---
 .github/workflows/dockerimage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 8585944..7483afb 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -52,7 +52,7 @@ jobs:
 - name: Are we running as non-root?
 run: |
- docker run --rm nginx whoami | grep nginx
+ docker run --rm -t macbre/nginx nginx whoami | grep nginx
 - name: Run nginx -V and njs -v
 run: |
From 3bb43e8b417d18838de79b0997a5ebe37670b07e Mon Sep 17 00:00:00 2001
From: Maciej Brencz
Date: Fri, 2 Dec 2022 14:35:06 +0000
Subject: [PATCH 8/8] Update dockerimage.yml
---
 .github/workflows/dockerimage.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 7483afb..ea20463 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -52,7 +52,7 @@ jobs:
 - name: Are we running as non-root?
 run: |
- docker run --rm -t macbre/nginx nginx whoami | grep nginx
+ docker run --rm -t macbre/nginx whoami | grep nginx
 - name: Run nginx -V and njs -v
 run: |
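Review bot: `grep nginx` is a substring match, so this step passes for any user name that merely contains `nginx`, and `-t` allocates a pseudo-terminal that leaves a trailing carriage return on `whoami`'s output; dropping `-t` and matching the whole line, `docker run --rm macbre/nginx whoami | grep -x nginx`, keeps the check strict. Since patch 1/8 pins `--uid 100`, asserting the number is even more direct: `test "$(docker run --rm macbre/nginx id -u)" = 100`. The same loose match appears in patches 5/8 through 7/8, which this hunk supersedes.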