I am trying to run a container from nginx-alpine as a non-root user and am getting the below error.
[emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
Question: Do I need to add a different port inside the Dockerfile for the non-root user, along with the USER instruction?

2 Answers
From the following article,
https://medium.com/@callback.insanity/forwarding-nginx-logs-to-docker-3bb6283a207

The user nobody which is a non root user, does not have access to the tty group so it can write to /dev/stdout and /dev/stderr.

In order for Docker logs to capture output from Nginx, you have to tell Nginx to write to /dev/stdout and /dev/stderr.

In my nginx.conf I have:

/proc/self/fd/0,1,2 file descriptors are accessible by the Docker container, regardless if using vanilla Docker or Docker Compose.

For example, /dev/stdout points to file descriptor /proc/self/fd/1, which in turn points to device /dev/pts/0 or similar.

If you don’t tell Docker to allocate the pts device using the tty flag in Docker Compose or -t in Docker, then writing to /dev/stdout when running the container as non-root fails.

You have the correct intuition.
Ports in the range 1-1024 need privileged permission to be bound. As you are starting nginx as a non-root user, you cannot bind nginx to listen on port 80.

The only way to fix this is to make Nginx listen on a non-privileged port >1024. To do this, you will need to feed a custom nginx.conf file. This should solve your immediate problem.

But there will be other permission issues down the line as nginx starts trying to access /var/log to write logs, /var/tmp/ for temp files etc.

The best option is to use the non-root nginx docker image itself. https://hub.docker.com/r/nginxinc/nginx-unprivileged
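
The custom-config route described above, written out as one Dockerfile. This is an added example, not code from either answer or from the nginx image project. The `nginx:alpine` tag, port 8080, the `/tmp` paths and the image's built-in `nginx` user are assumptions, and the inline `COPY` heredoc needs a BuildKit-enabled Docker.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. Assumed values: base tag, port 8080, /tmp for runtime files.
FROM nginx:alpine

# Replace the stock config so that every path nginx writes to is writable
# by an unprivileged user and the listener sits above the privileged range.
COPY <<EOF /etc/nginx/nginx.conf
worker_processes auto;

# No "user" directive: it only has an effect when the master runs as root.
# The PID file moves to /tmp, which any user can write to.
pid /tmp/nginx.pid;

# Log to the container's stderr/stdout so "docker logs" captures them.
error_log /dev/stderr warn;

events {
    worker_connections 1024;
}

http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log   /dev/stdout;

    # Keep request/proxy temp files in /tmp as well.
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path       /tmp/proxy_temp;
    fastcgi_temp_path     /tmp/fastcgi_temp;
    uwsgi_temp_path       /tmp/uwsgi_temp;
    scgi_temp_path        /tmp/scgi_temp;

    server {
        # Unprivileged port: bind() succeeds without root.
        listen 8080;
        root   /usr/share/nginx/html;
    }
}
EOF

EXPOSE 8080

# Drop root for everything that runs in the container.
USER nginx
```

Clients can still reach the service on port 80 by publishing it from the host side, for example `docker run -p 80:8080 <image>`.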