
I am trying to run a container from nginx-alpine as a non-root user and am getting the error below.

[emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

Question: Do I need to add a different port inside the Dockerfile for the non-root user along with the USER instruction?


Answers


  1. From the following article,
    https://medium.com/@callback.insanity/forwarding-nginx-logs-to-docker-3bb6283a207

    1. The user nobody, which is a non-root user, does not have access to the tty group so it can write to /dev/stdout and /dev/stderr.

    2. In order for Docker logs to capture output from Nginx, you have to tell Nginx to write to /dev/stdout and /dev/stderr.

    In my nginx.conf I have:

    # nginx.conf
    error_log  stderr warn;
    access_log  /dev/stdout main;

    3. The final step is to ensure that the /proc/self/fd/0,1,2 file descriptors are accessible by the Docker container, regardless of whether you are using vanilla Docker or Docker Compose.
       For example, /dev/stdout points to file descriptor /proc/self/fd/1, which in turn points to device /dev/pts/0 or similar.
       If you don't tell Docker to allocate the pts device using the tty flag in Docker Compose or -t in Docker, then writing to /dev/stdout when running the container as non-root fails.
  2. You have the correct intuition.

    Ports in the range 1-1024 need privileged permission to be bound. As you are starting nginx as a non-root user, you cannot bind nginx to listen on port 80.

    The only way to fix this is to make Nginx listen on a non-privileged port >1024. To do this, you will need to feed in a custom nginx.conf file. This should solve your immediate problem.

    But there will be other permission issues down the line as nginx starts trying to access /var/log to write logs, /var/tmp/ for temp files, etc.

    The best option is to use the non-root nginx Docker image itself: https://hub.docker.com/r/nginxinc/nginx-unprivileged

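Putting both answers together, here is an added example (not code from either answer or from the nginx project) of a Dockerfile that adapts the stock nginx:alpine image to run as its built-in nginx user: it moves the listener to an unprivileged port, sends logs to stdout/stderr, and relocates the pid file and temp directories to writable paths before the USER switch. Port 8080 and the /tmp paths are choices made here, not requirements; the nginx user and the /etc/nginx layout are assumed to match the official image.

```dockerfile
# Added example: stock nginx:alpine made to run as the unprivileged 'nginx' user.
FROM nginx:alpine

# 1. Listen on an unprivileged port: a non-root process cannot bind 80.
#    Handles both 'listen 80;' and 'listen [::]:80;' in the default server block.
RUN sed -i -E 's/(listen[[:space:]]+(\[::\]:)?)80;/\18080;/' /etc/nginx/conf.d/default.conf

# 2. Drop the 'user' directive (only meaningful when the master runs as root),
#    move the pid file out of /var/run (not writable by the nginx user), and
#    point the logs directly at stderr/stdout so Docker captures them.
RUN sed -i -E '/^user[[:space:]]/d' /etc/nginx/nginx.conf \
 && sed -i -E 's,/(var/)?run/nginx\.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
 && sed -i 's,/var/log/nginx/error\.log,/dev/stderr,; s,/var/log/nginx/access\.log,/dev/stdout,' /etc/nginx/nginx.conf

# 3. Temp/cache directories under /tmp. These are http-context directives and are
#    picked up by the stock 'include /etc/nginx/conf.d/*.conf;' line in nginx.conf.
RUN printf '%s\n' \
      'client_body_temp_path /tmp/client_temp;' \
      'proxy_temp_path       /tmp/proxy_temp;' \
      'fastcgi_temp_path     /tmp/fastcgi_temp;' \
      'uwsgi_temp_path       /tmp/uwsgi_temp;' \
      'scgi_temp_path        /tmp/scgi_temp;' \
      > /etc/nginx/conf.d/00-unprivileged.conf

# 4. Anything the image still writes at start-up must belong to the runtime user.
RUN chown -R nginx:nginx /var/cache/nginx /etc/nginx/conf.d

USER nginx
EXPOSE 8080
```

Build with `docker build -t nginx-nonroot .` and run with `docker run --rm -p 8080:8080 nginx-nonroot`; if writes to /dev/stdout are refused as described in the first answer, add `-t` to the run command.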