
I am trying to view a portal built with Angular that uses a .NET Core backend; it runs on Docker Swarm without problems. When I try to deploy the Angular image on OpenShift, I get the following error:

[emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

First I created an nginx deployment as the root user using "nginx:1.19.6-alpine" and defined a service account (anyuid); it works fine. Then I tried to create an OpenShift deployment with the "nginxinc/nginx-unprivileged" image to run as a non-root user. I changed nginx.conf according to the "nginxinc/nginx-unprivileged" image. I defined the service account again, but it throws the "bind() to 0.0.0.0:80 failed (13: Permission denied)" error.

Port 80 is open on the container. There was no ingress. The service uses port 80 to expose the route. What could be the solution?

Here is my Dockerfile:

### STAGE 1: Build ###
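FROM node:12.18-alpine as build-env
ENV TZ=Europe/Istanbul
# Later steps reference /usr/src/app, so build from there
WORKDIR /usr/src/app

# ENV persists across layers; a variable set with RUN export is lost when that layer ends
ENV NG_CLI_ANALYTICS=false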

COPY ng/package.json ng/package-lock.json  ng/.npmrc ./
COPY ng/projects/package.json ./projects/package.json

RUN npm install && pwd && ls -ltra

COPY ./ng/ ./

RUN time node --max_old_space_size=12000 node_modules/@angular/cli/bin/ng build project --configuration production
WORKDIR /usr/src/app/dist/

COPY ng/.npmrc ./

RUN npm publish

WORKDIR /usr/src/app/

RUN time node --max_old_space_size=12000 node_modules/@angular/cli/bin/ng build portal --configuration production

### STAGE 2: Run ###

FROM nginxinc/nginx-unprivileged:1.23-alpine as runtime-env
ENV TZ=Europe/Istanbul

COPY ng/nginx.conf /etc/nginx/nginx.conf
COPY ng/nginx.template.conf /etc/nginx/nginx.template.conf
COPY --from=build-env /usr/src/app/dist/portal/ /usr/share/nginx/html/

CMD ["/bin/sh",  "-c",  "envsubst < /usr/share/nginx/html/assets/env.template.js > /usr/share/nginx/html/assets/env.js && envsubst '$API_URL' < /etc/nginx/nginx.template.conf > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'"]

nginx.conf file:



worker_processes  auto;   # nginx.conf file taken from nginxinc_nginx-unprivileged image

error_log  /var/log/nginx/error.log notice;
pid        /tmp/nginx.pid;


events {
    worker_connections  1024;
}


http {
    proxy_temp_path /tmp/proxy_temp;
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

nginx.template.conf

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        try_files $uri $uri/ /index.html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /api {
        proxy_pass ${API_URL};
        proxy_pass_request_headers on;
        #rewrite /api/(.*) /$1  break;
    }
}

I have used all service accounts on the deployment, such as nonroot, hostaccess, hostmount-anyuid, privileged, restricted and anyuid.

I also tried adding the following command to the Dockerfile:

RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
    chmod -R 770 /var/cache/nginx /var/run /var/log/nginx

I got it from here.

2 Answers


  1. Chosen as BEST ANSWER

    I have found the mistake. I had changed the port in nginx.template.conf from 80 to 8080, but OpenShift did not renew the deployment. So I recreated the deployment with the new image, and that fixed the problem.


  2. OpenShift will not run your container as root, so it cannot listen on port 80. Choose a port >1024, e.g. port 8080 instead, and it should work.

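A pre-deploy check for the failure discussed in the answers above, added here as an example and not part of the original question or answers. The hypothetical shell function `privileged_listens` scans rendered nginx configuration for `listen` ports below 1024, which a non-root container process cannot bind by default; the sample files are constructed from the question's server block.

```shell
#!/bin/sh
# Added example, not from the original post. Flags nginx `listen` directives
# on ports below 1024, which a non-root process cannot bind by default.
# Prints "file:line: port N" per finding; returns 1 if any, else 0.
privileged_listens() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                     # drop comments
        n = split(line, stmt, ";")               # directives end with ";"
        for (i = 1; i <= n; i++) {
            s = " " stmt[i]
            if (!match(s, /[ \t{}]listen[ \t]+/)) continue
            split(substr(s, RSTART + RLENGTH), f, /[ \t]+/)
            addr = f[1]
            if (addr ~ /^unix:/) continue        # unix socket, no port
            sub(/-[0-9]+$/, "", addr)            # port range: check its start
            if (addr ~ /^[0-9]+$/) port = addr   # listen 8080
            else if (addr ~ /:[0-9]+$/) {        # listen 0.0.0.0:80 or [::]:80
                port = addr; sub(/^.*:/, "", port)
            } else port = 80                     # address only: nginx uses 80
            if (port + 0 < 1024) {
                printf "%s:%d: port %d\n", FILENAME, FNR, port
                bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: the server block from the question, before and after.
demo_dir=$(mktemp -d)
printf 'server {\n    listen       80;\n    #listen 443;\n}\n' > "$demo_dir/before.conf"
printf 'server {\n    listen       8080;\n    listen [::]:8080;\n}\n' > "$demo_dir/after.conf"
privileged_listens "$demo_dir/before.conf" || echo "before.conf: would fail as non-root"
privileged_listens "$demo_dir/after.conf" && echo "after.conf: ok"
```

Run it against the file that `envsubst` writes to `/etc/nginx/conf.d/default.conf`, since that rendered file is what nginx actually loads.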