
I am trying to run an nginx image as unprivileged, and found the following command stanza required to make this happen. I am NOT concerned with running the official nginx-unprivileged image, as that would defeat the purpose of the exercise (don’t ask why…please).

Intended commands to convert from Linux terminal style to a Kubernetes YAML Pod manifest init-container section…

RUN sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf \
    && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf \
    && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
    && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
    && chown -R 101:0 /var/cache/nginx \
    && chmod -R g+w /var/cache/nginx \
    && chown -R 101:0 /etc/nginx \
    && chmod -R g+w /etc/nginx

I have tried the following using block scalars to no avail…

...
command: ["/bin/sh", "-c"]
args: 
- >
  sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf 
  && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf 
  && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf 
  && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf
  && chown -R 101:0 /var/cache/nginx 
  && chmod -R g+w /var/cache/nginx 
  && chown -R 101:0 /etc/nginx 
  && chmod -R g+w /etc/nginx
...


...
command: ["/bin/sh", "-c"]
args: 
- |
  sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf 
  && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf 
  && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf 
  && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf
  && chown -R 101:0 /var/cache/nginx 
  && chmod -R g+w /var/cache/nginx 
  && chown -R 101:0 /etc/nginx 
  && chmod -R g+w /etc/nginx
...

Also using a single line…

...
    command: ["/bin/sh"]
    args: ["-c", "sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf && chown -R 101:0 /var/cache/nginx && chmod -R g+w /var/cache/nginx && chown -R 101:0 /etc/nginx && chmod -R g+w /etc/nginx"]
...

None of these worked…the init-container never starts.

Here is another attempt…but the initContainer remains in a CrashLoopBackOff state…

apiVersion: v1
kind: Pod
metadata:
  name: securityreview
spec:
  securityContext:
    runAsUser: 101
    runAsNonRoot: True
  initContainers:
  - name: permission-fix
    image: nginx
    command:
    - /bin/sh
    - -c
    - sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf
      && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf
      && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf
      && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf
      && chown -R 101:0 /var/cache/nginx && chmod -R g+w /var/cache/nginx
      && chown -R 101:0 /etc/nginx && chmod -R g+w /etc/nginx
  containers:
  - name: webguy
    image: nginx
    securityContext:
      runAsUser: 101
      runAsGroup: 101
      allowPrivilegeEscalation: false


Answers


  1. Chosen as BEST ANSWER

    The following file will run, but user 'nginx' still lacks the permissions; also, the "&&" is not recognized by Kubernetes.

    apiVersion: v1
    kind: Pod
    metadata:
      name: securityreview
    spec:
      securityContext:
        runAsUser: 101
        runAsNonRoot: True
      containers:
      - name: webguy
        image: nginx
        command:
            - "/bin/sh"
        args:
            - "-c"
            - |
              sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf
              && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf
              && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf
              && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf
              && chown -R 101:0 /var/cache/nginx
              && chmod -R g+w /var/cache/nginx
              && chown -R 101:0 /etc/nginx
              && chmod -R g+w /etc/nginx
        securityContext:
          runAsUser: 101
          runAsGroup: 101
          allowPrivilegeEscalation: false
    

  2. I like to use the following approach to separating multiple commands in a readable way:

    command: ["/bin/sh", "-c"]
    args:
      - >
        command1 &&
        command2 &&
        ...
        commandN
    

    However, your case is more complicated, as running sed, chown and chmod commands without root privileges will result in a Permission denied error.

    You can use an init container that shares a Volume with the nginx container.
    The init container will run the sed, chown and chmod commands as root and then copy the modified files to the shared Volume, which is mounted and used by the nginx container. In this approach, you need a volume that both the init and application containers can use.
    A similar use case can be found in the Configure Pod Initialization documentation.

    I will create an example to illustrate how it works.


    As you can see in the code snippet below, I created the permission-fix init container that runs required commands and then copies modified files to the shared volume (cp -Rp /etc/nginx/* /mnt/nginx-fix/). The webguy container then mounts these files to /etc/nginx:

    $ cat nginx-unpriv.yml
    apiVersion: v1
    kind: Pod
    metadata:
      name: securityreview
    spec:
      initContainers:
      - name: permission-fix
        image: nginx
        command: ["/bin/sh", "-c"]
        args:
          - >
            sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf &&
            sed -i '/user  nginx;/d' /etc/nginx/nginx.conf &&
            sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf &&
            sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf &&
            chown -R 101:0 /var/cache/nginx &&
            chmod -R g+w /var/cache/nginx &&
            chown -R 101:0 /etc/nginx &&
            chmod -R g+w /etc/nginx &&
            cp -Rp /etc/nginx/* /mnt/nginx-fix/
        volumeMounts:
        - name: nginx-fix
          mountPath: "/mnt/nginx-fix"
      containers:
      - name: webguy
        image: nginx
        volumeMounts:
        - name: nginx-fix
          mountPath: "/etc/nginx"
        securityContext:
          runAsUser: 101
          runAsGroup: 101
          allowPrivilegeEscalation: false
      volumes:
        - name: nginx-fix
          persistentVolumeClaim:
            claimName: myclaim
    

    We can check if it works as expected:

    $ kubectl apply -f nginx-unpriv.yml
    pod/securityreview created
    
    $ kubectl get pods
    NAME             READY   STATUS    RESTARTS   AGE
    securityreview   1/1     Running   0          12s
    
    $ kubectl exec -it securityreview  -c webguy -- bash
    nginx@securityreview:/$ id
    uid=101(nginx) gid=101(nginx) groups=101(nginx)
    
    nginx@securityreview:/$ ls -l /etc/nginx
    total 44
    drwxrwxr-x 2 nginx root  4096 Jun 10 13:18 conf.d
    -rw-rw-r-- 1 nginx root  1007 May 25 12:28 fastcgi_params
    drwx------ 2 root  root 16384 Jun 10 13:18 lost+found
    -rw-rw-r-- 1 nginx root  5290 May 25 12:28 mime.types
    lrwxrwxrwx 1 nginx root    22 May 25 13:01 modules -> /usr/lib/nginx/modules
    -rw-rw-r-- 1 nginx root   826 Jun 10 13:18 nginx.conf
    -rw-rw-r-- 1 nginx root   636 May 25 12:28 scgi_params
    -rw-rw-r-- 1 nginx root   664 May 25 12:28 uwsgi_params
    

    If this response does not answer your question, please provide more details on what you want to achieve.
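As an added check that is not part of the question or either answer: the script below applies the same sed rewrites used in the question's command stanza and in the init container above to a constructed copy of nginx.conf and conf.d/default.conf in a temporary directory, then verifies each property an unprivileged nginx needs (listen on 8080, no `user` directive, pid file and temp paths under /tmp). The function names and the sample config contents are assumptions made here; the chown/chmod steps are left out because they need root and a real /etc/nginx to act on.

```shell
#!/bin/sh
# Added example (not from the question or the answers): dry-run the
# unprivileged-nginx config rewrites against a throwaway copy and verify the
# outcome before baking them into an init container. Sample configs are
# constructed below; function and directory names are our own.

set -u

# Write a minimal stand-in for /etc/nginx/nginx.conf and
# /etc/nginx/conf.d/default.conf under "$1" (constructed sample input).
make_sample_conf() {
    dir=$1
    mkdir -p "$dir/conf.d"
    cat > "$dir/nginx.conf" <<'EOF'
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
}
EOF
    cat > "$dir/conf.d/default.conf" <<'EOF'
server {
    listen       80;
    server_name  localhost;
}
EOF
}

# Apply the same edits the init container runs, against "$1" instead of
# /etc/nginx. In GNU sed the "a \" form keeps the leading spaces and "\n"
# splits the appended text into one directive per line.
rewrite_nginx_conf() {
    dir=$1
    sed -i 's,listen       80;,listen       8080;,' "$dir/conf.d/default.conf" &&
    sed -i '/user  nginx;/d' "$dir/nginx.conf" &&
    sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' "$dir/nginx.conf" &&
    sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" "$dir/nginx.conf"
}

# Check every property an unprivileged nginx needs; return 0 only if all hold.
verify_nginx_conf() {
    dir=$1
    grep -q 'listen       8080;' "$dir/conf.d/default.conf" \
        || { echo "listen not moved to 8080"; return 1; }
    if grep -q '^user ' "$dir/nginx.conf"; then
        echo "user directive still present"; return 1
    fi
    if grep -q '/var/run/nginx.pid' "$dir/nginx.conf"; then
        echo "pid file still under /var/run"; return 1
    fi
    grep -q '/tmp/nginx.pid' "$dir/nginx.conf" \
        || { echo "pid file not moved to /tmp"; return 1; }
    for d in proxy_temp_path client_body_temp_path fastcgi_temp_path uwsgi_temp_path scgi_temp_path; do
        grep -q "^    $d /tmp/" "$dir/nginx.conf" \
            || { echo "$d not set under /tmp"; return 1; }
    done
    return 0
}

# Run the whole round trip in a temp dir; returns 0 on success, 1 otherwise.
check_unprivileged_rewrite() {
    work=$(mktemp -d) || return 1
    make_sample_conf "$work"
    rewrite_nginx_conf "$work" && verify_nginx_conf "$work"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Call `check_unprivileged_rewrite` after sourcing the script; a non-zero exit plus the printed reason tells you which rewrite did not take. The `\n` handling in the `a` command relies on GNU sed, which is what the Debian-based nginx image ships; BusyBox sed on an Alpine variant does not treat that text the same way, so run the check inside the image you will actually deploy.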
