NGINX-root-nonroot-unprivileged
Hi everyone, I will show you how to run NGINX as a root and as a non-root user.
NGINX is an open-source web server. It has many uses, such as reverse proxy server for HTTP and HTTPS, load balancer, mail proxy and HTTP cache. NGINX can be installed directly on a server as well as run on Docker and Kubernetes. Let’s talk about NGINX Docker images.
How to run NGINX as the root user?
First of all, we have to choose which version of the “NGINX base image” we want to use when creating the Dockerfile for our application.
FROM nginx:1.20
Then we can define
- our configuration files that we will send to this image and,
- the working directory.
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./index.html /etc/nginx/html/index.html
WORKDIR /app
If the application needs to run on a different port, “EXPOSE” can be added; otherwise, it will run on the default port.
EXPOSE <PORT_NUMBER>
We can use the command below to run NGINX in the foreground:
CMD ["nginx", "-g", "daemon off;"]
Now let’s create this image and push it to Docker Hub.
FROM nginx:1.20
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./index.html /etc/nginx/html/index.html
WORKDIR /app
#EXPOSE <PORT_NUMBER>
CMD ["nginx", "-g", "daemon off;"]
Let’s run it with the following commands.
docker build -t cidokimi/nginx:1.20-root .
docker push cidokimi/nginx:1.20-root
docker run -it cidokimi/nginx:1.20-root bash
#docker run -p 80:80 -d cidokimi/nginx:1.20-root
Our container ran as the root user.
What if we want to run NGINX as a non-root user?
We sometimes don’t want to use the “root” user for security reasons. By default, the NGINX image uses the “root” user, but there is an “nginx” user in the same base image. So we need to specify this user with “USER” and give the non-root nginx user permissions on some files. These are:
- our configuration files that we will send to this image and,
- the working directory.
We have to change the owner and mode using these commands:
RUN chown -R nginx:nginx /app && chmod -R 755 /app && \
chown -R nginx:nginx /var/cache/nginx && \
chown -R nginx:nginx /var/log/nginx && \
chown -R nginx:nginx /etc/nginx/conf.d
RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/run/nginx.pid
To switch from the root user to the nginx user:
USER nginx
Now let’s create this image and push it to Docker Hub.
FROM nginx:1.20
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./index.html /etc/nginx/html/index.html
WORKDIR /app
RUN chown -R nginx:nginx /app && chmod -R 755 /app && \
chown -R nginx:nginx /var/cache/nginx && \
chown -R nginx:nginx /var/log/nginx && \
chown -R nginx:nginx /etc/nginx/conf.d
RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/run/nginx.pid
USER nginx
#EXPOSE <PORT_NUMBER>
CMD ["nginx", "-g", "daemon off;"]
Let’s run it with the following commands.
docker build -t cidokimi/nginx:1.20-nonroot .
docker push cidokimi/nginx:1.20-nonroot
docker run -it cidokimi/nginx:1.20-nonroot bash
#docker run -p 80:80 -d cidokimi/nginx:1.20-nonroot
Our container ran as the non-root nginx user. We can use these images in Kubernetes environments.
What if we want to run NGINX as a non-root user on OpenShift?
We have to use a different base image when running as a non-root user on OpenShift, because otherwise you may get permission errors.
First of all, we have to choose which version of the “NGINX unprivileged base image” we want to use when creating the Dockerfile for our application. With this image, the default NGINX listen port is 8080 instead of 80.
FROM nginxinc/nginx-unprivileged:1.20
Then we can define
- our configuration files that we will send to this image and,
- the working directory.
COPY ./nginx.conf /etc/nginx/nginx.conf
RUN rm -rf /etc/nginx/html/*
COPY ./html /etc/nginx/html
WORKDIR /app
We don’t need to change the owner or mode of the configuration and log folders, because this image is already configured for the “nginx” user.
Now let’s create this image and push it to Docker Hub.
FROM nginxinc/nginx-unprivileged:1.20
#COPY ./nginx.conf /etc/nginx/nginx.conf
#RUN rm -rf /etc/nginx/html/*
#COPY ./html /etc/nginx/html
#WORKDIR /app
#EXPOSE <PORT_NUMBER>
CMD ["nginx", "-g", "daemon off;"]
Let’s run it with the following commands.
docker build -t cidokimi/nginx:1.20-unprivileged-nonroot .
docker push cidokimi/nginx:1.20-unprivileged-nonroot
docker run -it cidokimi/nginx:1.20-unprivileged-nonroot bash
#docker run -p 8080:8080 -d cidokimi/nginx:1.20-unprivileged-nonroot
Our container ran as the non-root nginx user. We can use these images in OpenShift Kubernetes environments.
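What separates the three Dockerfiles above is which user the final image runs as: an explicit USER line, or whatever the base image sets. The script below is an added example, not part of the original post, that reports this for a Dockerfile before it is built. The function name effective_user and the shortened sample Dockerfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify the user that the final
# stage of a Dockerfile runs as. Output is one of:
#   root               explicit USER root or USER 0
#   named:<user>       non-root by name (e.g. USER nginx)
#   numeric:<uid>      non-root by numeric UID
#   inherited:<image>  no USER instruction, so the base image decides
effective_user() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { kw = toupper($1) }
        kw == "FROM" {                           # a new stage resets USER
            for (i = 2; i <= NF && $i ~ /^--/; i++) ;   # skip --platform=...
            base = $i; user = ""
        }
        kw == "USER" { user = $2 }
        END {
            sub(/:.*/, "", user)                 # drop an optional :group
            if (user == "")                         print "inherited:" base
            else if (user == "root" || user == "0") print "root"
            else if (user ~ /^[0-9]+$/)             print "numeric:" user
            else                                    print "named:" user
        }
    ' "$1"
}

# Constructed sample input: shortened versions of the three Dockerfiles above.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'FROM nginx:1.20' 'WORKDIR /app' \
    'CMD ["nginx", "-g", "daemon off;"]' > "$tmp/root"
printf '%s\n' 'FROM nginx:1.20' 'WORKDIR /app' 'USER nginx' \
    '#USER root' 'CMD ["nginx", "-g", "daemon off;"]' > "$tmp/nonroot"
printf '%s\n' 'FROM nginxinc/nginx-unprivileged:1.20' \
    '#WORKDIR /app' 'CMD ["nginx", "-g", "daemon off;"]' > "$tmp/unprivileged"

for f in root nonroot unprivileged; do
    printf '%-13s %s\n' "$f" "$(effective_user "$tmp/$f")"
done
```

An inherited: result means the Dockerfile alone does not tell you the runtime user; you have to know the base image, which is root for nginx:1.20 as described above. A named: result also matters on Kubernetes: with runAsNonRoot: true the kubelet rejects an image whose USER is a name rather than a numeric UID, because it cannot verify that the name is not root.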