Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dockerfile: use unprivileged nginx #1657

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

cfelder
Copy link
Contributor

@cfelder cfelder commented Nov 12, 2024

This allows running this container w/ arbitrary uid support

Description

Short description of the pull request

Motivation

running SciCat in an OpenShift environment w/ arbitrary uids

Fixes:

  • nginx unprivileged

Changes:

  • unprivileged port 8080

Summary by Sourcery

Use the unprivileged nginx image to support running the container with arbitrary user IDs, and update the exposed port to 8080.

Build:

  • Switch to using the nginxinc/nginx-unprivileged base image in the Dockerfile.

CI:

  • Update the docker-compose configuration to expose port 8080 instead of 80.

Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @cfelder - I've reviewed your changes - here's some feedback:

Overall Comments:

  • Could you explain how the default nginx configuration from nginx-unprivileged meets your application's needs? The removal of the custom nginx.conf might affect routing or other specific settings.
Here's what I looked at during the review
  • 🟢 General issues: all looks good
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@bpedersen2 bpedersen2 self-requested a review November 12, 2024 16:22
@bpedersen2
Copy link
Contributor

the e2e tests require the nginx.conf file, don't delete it

Copy link
Contributor

@bpedersen2 bpedersen2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the e2e tests require the nginx.conf file, don't delete it

@@ -8,8 +8,6 @@ RUN npm ci
COPY . /frontend/
RUN npx ng build

FROM nginx:1.25-alpine
RUN rm -rf /usr/share/nginx/html/*
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this cleanup line should probably also stay

@bpedersen2
Copy link
Contributor

The mapping change in docker-compose was correct. But preserve the nginx.conf file and the cleanups in the docker file.

Note that this Dockerfile not meant for direct production use, as it contains lots of default passwords.

@cfelder cfelder force-pushed the unpriviliged branch 2 times, most recently from 7d3902e to ef7cffa Compare November 15, 2024 14:11
Copy link
Contributor

@bpedersen2 bpedersen2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You missed the correct e2e docker compose file:
github uses CI/ESS/e2e/docker-compose.e2e.yaml

note the ESS in path.

Corresponding changes for the backend tests are probably needed.

@bpedersen2
Copy link
Contributor

needs a rebase to get the restructred e2e tests ( the docker composefiel touched is then correct

@bpedersen2 bpedersen2 self-requested a review December 27, 2024 11:53
Copy link
Contributor

@bpedersen2 bpedersen2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be finalized in of sciat online meeting .

( i added this review to block merging until then, otherwise the code changes are OK for me.)

@bpedersen2
Copy link
Contributor

I added a few more reviewers, as this also requires all downstream consumers of the image to adjust the port mapping.

Probably needs updates in the docs and in scicatlive.

BE e2e tests should work automatically, as the frontend container only exposes one port, so that traefik will pick it up correctly (https://doc.traefik.io/traefik/providers/docker/#port-detection).

@bpedersen2
Copy link
Contributor

Probably needs updates in the docs and in scicatlive.

Scicatlive is also fine as it also uses traefik

cfelder and others added 2 commits January 6, 2025 20:27
This allows running this container w/ arbitrary uid support
Change-Id: Ia245afd6a832889bd057ae3e6755f30910f96edf
Change-Id: I5f4e45ab694e7aa8fdefaf66911b49e74deb1403
@@ -8,8 +8,10 @@ RUN npm ci
COPY . /frontend/
RUN npx ng build

FROM nginx:1.25-alpine
FROM nginxinc/nginx-unprivileged
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we pin to a version here? nginxinc/nginx-unprivileged:1.27?

COPY scripts/nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
USER 101
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested in both podman and docker, both give the warning:

nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:5

This is because the nginx.conf file we mount in adds user nginx;. Is there a particular reason this USER 101 was added here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants