Replies: 5 comments
-
Did you explicitly change ownership of the SSL directory to the
$ namei -mov /var/cache/nginx
f: /var/cache/nginx
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root cache
drwxrwxr-x nginx root nginx
You might want to extend the Docker image and do something similar to https://github.com/nginxinc/docker-nginx-unprivileged/blob/main/mainline/debian/Dockerfile#L112-L121 to ensure the directories you are trying to use are usable by the non-root
-
As you can see both mounted volumes (path/nginx/html and path/nginx/ssl) have uid:gid 1000:1000. Path/nginx directory has root:root. It most likely is being set by docker container because it doesn't reflect host permissions. I haven't set any users for docker container. Documentation states it is not needed anymore. Without SSL unprivileged container runs for about 2 years without any problems. No nginx user set in host.
Do you mean within docker container mounted volumes owner should be nginx:root? My setup set it to 1000:1000. Docker config;
-
The I know some environments will assign an arbitrary UID that replaces the default value (e.g. OpenShift), so maybe that's related to your issue? It could also be an issue with the certs and not the directory, in which case this thread seems like it might be able to help https://serverfault.com/a/1115048.
-
I cannot execute "ps aux | grep nginx" within container because command ps is unknown (as are top and htop). So I don't know how to verify. I use docker by the way. I've been playing with permissions. When setting all certificates to 444 on host and directory to 555 nginx container starts. Does it mean I need to create user 'nginx' in host?
-
Right, what I meant with environments was host environments. Some Docker implementation details do change depending on where you are running Docker from. There are a few threads out there that you might want to check such as this one https://stackoverflow.com/questions/69596606/ssl-certificate-fails-to-load-with-nginx-in-docker -- like I said, you probably need to change the permissions of the SSL certs. Looks like extending the Docker image, copying the certs, and doing something similar to what I shared in my initial reply is the way to go. Mounting a volume is going to cause a permissions mismatch for just about anything that's not read-only (on this image).
-
Somehow I can't get this docker container working with SSL certificates. In container CLI I can list according PEM-files with UID:GID 1000:1000. So mounting folder is working. Permissions of mounted certificates and HTML-directory are the same.
Docker Container CLI output;
As you can see shared parent permissions;
Host CLI output;
Logs keep throwing these errors no matter what I try;
Ignore the warning for now. I don't get why it states a permission problem while permissions of both root folder and ssl folder are the same. I would expect when permissions are not okay container can't serve HTML-root as well. That's not the case. What's going on?
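The per-component mode walk that `namei -mov` prints in the first reply, as an added example that is not part of any post in this thread or of the nginx image: it reports the first path component a given UID cannot pass. The function name, the `root` parameter and the temporary tree are constructed for illustration, and only owner/group/other bits are evaluated.

```python
import os
import stat
import tempfile

def first_denied(path, uid, gids=(), root=os.sep):
    """Return (component, missing_bits) for the first path component from
    `root` down that `uid` cannot pass, or None if `path` is readable.
    Classic owner/group/other mode bits only: no ACLs, no capabilities,
    no SELinux/AppArmor, and uid 0 is not special-cased."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    chain = [root]
    for name in os.path.relpath(path, root).split(os.sep):
        if name != ".":
            chain.append(os.path.join(chain[-1], name))
    for i, comp in enumerate(chain):
        st = os.stat(comp)
        if i < len(chain) - 1:
            need = 0o1                      # search (x) on a parent directory
        elif stat.S_ISDIR(st.st_mode):
            need = 0o5                      # list (r-x) the final directory
        else:
            need = 0o4                      # read (r) the final file
        if uid == st.st_uid:
            bits = st.st_mode >> 6          # owner class applies
        elif st.st_gid in gids:
            bits = st.st_mode >> 3          # group class applies
        else:
            bits = st.st_mode               # other class applies
        if (bits & need) != need:
            return comp, oct(need & ~bits)
    return None

def demo():
    """Constructed tree: ssl/ (0750) holding cert.pem (0640), owned by us."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o755)
    ssl = os.path.join(top, "ssl")
    pem = os.path.join(ssl, "cert.pem")
    os.mkdir(ssl)
    open(pem, "w").close()
    os.chmod(pem, 0o640)
    os.chmod(ssl, 0o750)
    owner = os.stat(pem).st_uid
    other = owner + 1                       # stands in for the container's UID
    before = first_denied(pem, other, root=top)
    os.chmod(pem, 0o444)                    # the modes the poster reports working
    os.chmod(ssl, 0o555)
    after = first_denied(pem, other, root=top)
    return before, after, first_denied(pem, owner, root=top)
```

Inside a container, call it with the default `root` and the UID and GIDs the nginx worker actually runs with, read from `/proc/<pid>/status` when `ps` is not installed.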