[fix:1.16.1] 解决非root用户访问权限问题
- 增加gosu功能 - 解决启用gosu后80端口无法访问问题 - 解决启用gosu后ip地址无法bind问题(非root用户) - 解决启用gosu后目录访问权限问题 - 默认配置文件增加daemon off
+22
-12
@@ -24,9 +24,9 @@ LABEL \
|
||||
|
||||
RUN set -eux; \
|
||||
groupadd -r ${APP_GROUP}; \
|
||||
useradd -r -g ${APP_GROUP} -s /usr/sbin/nologin ${APP_USER}; \
|
||||
useradd -r -g ${APP_GROUP} -s /usr/sbin/nologin -d /usr/cache/nginx ${APP_USER}; \
|
||||
\
|
||||
mkdir -p /etc/nginx /srv/conf/nginx /var/log/nginx /var/cache/nginx; \
|
||||
mkdir -p /etc/nginx /srv/conf/nginx /var/log/nginx /var/run/nginx /var/cache/nginx; \
|
||||
\
|
||||
NGINX_CONFIG=" \
|
||||
--prefix=/etc/nginx \
|
||||
@@ -86,16 +86,27 @@ RUN set -eux; \
|
||||
zlib1g-dev \
|
||||
libxml2-dev \
|
||||
libxslt-dev \
|
||||
libgd-dev \
|
||||
libc6-dev \
|
||||
libgeoip-dev \
|
||||
libterm-readkey-perl \
|
||||
"; \
|
||||
apt update; \
|
||||
apt install -y --no-install-recommends ${fetchDeps}; \
|
||||
apt-get update; \
|
||||
apt-get install -y ${fetchDeps}; \
|
||||
\
|
||||
apt install -y --no-install-recommends zlib1g; \
|
||||
apt install -y --no-install-recommends \
|
||||
zlib1g \
|
||||
libxml2 \
|
||||
libxslt1.1 \
|
||||
geoip-bin \
|
||||
geoip-database \
|
||||
libgd3 \
|
||||
libc6 \
|
||||
; \
|
||||
\
|
||||
wget -O nginx.tar.gz "http://nginx.org/download/nginx-$APP_MAJOR.tar.gz"; \
|
||||
wget -O nginx.tar.gz.asc "http://nginx.org/download/nginx-$APP_MAJOR.tar.gz.asc"; \
|
||||
wget -O nginx_signing.key "https://nginx.org/keys/nginx_signing.key"; \
|
||||
# wget -O nginx_signing.key "https://nginx.org/keys/nginx_signing.key"; \
|
||||
\
|
||||
wget -O openssl.tar.gz --no-check-certificate "https://www.openssl.org/source/old/1.1.1/openssl-${OPENSSL_VERSION}.tar.gz"; \
|
||||
wget -O openssl.tar.gz.asc --no-check-certificate "https://www.openssl.org/source/old/1.1.1/openssl-${OPENSSL_VERSION}.tar.gz.asc"; \
|
||||
@@ -140,12 +151,10 @@ RUN set -eux; \
|
||||
\
|
||||
cd /; \
|
||||
rm -rf /nginx-$APP_MAJOR; \
|
||||
ln -sf /dev/stdout /var/log/nginx/access.log; \
|
||||
ln -sf /dev/stderr /var/log/nginx/error.log; \
|
||||
ln -sf /etc/nginx/nginx.conf /srv/conf/nginx/nginx.conf; \
|
||||
chown -Rf nginx:nginx /etc/nginx /srv/conf/nginx /var/log/nginx /var/cache/nginx; \
|
||||
ln -sf /srv/conf/nginx/nginx.conf /etc/nginx/nginx.conf; \
|
||||
chown -Rf nginx:nginx /etc/nginx /srv/conf/nginx /var/log/nginx /var/run/nginx /var/cache/nginx; \
|
||||
# this 777 will be replaced by 700 or 755 at runtime (allows semi-arbitrary "--user" values)
|
||||
chmod 777 /etc/nginx /srv/conf/nginx /var/log/nginx /var/cache/nginx; \
|
||||
chmod 777 /etc/nginx /srv/conf/nginx /var/log/nginx /var/run/nginx /var/cache/nginx; \
|
||||
\
|
||||
apt purge -y --auto-remove ${fetchDeps}; \
|
||||
apt autoclean -y; \
|
||||
@@ -157,7 +166,8 @@ COPY ./nginx /etc/nginx
|
||||
|
||||
VOLUME ["/srv/www", "/srv/conf", "/srv/cert", "/var/log", "/var/run"]
|
||||
|
||||
EXPOSE 80 443
|
||||
# 解决使用gosu后,nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
|
||||
EXPOSE 8080 8443
|
||||
|
||||
STOPSIGNAL SIGTERM
|
||||
|
||||
|
||||
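Review bot: The line `useradd -r -g ${APP_GROUP} -s /usr/sbin/nologin -d /usr/cache/nginx ${APP_USER}` sets the home directory to `/usr/cache/nginx`, while every directory the same RUN step creates and chowns is `/var/cache/nginx`; if that line is the new side (its marker is not preserved on this page) it should read `-d /var/cache/nginx`, otherwise the home points at a path that never exists. `chmod 777 /etc/nginx /srv/conf/nginx …` leaves the configuration directories world-writable in the image; the comment says runtime replaces it with 700 or 755, but that only holds when the entrypoint's chmod succeeds, so a group-writable mode owned by `${APP_GROUP}` would be a narrower build-time default that still supports `--user`. If the commented-out `# wget -O nginx_signing.key …` line is the new side, the key for verifying `nginx.tar.gz.asc` is no longer fetched here; whatever checks that signature further down the RUN step (outside this hunk) needs to obtain it elsewhere. The openssl downloads keep `--no-check-certificate`, which disables the TLS check on the source tarball, so the `.asc` verification is the only integrity control left on that download.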
+5
-5
@@ -6,8 +6,8 @@
|
||||
|
||||
## 基本信息
|
||||
|
||||
* 镜像地址:endial/nginx-ubuntu:v1.16.1
|
||||
* 依赖镜像:endial/ubuntu:v18.04
|
||||
* 镜像地址:endial/nginx:v1.16.1
|
||||
* 依赖镜像:endial/ubuntu:v18.04
|
||||
|
||||
|
||||
|
||||
@@ -41,7 +41,7 @@ export DOCKER_VOLUME_BASE=</volumes/path>
|
||||
|
||||
```bash
|
||||
docker run -d --name nginx \
|
||||
-p 80:80 \
|
||||
-p 80:8080 \
|
||||
-v $DOCKER_VOLUME_BASE/srv/www:/srv/www:ro \
|
||||
-v $DOCKER_VOLUME_BASE/var/log:/var/log \
|
||||
-v $DOCKER_VOLUME_BASE/srv/conf:/srv/conf \
|
||||
@@ -53,7 +53,7 @@ docker run -d --name nginx \
|
||||
```shell
|
||||
docker run -d --name nginx \
|
||||
--user www-data \
|
||||
-p 80:80 \
|
||||
-p 80:8080 \
|
||||
-v $DOCKER_VOLUME_BASE/srv/www:/srv/www:ro \
|
||||
-v $DOCKER_VOLUME_BASE/var/log:/var/log \
|
||||
-v $DOCKER_VOLUME_BASE/srv/conf:/srv/conf \
|
||||
@@ -69,7 +69,7 @@ docker run -d --name nginx \
|
||||
|
||||
```bash
|
||||
docker run -d --name nginx \
|
||||
-p 80:80 \
|
||||
-p 80:8080 \
|
||||
--volumes-from dvc \
|
||||
endial/nginx-ubuntu:v1.16.1
|
||||
```
|
||||
|
||||
+14
-8
@@ -44,6 +44,7 @@ docker_create_user_directories() {
|
||||
LOG_I "Check directories used by ${APP_NAME}"
|
||||
mkdir -p "/var/log/${APP_NAME}"
|
||||
mkdir -p "/var/run/${APP_NAME}"
|
||||
mkdir -p "/var/cache/${APP_NAME}"
|
||||
|
||||
mkdir -p "/srv/conf/${APP_NAME}/conf.d"
|
||||
[ ! -e /srv/conf/nginx/nginx.conf ] && cp /etc/nginx/nginx.conf.default /srv/conf/nginx/nginx.conf
|
||||
@@ -52,22 +53,27 @@ docker_create_user_directories() {
|
||||
|
||||
# 允许容器使用`--user`参数启动,修改相应目录的所属用户信息
|
||||
if [ "$user_id" = '0' ]; then
|
||||
LOG_I "Chang owner of resources to: ${APP_USER}"
|
||||
LOG_I "Chang owner of resources to: ${APP_USER} by root"
|
||||
find /var/run/${APP_NAME} \! -user ${APP_USER} -exec chown ${APP_USER} '{}' +
|
||||
find /var/log/${APP_NAME} \! -user ${APP_USER} -exec chown ${APP_USER} '{}' +
|
||||
find /var/cache/${APP_NAME} \! -user ${APP_USER} -exec chown ${APP_USER} '{}' +
|
||||
find /srv/conf/${APP_NAME} \! -user ${APP_USER} -exec chown ${APP_USER} '{}' +
|
||||
find /etc/nginx \! -user ${APP_USER} -exec chown ${APP_USER} '{}' +
|
||||
elif [ ! "$user_id" = "$(id -u ${APP_USER})"]; then
|
||||
chown "$user_id" /etc/nginx /srv/conf/nginx /var/log/nginx /var/run/nginx
|
||||
# 解决使用gosu后,nginx: [emerg] open() "/dev/stdout" failed (13: Permission denied)
|
||||
chmod 0622 /dev/stdout /dev/stderr
|
||||
else
|
||||
LOG_I "Chang owner of resources to: $user_id by $user_id"
|
||||
find /var/run/${APP_NAME} \! -user ${user_id} -exec chown ${user_id} '{}' +
|
||||
find /var/log/${APP_NAME} \! -user ${user_id} -exec chown ${user_id} '{}' +
|
||||
find /var/cache/${APP_NAME} \! -user ${user_id} -exec chown ${user_id} '{}' +
|
||||
find /srv/conf/${APP_NAME} \! -user ${user_id} -exec chown ${user_id} '{}' +
|
||||
fi
|
||||
|
||||
chmod 755 /etc/nginx /srv/conf/nginx /var/log/nginx /var/run/nginx
|
||||
chmod 755 /etc/nginx /var/log/nginx /var/cache/nginx /var/run/nginx /srv/conf/nginx || :
|
||||
|
||||
}
|
||||
|
||||
# 检测可能导致容器执行后直接退出的命令,如"--help";如果存在,直接返回 0
|
||||
docker_app_want_help() {
|
||||
LOG_I "Check command type"
|
||||
local arg
|
||||
for arg; do
|
||||
case "$arg" in
|
||||
@@ -92,13 +98,13 @@ _main() {
|
||||
# 以root用户运行时,设置数据存储目录与权限;设置完成后,会使用gosu重新以"postgres"用户运行当前脚本
|
||||
docker_create_user_directories
|
||||
if [ "$(id -u)" = '0' ]; then
|
||||
LOG_I "Restart container with default user: ${APP_USER}'"
|
||||
LOG_I "Restart container with default user: ${APP_USER}"
|
||||
LOG_I ""
|
||||
exec gosu ${APP_USER} "$0" "$@"
|
||||
fi
|
||||
fi
|
||||
|
||||
LOG_I "Start application ${APP_NAME}: $@"
|
||||
LOG_I "Start container with: $@"
|
||||
|
||||
# 执行命令行
|
||||
exec "$@"
|
||||
|
||||
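Review bot: `elif [ ! "$user_id" = "$(id -u ${APP_USER})"]; then` is missing the space before the closing bracket, so `[` reports a missing `]` and the branch is never taken; if this line is on the new side it should read `elif [ ! "$user_id" = "$(id -u ${APP_USER})" ]; then`. That same branch runs `chown "$user_id" …` and `chmod 0622 /dev/stdout /dev/stderr` as the non-root `$user_id`, which normally cannot chown root-owned directories, and the chmod makes the container's log descriptors writable by every process in the container — worth confirming with an actual `--user` run whether either call succeeds and whether the 0622 is really needed once nginx logs straight to `/dev/stdout`. `chmod 755 … || :` silently discards a failure that the earlier `chown` may have just caused; logging it with `LOG_I` before the `|| :` keeps the directory state visible. The comment at the top of the `_main` hunk still says the script re-runs as "postgres", which reads as a leftover from another image and should name `${APP_USER}`. `docker_create_user_directories` begins above the first hunk, outside the view.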
@@ -1,8 +1,8 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen 8080;
|
||||
server_name localhost;
|
||||
|
||||
# charset utf-8; ## DON'T need, set in nginx.conf
|
||||
# charset utf-8; ## DO NOT need, set in nginx.conf
|
||||
access_log /var/log/nginx/default.access.log main;
|
||||
|
||||
location / {
|
||||
@@ -43,3 +43,38 @@ server {
|
||||
# deny all;
|
||||
#}
|
||||
}
|
||||
|
||||
# another virtual host using mix of IP-, name-, and port-based configuration
|
||||
#
|
||||
#server {
|
||||
# listen 8000;
|
||||
# listen somename:8080;
|
||||
# server_name somename alias another.alias;
|
||||
|
||||
# location / {
|
||||
# root html;
|
||||
# index index.html index.htm;
|
||||
# }
|
||||
#}
|
||||
|
||||
|
||||
# HTTPS server
|
||||
#
|
||||
#server {
|
||||
# listen 8443 ssl;
|
||||
# server_name localhost;
|
||||
|
||||
# ssl_certificate /srv/cert/nginx/cert.pem;
|
||||
# ssl_certificate_key /srv/cert/nginx/cert.key;
|
||||
|
||||
# ssl_session_cache shared:SSL:1m;
|
||||
# ssl_session_timeout 5m;
|
||||
|
||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
# ssl_prefer_server_ciphers on;
|
||||
|
||||
# location / {
|
||||
# root html;
|
||||
# index index.html index.htm;
|
||||
# }
|
||||
#}
|
||||
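Review bot: The commented HTTPS template (`#server {`, `# listen 8443 ssl;`) has no `ssl_protocols` line, so anyone uncommenting it inherits nginx's built-in default, which on the 1.16 line still includes TLSv1 and TLSv1.1; adding `# ssl_protocols TLSv1.2 TLSv1.3;` beside `# ssl_prefer_server_ciphers on;` keeps the template safe to enable as written. The `listen 8080;` change matches the `EXPOSE 8080 8443` in the Dockerfile section and the `-p 80:8080` mappings in the README.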
@@ -2,7 +2,9 @@
|
||||
|
||||
# 针对Docker镜像使用,请不要修改为其他用户
|
||||
user nginx;
|
||||
group nginx;
|
||||
|
||||
# 关闭后台模式,防止默认设置为后台模式时导致容器直接退出
|
||||
daemon off;
|
||||
|
||||
# Set number of worker processes automatically based on number of CPU cores.
|
||||
worker_processes auto;
|
||||
@@ -11,12 +13,14 @@ worker_processes auto;
|
||||
pcre_jit on;
|
||||
|
||||
# Configures default error logger.
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
# error_log /var/log/nginx/error.log warn;
|
||||
#error_log /dev/stdout warn;
|
||||
|
||||
# Includes files with directives to load dynamic modules.
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
pid /var/run/nginx.pid;
|
||||
# 设置PID文件路径为对应的子目录
|
||||
pid /var/run/nginx/nginx.pid;
|
||||
|
||||
worker_rlimit_nofile 32767;
|
||||
|
||||
@@ -103,11 +107,14 @@ http {
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
# Sets the path, format, and configuration for a buffered log write.
|
||||
access_log /var/log/nginx/access.log main;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
|
||||
#access_log off;
|
||||
#error_log /dev/null;
|
||||
# access_log /var/log/nginx/access.log main;
|
||||
# error_log /var/log/nginx/error.log warn;
|
||||
access_log /dev/stdout main;
|
||||
error_log /dev/stdout warn;
|
||||
|
||||
# Turn off log output
|
||||
# access_log /dev/null;
|
||||
# error_log /dev/null;
|
||||
|
||||
# Includes virtual hosts configs.
|
||||
include /srv/conf/nginx/conf.d/*.conf;
|
||||
|
||||
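Review bot: `group nginx;` is not an nginx directive — the core module only has `user user [group];` — so if that line is on the new side (markers are not preserved here) `nginx -t` fails with an unknown-directive error, and the intended form is `user nginx nginx;` on one line. With the main-context `error_log` commented out (`# error_log /var/log/nginx/error.log warn;`) and only the `http`-level `error_log /dev/stdout warn;` kept, messages emitted outside the `http` block (startup failures before it is parsed, main-level emerg errors) go to the compiled-in default error log rather than the container's output; keeping a main-context `error_log /dev/stderr warn;` avoids losing exactly the errors that explain a failed start. Routing `error_log` to `/dev/stdout` also interleaves it with the access log on one stream, whereas the Dockerfile section's `ln -sf /dev/stderr /var/log/nginx/error.log` used stderr for errors.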