Dockerfiles for OpenShift?

[fabriziofiorucci]

Hello,

all Dockerfiles work fine with k8s but with OpenShift there is some issue on a permission denied when the agent starts, as it can't write anything in /etc/controller-agent.
The dir is owned by root:root and openshift forces everything to run as non-root. Do we have some updated Dockerfile that can be used to build NGINX+agent for OpenShift as well?

[1996sajal]

@brianehlert having unprivileged user dockerfiles which seems to be incomplete right now, might solve this issue?
cc: @framer777

[framer777]

I gonna do another cycle on non-root changes (#51) in order to complete the work.

[1996sajal]

@framer777 thanks.

[fabriziofiorucci]

I gonna do another cycle on non-root changes (#51) in order to complete the work.

Hi, I'm sorry to push, is there an ETA for the unprivileged Dockerfile to be available?
Thanks

[fabriziofiorucci]

Additionally, after manually patching the exposed nginx port, I'm getting:

starting nginx ...
waiting for nginx workers ...
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
updating /etc/controller-agent/agent.conf ...

---> using api_key = xxx
---> using controller api url = https://FQDN:8443/1.4/
---> using instance_name = nginx-agent-5cb6df74d7-nd49x
---> using instance group = nginx-openshift
starting controller-agent ...
time="Jul 29 2021 10:13:00.867" level="info" msg="Starting Nginx Controller (Go) Agent. Version: 3.18.1-316464192.release-3-18..." feature="main"
time="Jul 29 2021 10:13:00.874" level="info" msg="Discovered nginxs" count="1" feature="main"
time="Jul 29 2021 10:13:00.975" level="fatal" msg="listen tcp 0.0.0.0:514: bind: permission denied" feature="main"
waiting for nginx to stop...
controller-agent process has stopped, exiting

is there a way to override port 514? Changing /etc/nginx-controller/agent.conf to set:

[listener_syslog-default]
address =

to something like 0.0.0.0:10514

doesn't seem to work.

Any clue here?

Thank you!

[framer777]

I gonna do another cycle on non-root changes (#51) in order to complete the work.

Hi, I'm sorry to push, is there an ETA for the unprivileged Dockerfile to be available?
Thanks

Will try to resolve it within the next two days.

[fabriziofiorucci]

Hi, is there any update on this? Thank you.

[framer777]

@fabriziofiorucci I was able to wrap up all changes in #51
Sorry for the delay, took more than expected.

is there a way to override port 514?

yes, please refer to the updated README in the PR:
https://github.com/nginxinc/docker-nginx-controller/blob/55f04f3687c1edbe620d25e8ea3a93a2dd6ff396/README.md#52-new-build-arguments

The example Dockerfile is provided as well.

[fabriziofiorucci]

Thank you! Would it be possible to get the diff for the unprivileged nap-enabled version as well?

[framer777]

sure @fabriziofiorucci, I'll add nap-enabled diff soon.

[fabriziofiorucci]

sure @fabriziofiorucci, I'll add nap-enabled diff soon.

thank you!

[framer777]

@fabriziofiorucci, here are the examples of unprivileged files (Dockerfile & entrypoint.sh):
https://github.com/nginxinc/docker-nginx-controller/blob/e6dc7ef8bab1626302fcb24f822012c0ec478cc2/unprivileged/examples/ubuntu-nap/Dockerfile
https://github.com/nginxinc/docker-nginx-controller/blob/e6dc7ef8bab1626302fcb24f822012c0ec478cc2/unprivileged/examples/ubuntu-nap/entrypoint.sh

[RGanor]

@framer777 @brianehlert Where can i find un-privilege image based on centos/rhel for openshift?