25

I am currently running into a problem trying to set up nginx:alpine in Openshift.

My build runs just fine but I am not able to deploy with permission being denied with the following error

```
2019/01/25 06:30:54 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)

nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
```

Now I know Openshift is a bit tricky when it comes to permissions, as the container is running without root privileges and the UID is generated at runtime, which means it's not available in /etc/passwd. But the user is part of the group root. Now how this is supposed to be handled is being described here

https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html#openshift-container-platform-specific-guidelines

I even went further and made the whole /var completely accessible (777) for testing purposes but I still get the error. This is what my Dockerfile looks like

Dockerfile

```dockerfile
FROM nginx:alpine

#Configure proxy settings
ENV HTTP_PROXY=http://my.proxy:port
ENV HTTPS_PROXY=http://my.proxy:port
ENV HTTP_PROXY_AUTH=basic:*:username:password

WORKDIR /app
COPY . .

# Install node.js
RUN apk update && \
    apk add nodejs npm python make curl g++


# Build Application
RUN npm install
RUN ./node_modules/@angular/cli/bin/ng build
COPY ./dist/my-app /usr/share/nginx/html

# Configure NGINX
COPY ./openshift/nginx/nginx.conf /etc/nginx/nginx.conf
COPY ./openshift/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf

RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
    chmod -R 777 /var
RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf

EXPOSE 8080
```

It's funny that this approach just seems to affect the alpine version of nginx. nginx:latest (based on debian I think) has no issues and the way to set it up described here

https://torstenwalter.de/openshift/nginx/2017/08/04/nginx-on-openshift.html

works. (But I am having some other issues with that build, so I switched to alpine.)

Any ideas why this is still not working?

relief.melone
  • I guess that you have set up a `user` in your `docker-compose.yml` file somewhere and that is what's causing the problem, because the user is a non-root user. The nginx service needs to bind ports and has to be root for that. – thexpand Mar 26 '19 at 00:18
  • Were you able to solve the issue? All errors were removed after following the `torstenwalter.de` link, but still `nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)` remains. Though using `nginx:latest` instead of `nginx:alpine` fixed the issue – garg10may May 30 '19 at 14:11

7 Answers

18

I was using openshift, with limited permissions, so I fixed this problem by using the following nginx image (rather than nginx:latest)

```dockerfile
FROM nginxinc/nginx-unprivileged
```

quasipolynomial
  • For anyone who is running a secure nginx in Openshift without root or the ability to edit the build, an option would be to follow https://stackoverflow.com/questions/70446840/issue-nginx-emerg-mkdir-var-cache-nginx-client-temp-failed-13-permiss to set required parameters in the nginx configuration – SamwellTarly Jul 01 '22 at 18:30
8

To resolve this: I think the problem in this Dockerfile was that I used the COPY command to move my build and that did not exist. So here is my working

Dockerfile

```dockerfile
FROM nginx:alpine

LABEL maintainer="ReliefMelone"

WORKDIR /app
COPY . .

# Install node.js
RUN apk update && \
    apk add nodejs npm python make curl g++


# Build Application
RUN npm install
RUN ./node_modules/@angular/cli/bin/ng build --configuration=${BUILD_CONFIG}
RUN cp -r ./dist/. /usr/share/nginx/html

# Configure NGINX
COPY ./openshift/nginx/nginx.conf /etc/nginx/nginx.conf
COPY ./openshift/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf

RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
    chmod -R 770 /var/cache/nginx /var/run /var/log/nginx

EXPOSE 8080

CMD ["nginx", "-g", "daemon off;"]
```

Note that under the Build Application section I now do

```dockerfile
RUN cp -r ./dist/. /usr/share/nginx/html
```

instead of

```dockerfile
COPY ./dist/my-app /usr/share/nginx/html
```

The copy will not work: as I previously ran the ng build inside of the container, the dist will only exist in the container as well, so I need to execute the copy command inside of that container.

relief.melone
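An added example, not part of the answer above: a POSIX shell check that the directories touched by the `chgrp`/`chmod` step are owned by group root and grant that group `rwx`, which is what a container started with an arbitrary UID in group root needs. The function names `group_writable` and `audit_nginx_dirs` are hypothetical, and the expected GID is a parameter so the check can be exercised outside a root-owned image.

```shell
#!/bin/sh
# Added example: audit the directories nginx writes to at start-up for
# compatibility with an arbitrary runtime UID that belongs to group root.

# group_writable DIR [GID]
# Succeeds only if DIR exists, is owned by group GID (default 0, i.e. root)
# and grants that group read, write and execute.
group_writable() {
    dir=$1
    gid=${2:-0}
    [ -d "$dir" ] || return 1
    # -n prints numeric IDs; -L follows symlinks such as /var/run -> /run.
    # Field 1 is the mode string, field 4 the group ID; characters 5-7 of
    # the mode string are the group bits ("rws" means setgid plus execute).
    ls -ldnL "$dir" | awk -v want="$gid" '
        { ok = ($4 == want && substr($1, 5, 3) ~ /^rw[xs]$/) }
        END { exit !ok }'
}

# audit_nginx_dirs GID DIR...
# Reports every directory that fails the check on stderr and returns the
# number of failures (0 means every directory is usable).
audit_nginx_dirs() {
    gid=$1
    shift
    failed=0
    for d in "$@"; do
        if ! group_writable "$d" "$gid"; then
            echo "not group-writable for gid $gid: $d" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Typical use as the last build step of the image, after the chgrp/chmod line:
#   audit_nginx_dirs 0 /var/cache/nginx /var/run /var/log/nginx || exit 1
```

Failing the build on a non-zero return catches a missing `chgrp`/`chmod` before the image reaches the cluster, without resorting to mode 777.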
4

Had the same error on my nginx:alpine Dockerfile

There is already a user called nginx in the nginx:alpine image. My guess is that it's cleaner to use it to run nginx.

Here is how I resolved it:

  • Set the owner of /var/cache/nginx to nginx (user 101, group 101)
  • Create a /var/run/nginx.pid and set the owner to nginx as well
  • Copy all the files to the image using --chown=nginx:nginx

```dockerfile
FROM nginx:alpine
RUN  touch /var/run/nginx.pid && \
     chown -R nginx:nginx /var/cache/nginx /var/run/nginx.pid
USER nginx
COPY --chown=nginx:nginx my/html/files /usr/share/nginx/html
COPY --chown=nginx:nginx config/myapp/default.conf /etc/nginx/conf.d/default.conf
...
```

Ludovic C
1

If you're here because you failed to deploy an example helm chart (e.g. helm create mychart), do just like @quasipolynomial suggested, but instead change your deployment file to pull the right image.

i.e.

```yaml
containers:
    - image: nginxinc/nginx-unprivileged
```

More info on the official unprivileged image: https://github.com/nginxinc/docker-nginx-unprivileged

pixelsoccupied
1

May or may not be a step in the right direction (especially helpful for those who came here looking for general help on the [emerg] mkdir() ... failed error).

This solution counts from Building nginx from source.

It took me about seven hours to realize the solution is directly related to the prefix path set in compiling nginx.

This is where my configuration throws off nginx (as a very brief example), compiled from this nginx source:

```bash
sudo ./auto/configure \
--prefix=/usr/local/nginx \
--http-client-body-temp-path=/tmp/nginx/client-body-temp \
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
```

Without realizing it, I was setting the prefix to /usr/local/nginx but setting the client body temp path & fastcgi temp path to a directory inside /tmp/nginx.

It's basically breaking nginx's ability to access the correct files, because the temp paths are not correlated to the prefix path.

So I fixed it by (again, super simple configure as an example):

```bash
sudo ./auto/configure \
--prefix=/usr/local/nginx \
--http-client-body-temp-path=/usr/local/nginx/client_body_temp \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi_temp
```

Further simplified:

```bash
sudo ./auto/configure \
--prefix=/usr/local/nginx \
--http-client-body-temp-path=/client_body_temp \
--http-fastcgi-temp-path=/fastcgi_temp
```

Again, not guaranteed to work, but definitely a step in the right direction.

DrewPlots
0

You may change the folder using the nginx.conf file. You can read more information in the section Running nginx as a non-root user.

-3

Run the command below to fix the above issue. The anyuid security context constraint is required.

```bash
oc adm policy add-scc-to-user anyuid system:serviceaccount:<NAMESPACE>:default
```
Damodar Singh