I am trying to view a portal built with Angular that uses a .NET Core backend; it runs on Docker Swarm without problems. When I try to deploy the Angular image on OpenShift, I get the following error:

```
[emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
```

First I created an nginx deployment as the root user using "nginx:1.19.6-alpine" and defined a service account (anyuid); it works fine. Then I tried to create an OpenShift deployment with the "nginxinc/nginx-unprivileged" image to run as a non-root user. I changed nginx.conf according to the "nginxinc/nginx-unprivileged" image. I defined the service account again, but it throws the "bind() to 0.0.0.0:80 failed (13: Permission denied)" error.

Port 80 is open on the container. There is no ingress. The service uses port 80 to expose the route. What could be the solution?

Here is my Dockerfile:

```dockerfile
### STAGE 1: Build ###
FROM node:12.18-alpine as build-env
ENV TZ=Europe/Istanbul

# ENV instead of "RUN export": an export inside RUN does not persist to later layers
ENV NG_CLI_ANALYTICS=false

COPY ng/package.json ng/package-lock.json  ng/.npmrc ./
COPY ng/projects/package.json ./projects/package.json

RUN npm install && pwd && ls -ltra

COPY ./ng/ ./

RUN time node --max_old_space_size=12000 node_modules/@angular/cli/bin/ng build project --configuration production
WORKDIR /usr/src/app/dist/

COPY ng/.npmrc ./

RUN npm publish

WORKDIR /usr/src/app/

RUN time node --max_old_space_size=12000 node_modules/@angular/cli/bin/ng build portal --configuration production

### STAGE 2: Run ###

FROM nginxinc/nginx-unprivileged:1.23-alpine as runtime-env
ENV TZ=Europe/Istanbul

COPY ng/nginx.conf /etc/nginx/nginx.conf
COPY ng/nginx.template.conf /etc/nginx/nginx.template.conf
COPY --from=build-env /usr/src/app/dist/portal/ /usr/share/nginx/html/

CMD ["/bin/sh",  "-c",  "envsubst < /usr/share/nginx/html/assets/env.template.js > /usr/share/nginx/html/assets/env.js && envsubst '$API_URL' < /etc/nginx/nginx.template.conf > /etc/nginx/conf.d/default.conf && exec nginx -g 'daemon off;'"]
```

nginx.conf file:

```nginx
worker_processes  auto;   # nginx.conf file taken from nginxinc_nginx-unprivileged image

error_log  /var/log/nginx/error.log notice;
pid        /tmp/nginx.pid;


events {
    worker_connections  1024;
}


http {
    proxy_temp_path /tmp/proxy_temp;
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
```

nginx.template.conf:

```nginx
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        try_files $uri $uri/ /index.html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /api {
        proxy_pass ${API_URL};
        proxy_pass_request_headers on;
        #rewrite /api/(.*) /$1  break;
    }
}
```

I have tried all of the service accounts on the deployment, such as nonroot, hostaccess, hostmount-anyuid, privileged, restricted and anyuid.

I also tried adding the following command to the Dockerfile:

```dockerfile
RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
    chmod -R 770 /var/cache/nginx /var/run /var/log/nginx
```

I got it from here.

  • I've only worked very little with OpenShift, but I remember that I couldn't use privileged ports inside the container, i.e. ports < 1024. Try listening on unprivileged ports in Nginx. – Hans Kilian Apr 18 '23 at 13:05
  • I tried listening on port 8080 in nginx.template.conf. It's still the same. – ahmet budak Apr 18 '23 at 13:46
  • The unprivileged user cannot bind to port 80; change the port to [>1024](https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html). – masseyb Apr 19 '23 at 09:00

2 Answers

OpenShift will not run your container as root, so it cannot listen on port 80. Choose a port >1024, e.g. port 8080 instead, and it should work.

Jonas
  • When I used the "nginx:1.19.6-alpine" image, there was no problem. I could reach the page. I also tried to expose port 8080; it is still not working. – ahmet budak Apr 25 '23 at 15:43
  • @ahmetbudak can you show logs that you get error message `13: Permission denied` with port 8080? There might be multiple problems, but port 80 for nginx is known to not work on OpenShift. – Jonas Apr 25 '23 at 15:47
  • I found the mistake, thanks for the help @jonas – ahmet budak Apr 26 '23 at 08:15

I have found the mistake. I had to change the nginx.template.conf from 80 to 8080. But OpenShift did not renew the deployment. So I deployed a new image, which fixes the problem.

cconsta1
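
A pre-deploy check for the failure discussed in this thread, added here as an example and not code from any of the posters: the hypothetical `privileged_listens` function scans nginx config files for `listen` directives whose port is below 1024, which a non-root container cannot bind. It goes slightly beyond the thread by also handling `address:port`, IPv6 and UNIX-socket forms; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example: flag nginx listen directives that need a privileged port.

# Prints "file:line: port N" for every listen directive below port 1024.
# Returns 0 when every listen port is bindable by a non-root user, 1 otherwise.
privileged_listens() {
    awk '
        { sub(/#.*/, "") }                      # drop comments ("#listen 80;")
        $1 == "listen" {
            addr = $2
            sub(/;$/, "", addr)
            if (addr ~ /^unix:/) next           # UNIX socket, no TCP port
            if (addr ~ /\$/) next               # unrendered template variable
            if (addr ~ /^[0-9]+$/) {            # "listen 80;"
                port = addr
            } else if (match(addr, /:[0-9]+$/)) {   # "0.0.0.0:80", "[::]:80"
                port = substr(addr, RSTART + 1)
            } else {
                port = 80                       # address only: nginx defaults to 80
            }
            if (port + 0 < 1024) {
                printf "%s:%d: port %d\n", FILENAME, FNR, port
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed samples: the server block from the question and the corrected one.
demo_dir=$(mktemp -d)
printf 'server {\n    listen       80;\n    #listen 443 ssl;\n}\n' > "$demo_dir/before.conf"
printf 'server {\n    listen       8080;\n    listen [::]:8080;\n}\n' > "$demo_dir/after.conf"

for f in "$demo_dir/before.conf" "$demo_dir/after.conf"; do
    if privileged_listens "$f"; then
        echo "$f: OK for a non-root container"
    else
        echo "$f: bind() would fail with (13: Permission denied)"
    fi
done
```

Run it on the rendered `/etc/nginx/conf.d/default.conf` rather than the template, since that is the file nginx actually loads.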