Dockerize fails in OpenShift environment
Dockerize fails when run under an OpenShift environment. In OpenShift, every container is run with a randomly assigned User-Id that belongs to the root group. All files that are necessary to run the application also belong to the root group, but are owned by root itself. Dockerize attempts to execute a chmod operation without checking the existing permissions first. This causes any container to crash.
Edit: See the log output:
2018/01/02 12:56:58 unable to chmod temp file: chmod /app/config.json: operation not permitted
2018/01/02 12:56:58 [warn] 12#12: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2018/01/02 12:56:58 [emerg] 12#12: bind() to 0.0.0.0:80 failed (13: Permission denied)
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
I have the same issue.
Dockerize could be of great use to OpenShift users if it could check whether files already have the permissions before trying to chmod. We have files that already have 777, but it is failing due to this issue.
I created a fork, and build files are available at https://github.com/xmlking/dockerize/releases. Here is how I am using it:
xmlking/openshift-nginx:1.13.9-alpine is based on nginx:1.13.9-alpine with dockerize
FROM nginx:1.13.9-alpine
LABEL maintainer="NGINX for non-root platform: OpenShift"
RUN set -x \
    && chmod go+w /var/cache/nginx \
    && sed -i -e '/listen/!b' -e '/80;/!b' -e 's/80;/8080;/' /etc/nginx/conf.d/default.conf \
    && sed -i -e '/user/!b' -e '/nginx/!b' -e '/nginx/d' /etc/nginx/nginx.conf \
    && sed -i 's!/var/run/nginx.pid!/var/cache/nginx/nginx.pid!g' /etc/nginx/nginx.conf
ENV DOCKERIZE_VERSION v0.6.1
RUN wget https://github.com/xmlking/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
    && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
    && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
My Angular build:
### STAGE 1: Build ###
# We label our stage as 'builder'
FROM node:9 as builder
#FROM node:9-alpine as builder
COPY package.json package-lock.json ./
RUN npm set progress=false && npm config set depth 0 && npm cache clean --force
## Storing node modules on a separate layer will prevent unnecessary npm installs at each build
RUN npm i && mkdir /ng-app && cp -R ./node_modules ./ng-app
WORKDIR /ng-app
COPY . .
## Build the angular app in production mode and store the artifacts in dist folder
RUN $(npm bin)/ng build --app=default --prod -oh=media
### STAGE 2: Setup ###
FROM xmlking/openshift-nginx:1.13.9-alpine
## Copy our nginx config template
COPY .docker/nginx.conf.tmpl /etc/nginx/conf.d/nginx.conf.tmpl
## Remove default nginx website, make default.conf writable by OpenShift's user
RUN set -x \
    && rm -rf /usr/share/nginx/html/* \
    && chmod go+w /etc/nginx/conf.d/default.conf
## From 'builder' stage copy over the artifacts in dist folder to default nginx public folder
COPY --from=builder /ng-app/dist/apps/default /usr/share/nginx/html
EXPOSE 8080
#HEALTHCHECK --interval=5m --timeout=3s CMD curl --fail localhost:8080 -O /dev/null || exit 1
CMD ["dockerize", "-template", "/etc/nginx/conf.d/nginx.conf.tmpl:/etc/nginx/conf.d/default.conf", "nginx", "-g", "daemon off;"]
nginx.conf.tmpl:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen {{ default .Env.NGINX_PORT "8080"}};
    server_name {{ default .Env.NGINX_HOST "localhost"}};
    location / {
        root /usr/share/nginx/html;
        try_files $uri $uri/ /index.html =404;
        index index.html;
        gzip on;
        gzip_types text/css text/javascript application/x-javascript application/json;
    }
    location /auth/realms {
        proxy_pass {{ .Env.AUTH_BASE_URL }};
        proxy_redirect off;
    }
}
Dockerize tries to change the permissions on the destination file to match the permissions of the template. In the case where this is failing, what is the permission of the template?
Might be related to #62 as well.
https://github.com/jwilder/dockerize/blob/137d5c85b34312f136721a75a08d20eba86b194a/template.go#L164
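The check requested in this thread, as an added Go example (not dockerize's own code and not written by any participant): compare the destination's permission bits with the wanted ones and call chmod only when they differ, so a non-owner UID never hits EPERM on a file that is already correct. `syncMode` is a hypothetical helper name, and the temp file is a constructed stand-in for the rendered config.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// syncMode (hypothetical helper) makes dest's permission bits match want, but
// calls chmod only when they differ. A process running as an arbitrary UID
// that does not own dest gets EPERM from chmod(2) even if the file is group- or
// world-writable, so skipping the redundant call avoids the crash.
func syncMode(dest string, want os.FileMode) (bool, error) {
	info, err := os.Stat(dest)
	if err != nil {
		return false, err
	}
	have := info.Mode().Perm()
	if have == want.Perm() {
		return false, nil // already correct: no chmod, so no EPERM
	}
	if err := os.Chmod(dest, want.Perm()); err != nil {
		if errors.Is(err, os.ErrPermission) {
			// Report both modes and the UID so the image can be fixed at build time.
			return false, fmt.Errorf("%s has mode %v, want %v, uid %d may not change it: %w",
				dest, have, want.Perm(), os.Getuid(), err)
		}
		return false, err
	}
	return true, nil
}

func main() {
	// Constructed sample: a temp file standing in for the rendered config.
	f, err := os.CreateTemp("", "default.conf")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.Close()
	for _, mode := range []os.FileMode{0600, 0600, 0644} {
		changed, err := syncMode(f.Name(), mode)
		fmt.Printf("want=%v changed=%v err=%v\n", mode, changed, err)
	}
}
```

The caller decides whether a returned permission error is fatal; when the modes differ and the UID is not the owner, the mode has to be set in the image build instead.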