docker-nginx-http3
unlink() "/var/run/nginx.pid" failed (13: Permission denied)
I get this message in the log when the container starts:
2023-01-19 03:13:49 | 2023/01/19 00:13:49 [alert] 1#1: unlink() "/var/run/nginx.pid" failed (13: Permission denied)
Here is the config:

```yaml
proxy:
  image: macbre/nginx-http3:latest
  environment:
  user: nginx
  networks:
    - local_net_overlay
  ports:
    - target: 80
      published: 80
      protocol: tcp
      mode: host
    - target: 443
      published: 443
      protocol: tcp
      mode: host
    - target: 443
      published: 443
      protocol: udp
      mode: host
  volumes:
    - ./certs:/etc/nginx/certs:ro
    - ./config/docker/nginx/config:/etc/nginx/config:ro
    - ./config/docker/nginx/template:/etc/nginx/main-config:ro
  command: ['nginx', '-c', '/etc/nginx/main-config/nginx.conf', '-g', 'daemon off;']
  healthcheck:
    test:
      [
        'CMD-SHELL',
        'wget --quiet --tries=1 --spider http://localhost/health-check --no-check-certificate || exit 1',
      ]
```
Can you provide the nginx config files that you use as well?
Please also note that the latest version of the nginx image from this repository is running using a non-root user.
As you can see, I use the nginx user role in the config of the nginx service in docker-compose.
```nginx
include /etc/nginx/config/system/processes.conf;

events {
    include /etc/nginx/config/system/connections.conf;
}

http {
    root /var/www;

    include /etc/nginx/config/system/http.conf;
    include /etc/nginx/config/enable/access_logs.conf;
    include /etc/nginx/config/system/mime_types.conf;
    include /etc/nginx/config/enable/error_logs.conf;
    include /etc/nginx/config/upstreams/docker-resolver.conf;
    include /etc/nginx/config/maps/upstreams.conf;

    map $https $proto {
        "on"    "https";
        default "http";
    }

    upstream web_app_upstream {
        least_conn;
        keepalive 5;
        server 10.0.1.5:3000;
    }

    upstream web_service_upstream {
        least_conn;
        keepalive 5;
        server 10.0.1.8:3000;
    }

    server {
        listen 80;
        server_name localhost;
        access_log /dev/stdout json_analytics;

        include /etc/nginx/config/limits/methods.conf;
        include /etc/nginx/config/locations/health-check.conf;

        location / {
            return 301 https://$server_name$request_uri;
        }

        location = /robots.txt {
            etag on;
            root /var/www;
            add_header Cache-Control "public";
            include /etc/nginx/config/disable/access_logs.conf;
        }
    }

    geo $geo {
        default        index.global.html;
        192.168.1.0/24 index.internal.html;
        172.19.0.0/24  index.internal.html; # providers network
    }

    server {
        listen 443 http3 reuseport default_server;
        listen 443 ssl http2;
        server_name localhost;
        root /var/www;
        set $domain 'localhost';
        access_log /dev/stdout json_analytics;

        include /etc/nginx/config/enable/ssl_dev.conf;
        include /etc/nginx/config/system/security.conf;
        include /etc/nginx/config/limits/methods.conf;
        include /etc/nginx/config/enable/error_logs.conf;
        include /etc/nginx/config/locations/errors.conf;
        include /etc/nginx/config/locations/static_dev.conf;

        location / {
            index $geo;
        }

        location = /index-global.html {
            internal;
        }

        location = /index-internal.html {
            internal;
        }
    }

    server {
        listen 443 http3;
        listen 443 ssl http2;
        server_name web_app.localhost;
        root /var/www/web_app;
        access_log /dev/stdout json_analytics;
        set $domain 'web_app.localhost';
        set $local 'host.docker.internal';
        chunked_transfer_encoding on;

        include /etc/nginx/config/system/errors.conf;
        include /etc/nginx/config/system/security.conf;
        include /etc/nginx/config/enable/ssl_dev.conf;
        include /etc/nginx/config/limits/methods.conf;
        include /etc/nginx/config/enable/error_logs.conf;
        include /etc/nginx/config/limits/open_files_cache.conf;
        include /etc/nginx/config/locations/static_dev.conf;

        location /status {
            return 404;
        }

        location /metrics {
            return 404;
        }

        location /api/ {
            limit_except POST {
                deny all;
            }
            proxy_intercept_errors off;
            proxy_pass http://web_service_upstream/;
            set $x_request_id $http_x_request_id;
            include /etc/nginx/config/upstreams/proxy.conf;
            include /etc/nginx/config/enable/brotli.conf;
            include /etc/nginx/config/enable/gzip.conf;
            include /etc/nginx/config/upstreams/security.conf;
            add_header cache-control "no-cache, proxy-revalidate";
            add_header vary "Sec-Fetch-Site, Sec-Fetch-Mode";
        }

        location /log {
            limit_except POST {
                deny all;
            }
            client_max_body_size 150K;
            client_body_buffer_size 10k;
            proxy_intercept_errors off;
            proxy_pass http://web_app_upstream;
            set $x_request_id $http_x_request_id;
            set $x_client_session_id $http_x_client_session_id;
            include /etc/nginx/config/upstreams/proxy.conf;
            include /etc/nginx/config/upstreams/security.conf;
            add_header cache-control "no-cache, proxy-revalidate";
        }

        location /client-metrics {
            limit_except POST {
                deny all;
            }
            client_max_body_size 150K;
            client_body_buffer_size 10k;
            proxy_intercept_errors off;
            proxy_pass http://web_app_upstream;
            set $x_request_id $http_x_request_id;
            set $x_client_session_id $http_x_client_session_id;
            include /etc/nginx/config/upstreams/proxy.conf;
            include /etc/nginx/config/upstreams/security.conf;
            add_header cache-control "no-cache, proxy-revalidate";
        }

        location /csp-report {
            limit_except POST {
                deny all;
            }
            client_max_body_size 3k;
            proxy_intercept_errors off;
            proxy_pass http://web_app_upstream;
            include /etc/nginx/config/upstreams/proxy.conf;
            include /etc/nginx/config/upstreams/security.conf;
            add_header cache-control "no-cache, proxy-revalidate";
        }

        location /download {
            limit_except GET {
                deny all;
            }
            proxy_pass http://web_app_upstream;
            include /etc/nginx/config/upstreams/proxy.conf;
            include /etc/nginx/config/upstreams/security.conf;
            add_header cache-control "no-cache, proxy-revalidate";
        }

        location /files {
            root /var/upload;
            add_header Content-type application/octet-stream;
            internal;
        }

        location /upload {
            limit_except POST {
                deny all;
            }
            proxy_pass http://web_app_upstream;
            set $x_request_id $http_x_request_id;
            set $x_client_session_id $http_x_client_session_id;
            include /etc/nginx/config/enable/uploads.conf;
            include /etc/nginx/config/upstreams/proxy.conf;
            include /etc/nginx/config/upstreams/security.conf;
            add_header cache-control "no-cache, proxy-revalidate";
        }

        location / {
            limit_except GET {
                deny all;
            }
            proxy_pass http://web_app_upstream;
            set $x_request_id $http_x_request_id;
            set $x_client_session_id $http_x_client_session_id;
            add_header cache-control "no-cache, proxy-revalidate";
            include /etc/nginx/config/upstreams/proxy.conf;
            include /etc/nginx/config/system/security.conf;
            proxy_intercept_errors on;
            include /etc/nginx/config/locations/errors.conf;
        }
    }
}
```
I assumed this is some kind of permission error caused by deleting and recreating the file, thus losing the owner set by chown in the Dockerfile. I tried to circumvent this by placing the files in a non-root subdirectory.

I changed the pid and lock paths in the configure arguments:

```sh
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/run/nginx/nginx.lock \
```

created the directory before building:

```dockerfile
RUN \
  echo "Building nginx ..." \
  && mkdir -p /var/run/nginx/ \

COPY --from=base /var/run/nginx/ /var/run/nginx/
```

...and changed the permissions at the end:

```dockerfile
RUN \
  chown -R --verbose nginx:nginx \
  /var/run/nginx/
```

The build runs successfully, but the container crashes with a new:

```
[emerg] 1#1: open() "/var/run/nginx.pid" failed (13: Permission denied)
```

It seems the paths set in the configure arguments don't get applied for some reason. Maybe the cause for this is also linked to the unlink() error?
Turns out, in a big brain move, I forgot to change the pid config in the nginx.conf, which caused the crash.
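The thread above turns on one detail: nginx takes the pid path from the `pid` directive in the nginx.conf it actually loads, and only falls back to the compile-time `--pid-path` when the conf has none, so rebuilding with a new `--pid-path` changes nothing while the conf still says `pid /var/run/nginx.pid;`. Both the `unlink()` and the `open()` errors are the non-root nginx user lacking write permission on the pid file's directory (`/var/run`), since nginx removes and recreates the file rather than just writing into it. The following POSIX shell script is an added example, not part of the macbre/nginx-http3 image or this issue; the function names (`effective_pid_path`, `pid_path_writable`, `check_nginx_pid`) are my own, and the compile-time default is assumed to be passed in by hand (it is what `nginx -V 2>&1` reports as `--pid-path`). It resolves the effective pid path from a conf and checks that the current user can write to its directory, which is the check I would run inside the container (as the nginx user) before going back to the Dockerfile.

```shell
#!/bin/sh
# Added example (not from the macbre/nginx-http3 project): verify that the pid path
# nginx will really use is writable by the user the container runs as.

# Print the effective pid path for a config file.
#   $1 = path to nginx.conf
#   $2 = compile-time default (the --pid-path shown by `nginx -V 2>&1`)
# The last uncommented `pid <path>;` directive in the conf wins; without one, the
# compile-time default applies. Commented-out lines (`# pid ...`) are ignored.
effective_pid_path() {
  conf="$1"
  default="$2"
  found=$(sed -n 's/^[[:space:]]*pid[[:space:]][[:space:]]*\([^;]*\);.*$/\1/p' "$conf" | tail -n 1)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
  else
    printf '%s\n' "$default"
  fi
}

# Return 0 if the current user can create and unlink a file at that path, 1 otherwise.
# nginx unlink()s and then open()s the pid file, so it needs write permission on the
# *directory*; ownership of an existing pid file alone is not enough.
pid_path_writable() {
  dir=$(dirname "$1")
  [ -d "$dir" ] && [ -w "$dir" ]
}

# Report the effective pid path and whether this user can use it.
# Returns 0 when everything is fine, 1 when nginx would fail at startup.
check_nginx_pid() {
  p=$(effective_pid_path "$1" "$2")
  if pid_path_writable "$p"; then
    echo "OK: pid file $p is usable by $(id -un)"
    return 0
  fi
  echo "FAIL: $(dirname "$p") is not writable by $(id -un); fix the 'pid' directive in $1 or the directory owner" >&2
  return 1
}

# Stand-alone usage: sh pid_check.sh /etc/nginx/main-config/nginx.conf /var/run/nginx.pid
if [ "$#" -eq 2 ]; then
  check_nginx_pid "$1" "$2"
fi
```

Run it as the same user the container starts with (`docker compose exec proxy sh pid_check.sh <conf> <default>`); a `FAIL` with `/var/run` in the message is the situation from this thread, and the fix is either a `pid` directive pointing into a directory the nginx user owns, or chowning that directory in the Dockerfile, but it has to be the directory the loaded conf names.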