docker-nginx-fpm-alpine
Feature Request: Offer simple way to disable IPv6
Thanks for your work to provide this great docker.
I would like to propose to add a feature that would allow users to simply disable IPv6 while running docker as read-only (like you recommend in your README) by passing an argument like:
docker run -d --restart="always" --read-only -e DISABLE_IPv6=true -p 8080:8080 -v $PWD/privatebin-data:/srv/data privatebin/nginx-fpm-alpine
We could imagine modifying the Dockerfile like:
FROM alpine:3.16.2
ARG ALPINE_PACKAGES="php8-pdo_mysql php8-pdo_pgsql php8-openssl"
ARG COMPOSER_PACKAGES=google/cloud-storage
ARG PBURL=https://github.com/PrivateBin/PrivateBin/
ARG RELEASE=1.4.0
ARG DISABLE_IPv6=false
ARG UID=65534
ARG GID=82
RUN \
...
if [ "$DISABLE_IPv6" = "true" ]; then sed -i 's/listen \[::\]:8080 default_server;/# listen \[::\]:8080 default_server;/' /etc/nginx/http.d/site.conf; fi;
...
What is your opinion on this proposal? Is this a feature you can consider?
The ARG parameters are resolved at docker build time, so the image would need to be re-built for either case to work.
What issue do you encounter when the container attempts grabbing an IPv6 socket? Does this cause an issue starting up, if IPv6 is disabled (non-default) in your host's Linux kernel?
For now, you would need to attach your customized /etc/nginx/http.d/site.conf as volume into the read-only container.
Yes, I have explicitly disabled the IPv6 stack at boot. So, the container runs, but I get an error from nginx due to the config.
For the moment, I attach my custom site.conf without IPv6. But I would have preferred to be able to patch the config without having to copy, modify and attach a file from my host. A "simpler" solution for a lazy guy will be amazing.
@elrido
2023/05/03 20:33:15 [emerg] 133#133: socket() [::]:8080 failed (97: Address family not supported by protocol)
nginx: [emerg] socket() [::]:8080 failed (97: Address family not supported by protocol)
[03-May-2023 20:33:16] NOTICE: Terminating ...
[03-May-2023 20:33:16] NOTICE: exiting, bye-bye!
@klamas1 That means you have a (Linux) kernel with the IPv6 stack disabled or explicitly compiled without any ipv6 stack. You can solve the problem in the same way as outlined above, by attaching your custom site.conf with the "listen [::]:8080" line commented out.
As explained in other issues, the runtime environment variable based changes only work if the root filesystem isn't mounted read-only and we want to support that usage.
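Added example, not part of the original thread or the project's own code: a small script that produces the IPv4-only site.conf described above by commenting out active IPv6 listen directives, so the result can be mounted over /etc/nginx/http.d/site.conf in the read-only container. The script name ipv4-only.sh, the function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): derive an IPv4-only nginx site.conf.
#
# Usage sketch; ipv4-only.sh is a hypothetical file name, and fetching the
# default config this way assumes the image ships `cat`:
#   docker run --rm --entrypoint cat privatebin/nginx-fpm-alpine \
#       /etc/nginx/http.d/site.conf > site.conf.orig
#   sh ipv4-only.sh site.conf.orig site.conf
#   docker run -d --restart="always" --read-only -p 8080:8080 \
#       -v "$PWD/site.conf:/etc/nginx/http.d/site.conf:ro" \
#       -v "$PWD/privatebin-data:/srv/data" privatebin/nginx-fpm-alpine

# Active (uncommented) IPv6 listen directive, e.g.
# "listen [::]:8080 default_server;". The brackets are escaped so that
# "[::]" is not parsed as a regex bracket expression.
IPV6_LISTEN_RE='^[[:space:]]*listen[[:space:]]+\[::\]:[0-9]+[^;]*;'

# Read a config on stdin and write it to stdout with every active IPv6
# listen directive commented out. Lines that are already commented do not
# match, so running the filter twice gives the same output.
ipv4_only_conf() {
    sed -E 's/^([[:space:]]*)(listen[[:space:]]+\[::\]:[0-9]+[^;]*;)/\1# \2/'
}

# Print how many active IPv6 listen directives the file "$1" contains.
# nginx fails with "socket() [::]:8080 failed (97: ...)" on a host without
# an IPv6 stack while this count is non-zero.
count_ipv6_listen() {
    grep -cE "$IPV6_LISTEN_RE" "$1" || true
}

# Constructed sample input modelled on the two listen lines discussed here.
sample_conf() {
    cat <<'EOF'
server {
    listen 8080 default_server;
    listen [::]:8080 default_server;
    root /var/www;
}
EOF
}

# When called with <input> <output>, convert the file and refuse to
# succeed if an IPv6 listener survived the rewrite.
if [ "$#" -eq 2 ]; then
    ipv4_only_conf < "$1" > "$2"
    [ "$(count_ipv6_listen "$2")" = "0" ] || { echo "IPv6 listen left in $2" >&2; exit 1; }
fi
```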
Yes, I have explicitly disabled the IPv6 stack at boot. So, the container runs, but I get an error from nginx due to the config.
For the moment, I attach my custom site.conf without IPv6. But I would have preferred to be able to patch the config without having to copy, modify and attach a file from my host. A "simpler" solution for a lazy guy will be amazing.
Like you said, adding a simple fix would avoid unwanted edits. Can this be prioritized?
Tried adding site-config as a volume and now I see the below error,
nginx: [emerg] open() "/var/lib/nginx/logs/access.log" failed (30: Read-only file system)
I believe it's nothing to do with the volume I have added for site-config. I see the securityContext is set to fsGroup: 82; is this correct?
Also tried setting the securityContext group and user to 0, but it's failing with ALERT: [pool www] user has not been defined
@govindkailas You need to provide more details about your setup, are you using this with docker, podman or something else? What does your site.conf look like? The logging error indicates that it contains a log directive, while our nginx config redirects logging to standard out. You can find the file to edit below and for IPv6 changes it is these two lines you want to edit: https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/f093145c2beadb68d0036f98b12d8e972ae6aecc/etc/nginx/http.d/site.conf#L2-L3
I'm deploying the helm chart on k8s 1.23
The issue was with my configMap volume mount. For those who come here searching for a fix, this is what worked for me:
In your deployment, under the volumeMounts add the below
- name: site-config
  mountPath: /etc/nginx/http.d/site.conf
  subPath: site.conf
Under volumes add,
- name: site-config
  configMap:
    name: disable-ipv6
And finally here is the configMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: disable-ipv6
data:
  site.conf: |
    server {
        listen 8080 default_server; ## Only ipv4
        root /var/www;
        index index.php index.html index.htm;
        location / {
            # no-transform tells Cloudflare and others to not change the content of
            # the file and thus breaking SRI.
            # https://developers.cloudflare.com/cache/about/cache-control#other
            add_header Cache-Control "public, max-age=3600, must-revalidate, no-transform";
            add_header Cross-Origin-Embedder-Policy require-corp;
            # disabled, because it prevents links from a paste to the same site to
            # be opened. Didn't work with `same-origin-allow-popups` either.
            # See issue #109 for details.
            #add_header Cross-Origin-Opener-Policy same-origin;
            add_header Cross-Origin-Resource-Policy same-origin;
            add_header Referrer-Policy no-referrer;
            add_header X-Content-Type-Options nosniff;
            add_header X-Frame-Options deny;
            add_header X-XSS-Protection "1; mode=block";
            # Uncomment to enable HSTS
            # https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
            #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            include /etc/nginx/location.d/*.conf;
            try_files $uri $uri/ /index.php$is_args$args;
        }
        location ~ \.php$ {
            include /etc/nginx/location.d/*.conf;
            fastcgi_pass unix:/run/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            # Prevent exposing nginx + version to $_SERVER
            fastcgi_param SERVER_SOFTWARE "";
        }
        include /etc/nginx/server.d/*.conf;
    }
So as it seems this question has been answered and I thus close this issue. If anyone has further questions on that topic, feel free to comment here, again.